I did a fresh git pull on Monday, and ran the stig-rhel6-server-upstream scan.
The set of false positives has shrunk, but is still not zero.

1) mountopt_noexec_on_removable_partitions exits with error, when there are no removable partitions configured in fstab
2) file_ownership_library_dirs complains about an /usr/libexec suid abrt file
3) no_files_unowned_by_* are still broken and looking for any files in /
4) enable_execshield and sysctl_kernel_randomize_va_space are failing, although sysctl shows correct results
5) selinux_all_devicefiles_labeled shows errors with the /dev/.udev directories
6) enable_gdm_login_banner didn't get the gconf mandatory check fixed, although all the rest did (YAY!)
7) sysctl_ipv6_default_accept_redirects and service_ip6tables_enabled fail when ipv6 has been disabled via modprobe.d entries
8) install_openswan is obsoleted by libreswan
9) audit_file_access does not check for open_by_handle_at, and fails when the audit rules lines do not contain exactly the content specified.

I was very glad to see almost all of the sysctl and gconf false positives fixed!

Andrew Gilmore
