Ack to this patch. Comments below were just my notes to ensure a review of individual changes.


On 7/10/14, 8:53 AM, David Smith wrote:
Signed-off-by: David Smith<[email protected]>
---
  RHEL/6/input/intro/intro.xml                       |    2 +-
  RHEL/6/input/system/accounts/physical.xml          |   18 +++++++-------
  RHEL/6/input/system/network/iptables.xml           |   24 ++++++++++----------
  RHEL/6/input/system/network/ipv6.xml               |   10 ++++----
  RHEL/6/input/system/network/wireless.xml           |    8 +++---
  RHEL/6/input/system/permissions/partitions.xml     |   22 +++++++++---------
  RHEL/6/input/system/software/disk_partitioning.xml |    2 +-
  7 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/RHEL/6/input/intro/intro.xml b/RHEL/6/input/intro/intro.xml
index 6b34ec3..28b82f1 100644
--- a/RHEL/6/input/intro/intro.xml
+++ b/RHEL/6/input/intro/intro.xml
@@ -146,7 +146,7 @@ by a dollar sign ($) prompt.
  <title>Formatting Conventions</title>
  <description>
  Commands intended for shell execution, as well as configuration file text,
-are featured in a <tt>monospace font</tt>. <i>Italics</i> are used
+are featured in a <tt>monospaced font</tt>. <i>Italics</i> are used

ack


  to indicate instances where the system administrator must substitute
  the appropriate information into a command or configuration file.
  </description>
diff --git a/RHEL/6/input/system/accounts/physical.xml 
b/RHEL/6/input/system/accounts/physical.xml
index e36056e..c9d1958 100644
--- a/RHEL/6/input/system/accounts/physical.xml
+++ b/RHEL/6/input/system/accounts/physical.xml
@@ -168,7 +168,7 @@ prompted before any action is taken.
NOTE: When updating the <tt>initscripts</tt> package on a Red Hat Enterprise
  Linux 6 system, custom changes to <tt>/etc/init/control-alt-delete.conf</tt>
-may be overwritten. Refer tohttps://access.redhat.com/site/solutions/70464
+may be overwritten. Refer to 
<b>https://access.redhat.com/site/solutions/70464</b>
  for additional information.

Are links bolded elsewhere?

  </rationale>
  <ident cce="27567-7"/>
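Review bot: the real fix in this hunk is the missing space in "Refer tohttps://", but wrapping the URL in <b> introduces a styling convention the guide does not document: the Formatting Conventions hunk in intro.xml (same patch) defines <tt> for commands and configuration text and <i> for substitutions, and says nothing about URLs. Either add a sentence to intro.xml stating that URLs are shown in bold, or leave the URL unstyled here and in the two GNOME references later in this file so the guide stays consistent.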
@@ -221,14 +221,14 @@ by choosing <b>Lock Screen</b> from the <b>System</b> 
menu.
  The <tt>gconftool-2</tt> program can be used to enforce mandatory
  screen locking settings for the default GNOME environment.
  The
-following sections detail commands to enforce idle activation of the screen 
saver,
+following sections detail commands to enforce idle activation of the 
screensaver,

ack


  screen locking, a blank-screen screensaver, and an idle
  activation time.
<br /><br />
  Because users should be trained to lock the screen when they
  step away from the computer, the automatic locking feature is only
-meant as a backup. The Lock Screen icon from the System menu can
+meant as a backup. The <b>Lock Screen</b> icon from the <b>System</b> menu can

fine. ack.

  also be dragged to the taskbar in order to facilitate even more
  convenient screen-locking.
  <br /><br />
@@ -238,9 +238,9 @@ to log into an X Windows environment, and should only be 
used to
  for direct login via console in emergency circumstances.
  <br /><br />
  For more information about configuring GNOME screensaver, see
-http://live.gnome.org/GnomeScreensaver. For more information about
+<b>http://live.gnome.org/GnomeScreensaver</b>. For more information about

ack

  enforcing preferences in the GNOME environment using the GConf
-configuration system, seehttp://projects.gnome.org/gconf  and
+configuration system, see <b>http://projects.gnome.org/gconf</b> and

ack

  the man page <tt>gconftool-2(1)</tt>.</description>
<Value id="inactivity_timeout_value" type="number" operator="equals">
@@ -293,7 +293,7 @@ in the GNOME desktop after a period of inactivity:
  If properly configured, the output should be <tt>true</tt>.
  </ocil>
  <rationale>
-Enabling idle activation of the screen saver ensures the screensaver will
+Enabling idle activation of the screensaver ensures the screensaver will

ack


  be activated after the idle delay.  Applications requiring continuous,
  real-time screen display (such as network management products) require the
  login session does not have administrator rights and the display station is 
located in a
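Review bot: while this hunk is in the rationale for idle activation, the unchanged context sentence two lines below the change ("require the login session does not have administrator rights") is missing "that"; since this patch is a wording cleanup, "require that the login session does not have administrator rights" could be folded in here rather than left for a separate pass.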
@@ -330,7 +330,7 @@ access the system, preventing access by passersby.
  </Rule>
<Rule id="set_blank_screensaver">
-<title>Implement Blank Screen Saver</title>
+<title>Implement Blank Screensaver</title>

ack

  <description>
  Run the following command to set the screensaver mode
  in the GNOME desktop to a blank screen:
@@ -391,7 +391,7 @@ for users who may need to suspend console logins.
  <title>Hardware Tokens for Authentication</title>
  <description>
  The use of hardware tokens such as smart cards for system login
-provides stronger, two-factor authentication than using a username/password.
+provides stronger, two-factor authentication than using a username and 
password.

ack

  In Red Hat Enterprise Linux servers and workstations, hardware token login
  is not enabled by default and must be enabled in the system settings.
  </description>
@@ -419,7 +419,7 @@ smart card (CAC) authentication:
  </ul>
  </ocil>
  <rationale>Smart card login provides two-factor authentication stronger than
-that provided by a username/password combination. Smart cards leverage a PKI
+that provided by a username and password combination. Smart cards leverage PKI

ack

  (public key infrastructure) in order to provide and verify credentials.
  </rationale>
  <ident cce="27440-7"/>
diff --git a/RHEL/6/input/system/network/iptables.xml 
b/RHEL/6/input/system/network/iptables.xml
index bf31193..639b16e 100644
--- a/RHEL/6/input/system/network/iptables.xml
+++ b/RHEL/6/input/system/network/iptables.xml
@@ -1,34 +1,34 @@
  <Group id="network-iptables">
  <title>iptables and ip6tables</title>
-<description>A host-based firewall called Netfilter is included as
+<description>A host-based firewall called <tt>netfilter</tt> is included as

ack


  part of the Linux kernel distributed with the system. It is
  activated by default. This firewall is controlled by the program
-iptables, and the entire capability is frequently referred to by
-this name. An analogous program called ip6tables handles filtering
+<tt>iptables</tt>, and the entire capability is frequently referred to by
+this name. An analogous program called <tt>ip6tables</tt> handles filtering
  for IPv6.
ack

  <br /><br />
  Unlike TCP Wrappers, which depends on the network server
-program to support and respect the rules written, Netfilter
+program to support and respect the rules written, <tt>netfilter</tt>

ack

  filtering occurs at the kernel level, before a program can even
  process the data from the network packet. As such, any program on
  the system is affected by the rules written.
  <br /><br />
  This section provides basic information about strengthening
-the iptables and ip6tables configurations included with the system.
+the <tt>iptables</tt> and <tt>ip6tables</tt> configurations included with the 
system.

ack

  For more complete information that may allow the construction of a
  sophisticated ruleset tailored to your environment, please consult
  the references at the end of this section.</description>
<Group id="iptables_activation">
  <title>Inspect and Activate Default Rules</title>
-<description>View the currently-enforced iptables rules by running
+<description>View the currently-enforced <tt>iptables</tt> rules by running

ack

  the command:
  <pre># iptables -nL --line-numbers</pre>
-The command is analogous for the ip6tables program.
+The command is analogous for <tt>ip6tables</tt>.

ack

  <br /><br />
  If the firewall does not appear to be active (i.e., no rules
  appear), activate it and ensure that it starts at boot by issuing
-the following commands (and analogously for ip6tables):
+the following commands (and analogously for <tt>ip6tables</tt>):

ack

  <pre># service iptables restart</pre>
  The default iptables rules are:
  <pre>Chain INPUT (policy ACCEPT)
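Review bot: Netfilter is the name of the kernel subsystem, not a command or configuration text, so by the intro.xml convention this patch itself edits (monospaced font for "Commands intended for shell execution, as well as configuration file text") it should stay as the proper noun "Netfilter" rather than become <tt>netfilter</tt>; <tt>iptables</tt> and <tt>ip6tables</tt> are correct since those are the programs. Separately, the unchanged context line "The default iptables rules are:" at the end of the hunk is the one remaining plain-text mention of iptables in this description and should get the same <tt> wrapping as the rest.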
@@ -81,7 +81,7 @@ Inspect the file <tt>/etc/sysconfig/ip6tables</tt> to 
determine
  the default policy for the INPUT chain. It should be set to DROP:
  <pre> # grep ":INPUT" /etc/sysconfig/ip6tables</pre>
  </ocil>
-<rationale>In <tt>ip6tables</tt> the default policy is applied only after all
+<rationale>In <tt>ip6tables</tt>, the default policy is applied only after all

ack

  the applicable rules in the table are examined for a match. Setting the
  default policy to <tt>DROP</tt> implements proper design for a firewall, i.e.
  any packets which are not explicitly permitted should not be
@@ -111,7 +111,7 @@ capability for IPv4 and ICMP.
  <title>Strengthen the Default Ruleset</title>
  <description>The default rules can be strengthened. The system
  scripts that activate the firewall rules expect them to be defined
-in the configuration files iptables and ip6tables in the directory
+in the configuration files <tt>iptables</tt> and <tt>ip6tables</tt> in the 
directory

ack

  <tt>/etc/sysconfig</tt>. Many of the lines in these files are similar
  to the command line arguments that would be provided to the programs
  <tt>/sbin/iptables</tt> or <tt>/sbin/ip6tables</tt> - but some are quite
@@ -169,7 +169,7 @@ add or correct the following line in
  <tt>/etc/sysconfig/iptables</tt>:
  <pre>:FORWARD DROP [0:0]</pre>
  </description>
-<rationale>In <tt>iptables</tt> the default policy is applied only after all
+<rationale>In <tt>iptables</tt>, the default policy is applied only after all

ack

  the applicable rules in the table are examined for a match. Setting the
  default policy to <tt>DROP</tt> implements proper design for a firewall, i.e.
  any packets which are not explicitly permitted should not be
@@ -221,7 +221,7 @@ general-purpose use cases and can also make troubleshooting 
more difficult.
  <description>Packets with non-routable source addresses should be rejected, 
as they may indicate spoofing. Because the
  modified policy will reject non-matching packets, you only need to add these 
rules if you are interested in also
  logging these spoofing or suspicious attempts before they are dropped. If you 
do choose to log various suspicious
-traffic, add identical rules with a target of DROP after each LOG.
+traffic, add identical rules with a target of <tt>DROP</tt> after each 
<i>LOG</i>.

ack

  To log and then drop these IPv4 packets, insert the following rules in 
<tt>/etc/sysconfig/iptables</tt> (excepting
  any that are intentionally used):
  <pre>-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
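Review bot: <tt>DROP</tt> and <i>LOG</i> are both iptables targets and appear literally in the rules shown directly below ("-j LOG"), so they should be marked up the same way; per the intro.xml convention italics mean "substitute the appropriate information", which is wrong for a literal target name. Use <tt>LOG</tt> to match <tt>DROP</tt>.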
diff --git a/RHEL/6/input/system/network/ipv6.xml 
b/RHEL/6/input/system/network/ipv6.xml
index 22f496e..cf9a07f 100644
--- a/RHEL/6/input/system/network/ipv6.xml
+++ b/RHEL/6/input/system/network/ipv6.xml
@@ -218,21 +218,21 @@ net.ipv6.conf.default.max_addresses = 1</pre>
  The <tt>router_solicitations</tt> setting determines how many router
  solicitations are sent when bringing up the interface. If addresses are
  statically assigned, there is no need to send any solicitations.
-<br />
+<br /><br />

ack

  The <tt>accept_ra_pinfo</tt> setting controls whether the system will accept
  prefix info from the router.
-<br />
+<br /><br />

ack

  The <tt>accept_ra_defrtr</tt> setting controls whether the system will accept
  Hop Limit settings from a router advertisement. Setting it to 0 prevents a
  router from changing your default IPv6 Hop Limit for outgoing packets.
-<br />
+<br /><br />

ack

  The <tt>autoconf</tt> setting controls whether router advertisements can cause
  the system to assign a global unicast address to an interface.
-<br />
+<br /><br />

ack
  The <tt>dad_transmits</tt> setting determines how many neighbor solicitations
  to send out per address (global and link-local) when bringing up an interface
  to ensure the desired address is unique on the network.
-<br />
+<br /><br />

ack

  The <tt>max_addresses</tt> setting determines how many global unicast IPv6
  addresses can be assigned to each interface.  The default is 16, but it should
  be set to exactly the number of statically configured global addresses
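Review bot: the <br /> spacing changes are fine, but the unchanged context in the middle of this hunk describes <tt>accept_ra_defrtr</tt> as controlling "Hop Limit settings from a router advertisement", which does not match the setting's name (default router). Since the patch is already touching the lines around it, it is worth checking that description against the kernel's ip-sysctl documentation in a follow-up rather than leaving the mismatch in place.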
diff --git a/RHEL/6/input/system/network/wireless.xml 
b/RHEL/6/input/system/network/wireless.xml
index 209b65c..703f8dd 100644
--- a/RHEL/6/input/system/network/wireless.xml
+++ b/RHEL/6/input/system/network/wireless.xml
@@ -4,7 +4,7 @@
  (WiFi) and Bluetooth, can present a security risk to sensitive or
  classified systems and networks. Wireless networking hardware is
  much more likely to be included in laptop or portable systems than
-desktops or servers.
+in desktops or servers.

ack

  <br /><br />
  Removal of hardware provides the greatest assurance that the wireless
  capability remains disabled. Acquisition policies often include provisions to
@@ -24,7 +24,7 @@ prevent malicious software or careless users from 
re-activating the
  devices.</description>
<Rule id="wireless_disable_in_bios">
-<title>Disable WiFi or Bluetooth BIOS</title>
+<title>Disable WiFi or Bluetooth in BIOS</title>

ack

  <description>Some systems that include built-in wireless support offer the
  ability to disable the device through the BIOS. This is system-specific;
  consult your hardware manual or explore the BIOS setup during
@@ -45,8 +45,8 @@ normal usage of the wireless capability.
  <br /><br />
  First, identify the interfaces available with the command:
  <pre># ifconfig -a</pre>
-Additionally,the following command may also be used to
-determine whether wireless support ('extensions') is included for a
+Additionally, the following command may be used to
+determine whether wireless support is included for a

ack

  particular interface, though this may not always be a clear
  indicator:
  <pre># iwconfig</pre>
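Review bot: dropping the quoted term "('extensions')" loses information the reader needs: the <tt>iwconfig</tt> command shown right after this sentence reports "no wireless extensions" for interfaces without wireless support, so the parenthetical is what lets the administrator match the text to the command output. Keep the term, e.g. "determine whether wireless support ('wireless extensions') is included for a particular interface".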
diff --git a/RHEL/6/input/system/permissions/partitions.xml 
b/RHEL/6/input/system/permissions/partitions.xml
index 7b38b93..aff29b9 100644
--- a/RHEL/6/input/system/permissions/partitions.xml
+++ b/RHEL/6/input/system/permissions/partitions.xml
@@ -76,15 +76,15 @@ in the output are not removable media.
  <!-- investigate: this is like obsoleted by gvfs/DeviceKit-based mounting now 
-->
  <Rule id="mountopt_nosuid_on_removable_partitions">
  <title>Add nosuid Option to Removable Media Partitions</title>
-<description>The <tt>nosuid</tt> mount option prevents set-user-identifier 
(suid)
-and set-group-identifier (sgid) permissions from taking effect. These 
permissions
+<description>The <tt>nosuid</tt> mount option prevents set-user-identifier 
(SUID)
+and set-group-identifier (SGID) permissions from taking effect. These 
permissions

ack

  allow users to execute binaries with the same permissions as the owner and 
group
-of the file respectively. Users should not be allowed to introduce suid and 
guid
+of the file respectively. Users should not be allowed to introduce SUID and 
SGID

ack

  files into the system via partitions mounted from removeable media.
  <mount-desc-macro option="nosuid" part="any removable media partitions" />
  </description>
-<rationale>The presence of suid and sgid executables should be tightly 
controlled. Allowing
-users to introduce suid or sgid binaries from partitions mounted off of
+<rationale>The presence of SUID and SGID executables should be tightly 
controlled. Allowing
+users to introduce SUID or SGID binaries from partitions mounted off of

ack

  removable media would allow them to introduce their own highly-privileged 
programs.</rationale>
  <ident cce="27056-1" />
  <oval id="mount_option_nosuid_removable_partitions" 
value="var_removable_partition" />
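Review bot: the SUID/SGID capitalization is consistent now, but the unchanged context line between the two changed spans still reads "removeable media" (should be "removable", as in the rule title "Removable Media Partitions" and the rationale below it). Since the neighbouring lines are being edited anyway, fix the spelling in this hunk.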
@@ -124,12 +124,12 @@ can expose the system to potential compromise.</rationale>
  <Rule id="mount_option_tmp_nosuid">
  <title>Add nosuid Option to /tmp</title>
  <description>The <tt>nosuid</tt> mount option can be used to prevent
-execution of setuid programs in <tt>/tmp</tt>. The suid/sgid permissions
+execution of setuid programs in <tt>/tmp</tt>. The SUID and SGID permissions

ack

  should not be required in these world-writable directories.
  <mount-desc-macro option="nosuid" part="/tmp" />
  </description>
-<rationale>The presence of suid and sgid executables should be tightly 
controlled. Users
-should not be able to execute suid or sgid binaries from temporary storage 
partitions.</rationale>
+<rationale>The presence of SUID and SGID executables should be tightly 
controlled. Users
+should not be able to execute SUID or SGID binaries from temporary storage 
partitions.</rationale>

ack

  <ident cce="26762-5" />
  <oval id="mount_option_tmp_nosuid" />
  <ref nist="CM-7, MP-2"/>
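Review bot: the description line changed here still says <tt>nosuid</tt> is used "to prevent execution of setuid programs in /tmp", which overstates what the option does: the binaries still execute, only the set-user/group-ID bits are ignored. The removable-media hunk earlier in this same file already has the accurate wording ("prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect"); reuse that phrasing here, and the identical sentence in the /dev/shm description in the next hunk should get the same correction.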
@@ -168,12 +168,12 @@ such as <tt>/dev/shm</tt> can expose the system to potential 
compromise.</ration
  <Rule id="mount_option_dev_shm_nosuid">
  <title>Add nosuid Option to /dev/shm</title>
  <description>The <tt>nosuid</tt> mount option can be used to prevent execution
-of setuid programs in <tt>/dev/shm</tt>.  The suid/sgid permissions should not
+of setuid programs in <tt>/dev/shm</tt>.  The SUID and SGID permissions should 
not

ack

  be required in these world-writable directories.
  <mount-desc-macro option="nosuid" part="/dev/shm" />
  </description>
-<rationale>The presence of suid and sgid executables should be tightly 
controlled. Users
-should not be able to execute suid or sgid binaries from temporary storage 
partitions.</rationale>
+<rationale>The presence of SUID and SGID executables should be tightly 
controlled. Users
+should not be able to execute SUID or SGID binaries from temporary storage 
partitions.</rationale>

ack

  <ident cce="26486-1" />
  <oval id="mount_option_dev_shm_nosuid" />
  <ref nist="CM-7, MP-2"/>
diff --git a/RHEL/6/input/system/software/disk_partitioning.xml 
b/RHEL/6/input/system/software/disk_partitioning.xml
index a2c5914..c2f5ee2 100644
--- a/RHEL/6/input/system/software/disk_partitioning.xml
+++ b/RHEL/6/input/system/software/disk_partitioning.xml
@@ -55,7 +55,7 @@ Ensuring that <tt>/var</tt> is mounted on its own partition 
enables the
  setting of more restrictive mount options. This helps protect
  system services such as daemons or other programs which use it.
  It is not uncommon for the <tt>/var</tt> directory to contain
-world-writable directories, installed by other software packages.
+world-writable directories installed by other software packages.

ack

  </rationale>
  <ident cce="26639-5"/>
  <oval id="partition_for_var" />
-- 1.7.1

-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/