On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke<[email protected]>

- For some reason the set_ip6tables_default_rule was not enabled in common 
(whereas standard ip4 is);
- Mapped set_ip6tables_default_rule to RHEL-06-000523

Signed-off-by: Leland Steinke<[email protected]>
---
  RHEL/6/input/auxiliary/stig_overlay.xml |    4 ++--
  RHEL/6/input/profiles/common.xml        |    1 +
  2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml 
b/RHEL/6/input/auxiliary/stig_overlay.xml
index e75aeaf..f78506e 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -1309,8 +1309,8 @@
                <VMSinfo VKey="38445" SVKey="50245" VRelease="1" />
                <title>Audit log files must be group-owned by root.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000523" disa="66" 
severity="medium">
-               <VMSinfo VKey="38444" SVKey="50244" VRelease="1" />
+       <overlay owner="disastig" ruleid="set_ip6tables_default_rule" ownerid="RHEL-06-000523" 
disa="66" severity="medium">
+               <VMSinfo VKey="38444" SVKey="50244" VRelease="2" />
                <title>The system's local IPv6 firewall must implement a deny-all, 
allow-by-exception policy for inbound packets.</title>
        </overlay>
        <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000524" disa="15" 
severity="low">
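Review bot: The `VRelease` value on the RHEL-06-000523 overlay changes from "1" to "2" in the same edit that maps the rule, but the commit description only mentions the `ruleid` mapping. If the bump tracks a newer DISA STIG release, say so in the description so the overlay stays traceable to its source. If it was incidental, keep `VRelease="1"`. The neighbouring overlays visible in this hunk remain at release 1 or are still unmapped (`ruleid="XXXX"`), so the reason for the change cannot be seen from this hunk.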
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index ba46588..d3ec71b 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -94,6 +94,7 @@
  <select idref="service_ip6tables_enabled" selected="true"/>
  <select idref="service_iptables_enabled" selected="true"/>
  <select idref="set_iptables_default_rule" selected="true"/>
+<select idref="set_ip6tables_default_rule" selected="ture" />
  <select idref="kernel_module_dccp_disabled" selected="true"/>
  <select idref="kernel_module_sctp_disabled" selected="true"/>
  <select idref="kernel_module_rds_disabled" selected="true"/>
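Review bot: The added `<select>` line carries `selected="ture"`, which is not a valid boolean, so the new rule is not reliably enabled. Depending on the consumer, the profile either fails schema validation or the rule is treated as unselected, which would leave the IPv6 default-deny check out of the common profile without any visible error. The line should read `<select idref="set_ip6tables_default_rule" selected="true"/>`, with the same leading indent as its siblings. Validating the built profile against the XCCDF schema before merging would catch this class of typo.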
-- 1.7.1

ack
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
