The RHEL 5 STIG development was not a consensus effort, but
its contents should be considered for such discussions for RHEL 6.
This transform is designed to allow easy viewing of the RHEL 5 STIG.
A future modification to this transform will permit
capture of notes by participants for consensus efforts, and let
the community see where things are going.
Jeffrey Blank (1):
new transform to view RHEL 5 STIG (manual and automated portions) conveniently
* a similar transform will be used to capture consensus notes
rhel6/src/Makefile | 4 +
.../disa-stig-rhel5-v1r0.6-xccdf-manual.xml |20459 ++++++++++++++++++++
rhel6/src/transforms/xccdf2table-stig.xslt | 118 +
3 files changed, 20581 insertions(+), 0 deletions(-)
create mode 100644 rhel6/src/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
create mode 100644 rhel6/src/transforms/xccdf2table-stig.xslt
I am pleased to announce that the JBoss Enterprise Application Platform (EAP) SCAP project has been added to the scap-security-guide project. The initial content (OVAL and OCIL) has been added to the repository under JBossEAP5. We have released the initial content to the NIST NCP and to DISA for approval as a STIG. The content includes the Common Criteria Certification guidelines, Red Hat best practices and some DISA guidelines as well as mappings to NIST and DISA security controls. Additional content will be added for EAP 5. Future milestones should include adding content for EAP 6, SOA-P 5 and additional JBoss Middleware projects. We look forward to getting feedback, comments and suggestions from the community as we build the SCAP content for JBoss Middleware.
Kenneth W. Peeples, C|HFI, Security+
Red Hat Consulting
OASIS Member (AMQP, SAML, XACML TC), Infragard Member
Cell: 843.636.3719
Office: 843.323.4261
kpeeples(a)redhat.com
http://www.redhat.com
Continued work on mapping CCI numbers to SSG.
-Willy
Willy Santos (6):
Mapped CCI-000037 to unmet_impractical_guidance
Mapped CCI-000140 to configure_auditd_admin_space_left_action in auditing.xml
Mapped CCI-000157 to enable_auditd_service in auditing.xml
Mapped CCI-000162 to met_inherently in srg_support.xml
Mapped CCI-000163 to met_inherently in srg_support.xml
Mapped CCI-000164 to met_inherently in srg_support.xml
rhel6/src/input/auxiliary/srg_support.xml | 4 ++--
rhel6/src/input/system/auditing.xml | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
--
1.7.7.6
I received this note from a colleague today regarding content in the
scap-security-guide for RHEL6:
> Ext4 mounts devices with the relatime option by default. Probably not a good idea for secure environments. Means atime is not accurate. Very bad for systems using AIDE. RHEL 6 security guide needs to turn atime back on for Ext4 mounts.
>
> cat /proc/mounts
>
> Sent from iPhone.
When he states that "atime is not accurate" I believe he's referring to
how relatime maintains atime data, but not for each time the file was
accessed. Only /modified/.
From a performance perspective relatime makes a lot of sense.
Enablement of relatime means that the filesystem will not write
read-times to a file when read. Imagine recording every time a file in
Hadoop or a highly utilized fileshare was read... that could be a lot of
overhead which relatime prevents.
With that said, we're writing a security guide and not a performance
guide. What does everyone think about this, and what should we do? One
option is to set "default_relatime=0" in grub to prevent any filesystem
from doing this. Is that overkill?
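As an added example that is not part of the thread, a small POSIX shell check over /proc/mounts-style lines that flags ext4 mounts whose atime updates are not strict, which is exactly the condition the AIDE concern above is about. The sample mount lines are constructed, not a capture from a real system.

```shell
#!/bin/sh
# /proc/mounts field layout: device mountpoint fstype options dump pass
# The kernel prints "relatime" or "noatime" in the options when atime updates
# are relaxed, and prints neither flag when strictatime is in effect.

# Reports ext4 mounts whose atime updates are not strict, one finding per
# line as "<mountpoint> <relatime|noatime>". Strict mounts print nothing.
check_atime() {
    awk '$3 == "ext4" {
        n = split($4, opts, ",")
        mode = "strictatime"
        for (i = 1; i <= n; i++)
            if (opts[i] == "relatime" || opts[i] == "noatime") mode = opts[i]
        if (mode != "strictatime") print $2, mode
    }'
}

# Constructed sample resembling /proc/mounts on a RHEL 6 host (not real data)
SAMPLE='rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /boot ext4 rw,barrier=1,data=ordered 0 0
/dev/mapper/vg-var /var ext4 rw,noatime,barrier=1 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

# On a live system run: check_atime < /proc/mounts
printf '%s\n' "$SAMPLE" | check_atime
```

The sample reports `/ relatime` and `/var noatime` and stays silent on `/boot`, which is mounted with strict atime; any mount it lists is one where AIDE's access-time checks cannot be trusted.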
More CCI mappings for OS SRG compliance.
Willy Santos (26):
Mapped CCI-000022 to set_selinux_state in selinux.xml
Corrected CCI reference number.
Mapped CCI-000050 to enable_gdm_login_banner in banners.xml
Mapped CCI-000131 to met_inherently in srg_support.xml
Mapped CCI-000132 to met_inherently in srg_support.xml
Mapped CCI-000133 to met_inherently in srg_support.xml
Mapped CCI-000134 to met_inherently in srg_support.xml
Mapped CCI-000137 to partition_for_var_log_audit in disk_partitioning.xml
Mapped CCI-000138 to configure_auditd_data_retention in auditing.xml
Mapped CCI-000139 to configure_auditd_action_mail_acct in auditing.xml
Mapped CCI-000159 to met_inherently in srg_support.xml
Mapped CCI-000371 to unmet_impractical_guidance
Mapped CCI-000372 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000535 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000537 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000539 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000780 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-001682 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000879 to sshd_idle_timeout in ssh.xml
Mapped CCI-000880 to auditd_configure_rules in auditing.xml
Mapped CCI-001109 to default_iptables_policies in iptables.xml
Mapped CCI-001383 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000370 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-000066 to unmet_impractical_guidance in srg_support.xml
Mapped CCI-001694 to met_inherently in srg_support.xml
Mapped CCI-001632 to ssh_server in ssh.xml
rhel6/src/input/auxiliary/srg_support.xml | 4 ++--
rhel6/src/input/services/ssh.xml | 3 ++-
rhel6/src/input/system/accounts/banners.xml | 2 +-
rhel6/src/input/system/auditing.xml | 4 +++-
rhel6/src/input/system/network/iptables.xml | 2 +-
rhel6/src/input/system/selinux.xml | 2 +-
.../input/system/software/disk_partitioning.xml | 2 +-
7 files changed, 11 insertions(+), 8 deletions(-)
--
1.7.7.6
Proposal to replace all references to modprobe.conf with modprobe.d, due to
potential deprecation in the future.
"the /etc/modprobe.conf file can also be used if it exists, but that will be
removed in a future version." Source: modprobe.conf man-page
Michael Palmiotto (1):
Remove use of modprobe.conf and fix some typos.
rhel6/src/input/system/network/uncommon.xml | 10 +++++-----
rhel6/src/input/system/network/wireless.xml | 2 +-
rhel6/src/input/system/permissions/mounting.xml | 20 ++++++++++----------
3 files changed, 16 insertions(+), 16 deletions(-)
The check for single user password changed from RHEL 5 to 6.
The prose is correct and does not need an update.
Signed-off-by: Joe Nall <joe(a)nall.com>
---
rhel6/src/input/checks/singleuser_password.xml | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rhel6/src/input/checks/singleuser_password.xml b/rhel6/src/input/checks/singleuser_password.xml
index 3cb78b2..990c75e 100644
--- a/rhel6/src/input/checks/singleuser_password.xml
+++ b/rhel6/src/input/checks/singleuser_password.xml
@@ -18,15 +18,15 @@
</definition>
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Tests the value of the ~~:S:wait:/sbin/sulogin setting in the /etc/inittab file"
+ comment="Tests for existence of SINGLE=/sbin/sulogin in the /etc/sysconfig/init file"
id="test_20096" version="1">
<ind:object object_ref="obj_73" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_73"
version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>inittab</ind:filename>
- <ind:pattern operation="pattern match">~:S:wait:/sbin/sulogin</ind:pattern>
+ <ind:path>/etc/sysconfig</ind:path>
+ <ind:filename>init</ind:filename>
+ <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
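Review bot: the new pattern `^SINGLE=/sbin/sulogin$` is fully anchored, so it will report the check as failing on a host where the value is quoted or has trailing whitespace (e.g. `SINGLE="/sbin/sulogin"`), both of which the init scripts accept; consider something like `^SINGLE="?/sbin/sulogin"?\s*$` so the check matches what the shell actually sources. The `^` anchor is a good addition over the old unanchored `~:S:wait:/sbin/sulogin` pattern, since a commented-out `#SINGLE=/sbin/sulogin` line is now correctly not counted as a match, and the updated comment on the test now describes the file being inspected.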
--
1.7.1