From blank at eclipse.ncsc.mil Thu Aug 20 11:34:03 2015
From: Jeffrey Blank
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: [PATCH 2/4] removed duplicate Rules
Date: Tue, 30 Apr 2013 16:32:25 -0400
Message-ID: <51802A59.4010306@eclipse.ncsc.mil>
In-Reply-To: 1367353263-5548-3-git-send-email-dsmith@eclipse.ncsc.mil

great, please push.

On 04/30/2013 04:21 PM, David Smith wrote:
> = > Signed-off-by: David Smith > --- > RHEL6/input/system/permissions/mounting.xml | 39 ---------------------= ------ > 1 files changed, 0 insertions(+), 39 deletions(-) > = > diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/sy= stem/permissions/mounting.xml > index 683a2f6..60ff0a3 100644 > --- a/RHEL6/input/system/permissions/mounting.xml > +++ b/RHEL6/input/system/permissions/mounting.xml > @@ -19,45 +19,6 @@ Use caution when enabling any such facility, and find = out > whether better configuration management or user education might > solve the same problem with less risk. > = > - > -Restrict Console Device Access to Desktop Workstations > -If the display manager has been altered to allow remote use= rs to > -log in and the host is configured to run at runlevel 5, change console a= s well > -as the xconsole directive in the /etc/security/console.perms to= the > -following: > -
<console>=3Dtty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
> -<xconsole>=3D:0\.[0-9] :0
> -When a user logs in, the module pam_console.so called via the > -command login, or by some of the graphics program of logging, such as gd= m, kdm, > -and xdm. If this user is the first to log into the physical console > -- called the console user - the user module assures the mastery of a wide > -variety of devices normally belong to root. Administrative privileges sh= ould be > -limited for non-root users. Review the man page for pam_console= for > -more information > - > - > - > -
> - > - > -Restrict Console Device Access to Servers > -If the display manager has been altered to allow remote use= rs to > -log in and the host is configured to run at runlevel 5, change console a= s well > -as the xconsole directive in the /etc/security/console.perms to= the > -following: > -
<console>=3Dtty[0-9][0-9]* vc/[0-9][0-9]*
> -When a user logs in, the module pam_console.so called via the > -command login, or by some of the graphics program of logging, such as gd= m, kdm, > -and xdm. If this user is the first to log into the physical console > -- called the console user - the user module assures the mastery of a wide > -variety of devices normally belong to root. Administrative privileges sh= ould be > -limited for non-root users. Review the man page for pam_console= for > -more information > - > - > - > -
> - > - > > Disable Modprobe Loading of USB Storage Driver > > =

--
___________________________
Jeffrey Blank 410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
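
Review bot: In the @@ -19,45 +19,6 @@ hunk of mounting.xml, the two removed Rules are not copies of each other, so "removed duplicate Rules" should say where each retained copy lives. The Desktop Workstations text sets <console> to include the `:0\.[0-9] :0` displays and also sets <xconsole>, while the Servers text limits <console> to the tty and vc devices only. Please name the file that keeps each variant in the commit message, and confirm that the retained copies preserve both settings, since this patch touches only mounting.xml (1 file changed, 39 deletions).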