Re: modprobe - I guess that could be good if you're trying to load the module by hand and, instead of typing the command a few times before remembering that it was disabled, actually getting some feedback.
Re: auditd - I'm remembering this from reading the man pages, nothing more. They may, or may not, be accurate.
Trevor
On Tue, Feb 26, 2013 at 1:38 PM, Shaw, Ray V CTR (US) <ray.v.shaw.ctr@mail.mil> wrote:
Classification: UNCLASSIFIED Caveats: NONE
- RHEL5 wants /etc/shadow to be 0400; RHEL6 wants this and /etc/gshadow
at 0000. Not sure of the advantage of the latter.
-> This matters for SELinux.
Fair enough.
- RHEL5 wants module loading (DCCP, SCTP, Bluetooth, etc.) disabled
with /bin/true; RHEL6 wants /bin/false.
-> Not sure about this one. Perhaps it's for some logic checking code or it prevents overrides later down the stack.
The only difference I can see is that /bin/false gives me this message:
FATAL: Error running install command for Bluetooth
and an exit code of 1, while /bin/true is silent (neither logs anything to dmesg or syslog) and has an exit code of 0. It's possible that it matters for some deeper reason.
- RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them
to start with "always,exit". Note that some of the actual RHEL6 benchmark content checks for both (e.g. adjtimex), while some (the majority) does not (e.g. chmod).
-> This was a change in auditd itself. "exit,always" is no longer valid.
As of which audit version? Unless I'm missing something (and based on the logs, I don't think I am; the events I expect to see logged are being logged, and with my specified key values), the same "exit,always" rules from my RHEL5 audit.rules work on RHEL6.
[I do remember that at one point, one direction or the other didn't work on RHEL5, but at the moment, both ways appear to work on both platforms.]
If that syntax is invalid for newer versions of audit than are included in RHEL6, okay, but this is supposed to be a RHEL6 STIG, and a rebase of the audit system seems unlikely (as audit versions tend to be linked to kernel versions, and a rebase of the kernel seems mighty unlikely). If both syntaxes work on RHEL6, I would like to see all audit checks allow both (instead of just the benchmark content of some audit checks).
-- Ray Shaw Contractor, STG Unix support, Army Research Labs
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
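The thread above turns on two details a compliance checker has to get right: whether a modprobe "install" line disables a module with /bin/true (silent, exit 0) or /bin/false (error message, exit 1), and whether audit rules are written with the RHEL5 "exit,always" ordering or the "always,exit" ordering that most of the RHEL6 benchmark content looks for. The script below is an added example, not part of the mailing-list thread and not scap-security-guide's own check content; it constructs small sample modprobe.d and audit.rules fragments in a temporary directory (the module names and rules are made up for the example, modelled on the ones mentioned in the thread) and reports which style each line uses, then rewrites the old audit ordering to the new one so a file can be normalized before it is fed to a checker that accepts only one form.

```shell
#!/bin/sh
# Added example (not from the thread or from scap-security-guide):
# inspect modprobe.d "install" lines and audit.rules action ordering.
# Sample inputs are constructed below so the script runs offline.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample modelled on STIG-style module-disable lines.
cat > "$workdir/blacklist.conf" <<'EOF'
install dccp /bin/true
install sctp /bin/true
install bluetooth /bin/false
install usb-storage /bin/true
EOF

# Constructed sample mixing the RHEL5 and RHEL6 action orderings.
cat > "$workdir/audit.rules" <<'EOF'
-a exit,always -F arch=b64 -S adjtimex -k time-change
-a always,exit -F arch=b64 -S chmod -k perm_mod
-w /etc/shadow -p wa -k identity
EOF

# Print one line per "install <module> <command>" entry:
#   "<module> silent" for /bin/true   (module load fails quietly, exit 0)
#   "<module> loud"   for /bin/false  (modprobe reports FATAL, exit 1)
#   "<module> other"  for any other command
modprobe_install_style() {
    # $1: path to a modprobe.d-style file
    awk '$1 == "install" {
        style = "other"
        if ($3 == "/bin/true")  style = "silent"
        if ($3 == "/bin/false") style = "loud"
        print $2, style
    }' "$1"
}

# Count "-a" rules still written in the RHEL5 "exit,always" ordering.
# Prints 0 when none remain; "|| true" keeps set -e callers happy,
# since grep -c exits 1 when nothing matches.
count_old_order() {
    # $1: path to an audit.rules-style file
    grep -c '^-a[[:space:]][[:space:]]*exit,always' "$1" || true
}

# Rewrite "-a exit,always" to "-a always,exit" (the ordering the RHEL6
# content checks for); -w rules and other lines pass through unchanged.
normalize_audit_rules() {
    # $1: path to an audit.rules-style file; normalized rules go to stdout
    sed -e 's/^\(-a[[:space:]][[:space:]]*\)exit,always/\1always,exit/' "$1"
}

echo "== modprobe install styles =="
modprobe_install_style "$workdir/blacklist.conf"

echo "== audit rules using exit,always: $(count_old_order "$workdir/audit.rules") =="
normalize_audit_rules "$workdir/audit.rules" > "$workdir/audit.rules.normalized"
echo "== after normalizing: $(count_old_order "$workdir/audit.rules.normalized") =="
```

Run it as-is to see the report on the constructed samples; to use it against a real system, point `modprobe_install_style` at a file under /etc/modprobe.d and `count_old_order` / `normalize_audit_rules` at /etc/audit/audit.rules. The normalization only touches the action ordering, so a diff of the output against the original shows exactly which rules a checker that accepts one form would have flagged.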