Classification: UNCLASSIFIED Caveats: NONE
- RHEL5 wants /etc/shadow to be 0400; RHEL6 wants this and /etc/gshadow
at 0000. Not sure of the advantage of the latter.
-> This matters for SELinux.
Fair enough.
- RHEL5 wants module loading (DCCP, SCTP, Bluetooth, etc.) disabled
with /bin/true; RHEL6 wants /bin/false.
-> Not sure about this one. Perhaps it's for some logic checking code or it prevents overrides later down the stack.
The only difference I can see is that /bin/false gives me this message:
FATAL: Error running install command for Bluetooth
and an exit code of 1, while /bin/true is silent (neither log anything to dmesg or syslog) and has an exit code of 0. It's possible that it matters for some deeper reason.
- RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them
to start with "always,exit". Note that some of the actual RHEL6 benchmark content checks for both (e.g. adjtimex), while some (the majority) does not (e.g. chmod).
-> This was a change in auditd itself. "exit,always" is no longer valid.
As of which audit version? Unless I'm missing something (and based on the logs, I don't think I am; the events I expect to see logged are being logged, and with my specified key values), the same "exit,always" rules from my RHEL5 audit.rules work on RHEL6.
[I do remember that at one point, one direction or the other didn't work on RHEL5, but at the moment, both ways appear to work on both platforms.]
If that syntax is invalid for newer versions of audit than are included in RHEL6, okay, but this is supposed to be a RHEL6 STIG, and a rebase of the audit system seems unlikely (as audit versions tend to be linked to kernel versions, and a rebase of the kernel seems mighty unlikely). If both syntaxes work on RHEL6, I would like to see all audit checks allow both (instead of just the benchmark content of some audit checks).
--
Ray Shaw
Contractor, STG Unix support, Army Research Labs
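An added example, not part of the message above or of either STIG's own check content: a small POSIX shell checker that does what the message asks for, namely accepting both `-a exit,always` and `-a always,exit` when looking for a syscall audit rule, and accepting either `/bin/true` or `/bin/false` as the modprobe `install` target. The file contents below are constructed samples written to a temporary directory, not real system files, and the function names (`audit_rule_present`, `module_install_disabled`, `report`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message): a STIG-style check that
# treats the RHEL5 ordering "-a exit,always" and the RHEL6 ordering
# "-a always,exit" as equivalent, and a modprobe.d check that accepts
# either /bin/true or /bin/false on an "install" line. Sample files
# below are constructed for the demonstration; nothing is read from /etc.

# audit_rule_present RULES_FILE SYSCALL KEY
# Returns 0 if RULES_FILE has an active (uncommented) "-a" rule whose
# list/action pair is exit,always or always,exit, that names SYSCALL
# via -S (either "-S x -S y" or "-S x,y" form) and carries "-k KEY".
audit_rule_present() {
    rules_file=$1; syscall=$2; key=$3
    grep -E '^[[:space:]]*-a[[:space:]]+(exit,always|always,exit)([[:space:]]|$)' "$rules_file" \
      | grep -E -e "-S[[:space:]]+([^[:space:]]*,)?${syscall}(,|[[:space:]]|\$)" \
      | grep -E -q -e "-k[[:space:]]+${key}([[:space:]]|\$)"
}

# module_install_disabled MODPROBE_CONF MODULE
# Returns 0 if MODPROBE_CONF has an active "install MODULE" line whose
# command is /bin/true or /bin/false; a commented-out line does not count.
module_install_disabled() {
    conf=$1; module=$2
    grep -E -q "^[[:space:]]*install[[:space:]]+${module}[[:space:]]+/bin/(true|false)([[:space:]]|\$)" "$conf"
}

# Constructed sample inputs (hypothetical contents, removed on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_RULES="$SAMPLE_DIR/audit.rules"
SAMPLE_MODPROBE="$SAMPLE_DIR/blacklist.conf"

# Both orderings side by side, plus a commented-out rule that must not count.
cat > "$SAMPLE_RULES" <<'EOF'
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
#-a always,exit -F arch=b64 -S mount -k export
-a exit,always -F arch=b32 -S setxattr,lsetxattr -k perm_mod
EOF

# One module disabled the RHEL5 way, one the RHEL6 way, one only commented.
cat > "$SAMPLE_MODPROBE" <<'EOF'
install dccp /bin/true
install sctp /bin/false
# install bluetooth /bin/true
EOF

# report: print PASS/FAIL per check; returns 0 only if every check passed.
report() {
    status=0
    for spec in "chmod perm_mod" "adjtimex time-change" "mount export"; do
        set -- $spec
        if audit_rule_present "$SAMPLE_RULES" "$1" "$2"; then
            echo "PASS audit rule for $1 (key $2)"
        else
            echo "FAIL audit rule for $1 (key $2)"; status=1
        fi
    done
    for m in dccp sctp bluetooth; do
        if module_install_disabled "$SAMPLE_MODPROBE" "$m"; then
            echo "PASS module $m install disabled"
        else
            echo "FAIL module $m install disabled"; status=1
        fi
    done
    return $status
}

if report; then
    echo "all checks passed"
else
    echo "some checks failed (mount and bluetooth are expected to fail on the sample)"
fi
```

Pointing `SAMPLE_RULES` at `/etc/audit/audit.rules` and `SAMPLE_MODPROBE` at a file under `/etc/modprobe.d/` turns this into a real check; on the constructed sample, the `mount` and `bluetooth` lines fail by design because they are commented out.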