I'm certain others will correct me if I am wrong, but...
CCEs should not be shared between successive generations of operating system software. I
just did a quick compare of the CCEs for RHEL5 and RHEL4 and the CCE IDs do not overlap.
The only RHEL4 CCE corresponding to the RHEL5 /etc/*shadow permissions CCEs is CCE-5735-6
for /etc/shadow perms; there is no RHEL4 CCE referencing /etc/gshadow perms.
I cannot find a specific FAQ entry or explanation, beyond 'A CCE "platform
group" roughly identifies the operating system or application to which a CCE entry
applies' in several places on
cce.mitre.org.
Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, llc
717-267-5797 (DSN 570)
leland.j.steinke.ctr(a)mail.mil (gov't)
lsteinke(a)tapestrytech.com (com'l)
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Jeffrey Blank
Sent: Friday, August 31, 2012 5:14 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: /etc/shadow and gshadow mode 0400 or 0?
Just to add: CCEs don't actually require anything in themselves.
Technically, the CCE serves only to indicate that we are talking about
the permissions on that file (and perhaps provide a selection of
choices, from which baselines may select a requirement.)
http://cce.mitre.org/lists/cce_list.html
And thanks for the QA / improving the content!
On 08/31/2012 02:48 PM, Kenneth Stailey wrote:
Hi,
RHEL5 ships with /etc/shadow and gshadow set to mode 0400
while RHEL 6 uses mode 0 for those two files.
CCE-3932-1 and CCE-4130-1 require mode 0400.
Changing RHEL 6 to use 0400 causes CCE-14931 (verify
files against RPM database) to flag /etc/shadow
and gshadow as modified.
Is it better to change /etc/shadow and gshadow to 0400
or use the mode 0 that the files are distributed from Red Hat with?
Thanks
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide