Signed-off-by: David Smith <dsmith(a)eclipse.ncsc.mil>
---
RHEL6/input/auxiliary/transition_notes.xml | 8 ++------
.../system/accounts/restrictions/root_logins.xml | 19 +++++++++++++++++++
RHEL6/input/system/auditing.xml | 18 ++++++++++++++++++
3 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml
b/RHEL6/input/auxiliary/transition_notes.xml
index f557120..3d1c7f9 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -811,14 +811,10 @@ This is desirable but not practical in many environments. Notably,
many other O
do not even support this capability.
</note>
-<note ref="780,12765" auth="JB">
+<note ref="12765" auth="JB">
This needs to be added to the RHEL6 content.
</note>
-<note ref="813" auth="JB">
-This needs to be added to the RHEL6 content; oddly OVAL checks already exist for it.
-</note>
-
<note ref="825,907,910,916,917" auth="JB">
Is this a concern on a modern system?
</note>
@@ -1634,7 +1630,7 @@ exist.
rule=sshd_enable_warning_banner manual=no
</note>
-<note ref="776,777,812,761,781,782,4382,11975" auth="DS">
+<note ref="776,777,780,812,761,781,782,813,4382,11975"
auth="DS">
This is covered in the RHEL6 content.
</note>
</notegroup>
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml
b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index d5e3a07..ef597e7 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -87,6 +87,25 @@ using the root account.
<ref nist="AC-3, AC-6" disa="770" />
</Rule>
+<Rule id="GID_reserved_systemgroups">
+<title>GIDs Reserved for System Accounts Must Not Be Assigned to Non-System
Groups</title>
+<description>
+Change the primary group ID numbers for non-system accounts with reserved
+primary group IDs (those less than or equal to 499).
+</description>
+<ocil clause="any non-system accounts are using a reserved GID">
+Run the following command to confirm all accounts with a GID of 499
+or below are used by a system account:
+<pre># cut -d: -f 1,4 /etc/passwd|egrep
":[1-4][0-9]{2}$|:[0-9]{1,2}$"</pre>
+</ocil>
+<rationale>
+Reserved GIDs are typically used by system software packages. If non-system
+groups have GIDs in this range, they may conflict with system software - possibly leading
+to the group having permissions to modify system files.
+</rationale>
+<ref disa="366" />
+</Rule>
+
<Rule id="no_root_webbrowsing">
<title>Restrict Web Browser Use for Administrative Accounts</title>
<description>
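Review bot: The new GID_reserved_systemgroups rule carries only an `<ocil>` procedure and `<ref disa="366" />`, with no `<oval>` element, so unlike the audit_logs_permissions rule added in the same commit it cannot be evaluated automatically; if an OVAL definition exists or is planned for it, an `<oval id="..." />` reference belongs after the rationale. The OCIL command lists every account whose primary GID is 499 or below, which includes the legitimate system accounts, and the text does not say how the reviewer separates those from a finding; suggest ending the ocil body with `Each listed account must be a system account; any other account is a finding.`. The description tells the reader to change the primary group ID but gives no procedure; a `<pre># usermod -g <i>new_gid</i> <i>account</i></pre>` line, mirroring the chmod example in the auditing rule, would make the remediation actionable.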
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index c53d16e..43e6789 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -646,6 +646,24 @@ audited.</rationale>
<ref nist="AU-2(a)" />
</Rule>
+<Rule id="audit_logs_permissions">
+<title>System Audit Logs Must Have Mode 0640 or Less Permissive</title>
+<description>
+Change the mode of the audit log files:
+<pre># chmod 0640 <i>audit_file</i></pre>
+</description>
+<ocil clause="any are more permissive">
+Run the following command to check the mode of the system audit logs:
+<pre>grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat
-c %a:%n</pre>
+Audit logs must be mode 0640 or less permissive.
+</ocil>
+<rationale>
+If users can write to audit logs, audit trails can be modified or destroyed.
+</rationale>
+<oval id="file_permissions_var_log_audit" />
+<ref disa="366" />
+</Rule>
+
<Rule id="audit_logs_rootowner">
<title>System Audit Logs Must Be Owned By Root</title>
<description>
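Review bot: The `<pre>` check in the new audit_logs_permissions rule stats only the single file named by `log_file` in auditd.conf, while the title speaks of audit logs in the plural and the referenced OVAL id `file_permissions_var_log_audit` suggests the log directory as a whole; rotated logs sitting next to the active file would go unchecked by the manual procedure, so the ocil text should state that every file in the audit log directory must meet the mode requirement, or the command should stat the directory contents instead. The sed expression is unquoted; writing it as `sed 's/^[^\/]*//'` keeps the shell from treating `[^\/]*` as a glob. Note that this `<pre>` line is wrapped in the mail, so the line beginning `-c %a:%n</pre>` is the continuation of the stat command, not a removed line.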
--
1.7.1