Classification: UNCLASSIFIED
Caveats: NONE
Yes, I'll work on this; it has been too long since I submitted something! I'll
look into the NTP one as well, though this should be easier. Thanks for knocking out the
rsyslog one.
--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces(a)lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Friday, October 25, 2013 9:32 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: CCE-26801-1 - rsyslog suggestion/question (UNCLASSIFIED)
On 10/25/13, 9:02 PM, Shawn Wells wrote:
> On 10/25/13, 8:25 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> There's more than one instance of things like this (e.g.
>> /etc/security/limits.d versus limits.conf), and this applies to us
>> too. I'd like both to be valid; when possible, we prefer to
>> configuration-manage a small, unique file in a foo.d directory than
>> make changes to existing config files. I'm not certain how best to
>> do this in OVAL; write a check for each location, with a condition of
>> "at least one of these must be true"?
>
> Good find. Just submitted a patch to address this, pending ack will be
> picked up in next build:
>
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/004387.html
>
>
> Ray - Perhaps you could use this as a template for limits.conf vs
> limits.d?
OK, patch got ack'd, it'll show up if you 'git pull'. Think you could
use it as a template? :)
>>> -----Original Message-----
>>> From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces(a)lists.fedorahosted.org] On Behalf Of wm-lists
>>> Sent: Friday, October 25, 2013 7:47 AM
>>> To: scap-security-guide(a)lists.fedorahosted.org
>>> Subject: CCE-26801-1 - rsyslog suggestion/question
>>>
>>> It appears the requirement checks /etc/rsyslog.conf for an entry such as
>>>
>>> *.* @loghost.example.com
>>> or
>>>
>>>
>>> *.* @@loghost.example.com
>>>
>>> <ind:textfilecontent54_object id="oval:ssg:obj:1907" version="1">
>>>   <ind:path>/etc</ind:path>
>>>   <ind:filename>rsyslog.conf</ind:filename>
>>>   <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
>>>   <ind:instance datatype="int">1</ind:instance>
>>> </ind:textfilecontent54_object>
>>>
>>>
>>> However in my case, we utilize multiple .conf files under
>>> /etc/rsyslog.d for destinations (log aggregators, etc...)
>>>
>>> I'm guessing the scap software doesn't follow include Directives?
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
--
Shawn Wells
Director, Innovation Programs
shawn(a)redhat.com | 443.534.0130
@shawndwells
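
The "at least one of these must be true" logic discussed in this thread, as an added Python example (not part of the thread and not the patch it links to): it applies the pattern from the quoted OVAL object to rsyslog.conf and to every *.conf under rsyslog.d. The function names, the multiline matching, and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pattern copied from the quoted OVAL object (oval:ssg:obj:1907).
# Assumption: matched per line, so MULTILINE is used here.
FORWARD_RE = re.compile(r"^\*\.\*[\s]+(?:@|\:omrelp\:)", re.MULTILINE)

def forwarding_files(etc_root):
    """Return config files under etc_root that contain a remote-forwarding rule.

    Looks at rsyslog.conf and every *.conf in rsyslog.d; the setting passes
    when at least one of them matches (non-empty result).
    """
    root = Path(etc_root)
    candidates = [root / "rsyslog.conf"] + sorted((root / "rsyslog.d").glob("*.conf"))
    hits = []
    for path in candidates:
        if path.is_file() and FORWARD_RE.search(path.read_text(errors="replace")):
            hits.append(path.relative_to(root).as_posix())
    return hits

def build_sample(etc_root, main_conf, dropins):
    """Write a constructed /etc layout for the demo (not real host data)."""
    root = Path(etc_root)
    (root / "rsyslog.d").mkdir(parents=True, exist_ok=True)
    (root / "rsyslog.conf").write_text(main_conf)
    for name, text in dropins.items():
        (root / "rsyslog.d" / name).write_text(text)

def demo():
    """Run three constructed layouts and return the matching files for each."""
    local_only = "$IncludeConfig /etc/rsyslog.d/*.conf\n*.info /var/log/messages\n"
    cases = {
        "main_file": (local_only + "*.* @loghost.example.com\n", {}),
        "drop_in": (local_only, {"forward.conf": "*.*  @@loghost.example.com:514\n"}),
        "commented": (local_only, {"forward.conf": "#*.* @loghost.example.com\n"}),
    }
    results = {}
    for name, (main_conf, dropins) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, main_conf, dropins)
            results[name] = forwarding_files(tmp)
    return results

if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, "->", hits or "no forwarding rule found")
```

A check limited to rsyslog.conf would report the "drop_in" layout as non-compliant even though forwarding is configured, which is the gap raised in the original question.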