Most of this was just cleanup. Within the services and system directories, "RHEL6" and "RHEL 6" appeared nearly the same number of times -- this patch changes all of them to "RHEL 6" for consistency.
David Smith (3):
  removed extraneous comma
  copy editing
  additional copy editing

 RHEL6/input/intro/intro.xml              | 2 +-
 RHEL6/input/services/dns.xml             | 2 +-
 RHEL6/input/services/ldap.xml            | 2 +-
 RHEL6/input/services/mail.xml            | 2 +-
 RHEL6/input/services/nfs.xml             | 2 +-
 RHEL6/input/services/obsolete.xml        | 2 +-
 RHEL6/input/services/services.xml        | 8 ++++----
 RHEL6/input/system/accounts/accounts.xml | 2 +-
 RHEL6/input/system/logging.xml           | 2 +-
 RHEL6/input/system/network/iptables.xml  | 6 +++---
 RHEL6/input/system/network/wireless.xml  | 2 +-
 RHEL6/input/system/selinux.xml           | 4 ++--
 12 files changed, 18 insertions(+), 18 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/services/nfs.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index c3514dd..2ea11ea 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -254,7 +254,7 @@ RPC then this service should be disabled. <description>Edit the file <tt>/etc/fstab</tt>. For each filesystem whose type (column 3) is <tt>nfs</tt> or <tt>nfs4</tt>, add the text <tt>,nodev,nosuid</tt> to the list of mount options in column 4. If -appropriate, also add <tt>,noexec</tt>. +appropriate, also add <tt>noexec</tt>. <br /><br /> See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS
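Review bot: The comma dropped from <tt>,noexec</tt> in the nfs.xml hunk is part of the literal text the reader is told to append, not sentence punctuation. The preceding sentence gives <tt>,nodev,nosuid</tt> in the same form, with the leading comma acting as the separator in the column 4 option list of /etc/fstab, so after this change the two instructions no longer match and an administrator appending the text as written would run noexec into the previous option. Keep <tt>,noexec</tt> as it was, or reword both sentences so that neither literal carries the separator.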
NACK. This is literal.
On 05/21/2013 04:43 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/services/nfs.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index c3514dd..2ea11ea 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -254,7 +254,7 @@ RPC then this service should be disabled. <description>Edit the file <tt>/etc/fstab</tt>. For each filesystem whose type (column 3) is <tt>nfs</tt> or <tt>nfs4</tt>, add the text <tt>,nodev,nosuid</tt> to the list of mount options in column 4. If -appropriate, also add <tt>,noexec</tt>. +appropriate, also add <tt>noexec</tt>. <br /><br /> See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/services/mail.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index d4c62d5..b2ad09a 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -139,7 +139,7 @@ correct permissions: <title>Configure Postfix if Necessary</title> <description>Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is -/etc/postfix/main.cf. +<tt>/etc/postfix/main.cf</tt>. </description>
<Rule id="postfix_server_banner" severity="medium">
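Review bot: In the mail.xml hunk only /etc/postfix/main.cf gains <tt> markup, while the directory /etc/postfix in the sentence just above it (an unchanged context line) is still plain text. Wrap that path as well, so both paths in this description render the same way.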
ACK. thanks.
On 05/21/2013 04:43 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/services/mail.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index d4c62d5..b2ad09a 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -139,7 +139,7 @@ correct permissions:
<title>Configure Postfix if Necessary</title> <description>Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is -/etc/postfix/main.cf. +<tt>/etc/postfix/main.cf</tt>. </description>
<Rule id="postfix_server_banner" severity="medium">
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/intro/intro.xml | 2 +- RHEL6/input/services/dns.xml | 2 +- RHEL6/input/services/ldap.xml | 2 +- RHEL6/input/services/obsolete.xml | 2 +- RHEL6/input/services/services.xml | 8 ++++---- RHEL6/input/system/accounts/accounts.xml | 2 +- RHEL6/input/system/logging.xml | 2 +- RHEL6/input/system/network/iptables.xml | 6 +++--- RHEL6/input/system/network/wireless.xml | 2 +- RHEL6/input/system/selinux.xml | 4 ++-- 10 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/RHEL6/input/intro/intro.xml b/RHEL6/input/intro/intro.xml index b579be7..6b34ec3 100644 --- a/RHEL6/input/intro/intro.xml +++ b/RHEL6/input/intro/intro.xml @@ -33,7 +33,7 @@ to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly -important. Networks of RHEL6 machines can and should be configured +important. Networks of RHEL 6 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines. </description> diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 0a63e25..3e10347 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -11,7 +11,7 @@ on which it is not needed.</description> <description> DNS software should be disabled on any machine which does not need to be a nameserver. Note that the BIND DNS server software is -not installed on RHEL6 by default. The remainder of this section +not installed on RHEL 6 by default. The remainder of this section discusses secure configuration of machines which must be nameservers. </description> diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index 6eb1368..e70720b 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml 
@@ -82,7 +82,7 @@ https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/... <description>The <tt>openldap-servers</tt> package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. <pre># yum erase openldap-servers</pre> -The openldap-servers RPM is not installed by default on RHEL6 +The openldap-servers RPM is not installed by default on RHEL 6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 0c28d24..e78cfbe 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -4,7 +4,7 @@ services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of -this, many of these services are not installed as part of RHEL6 +this, many of these services are not installed as part of RHEL 6 by default. <br /><br /> Organizations which are running these services should diff --git a/RHEL6/input/services/services.xml b/RHEL6/input/services/services.xml index 088bdce..c2051a8 100644 --- a/RHEL6/input/services/services.xml +++ b/RHEL6/input/services/services.xml 
@@ -2,12 +2,12 @@ <title>Services</title> <description> The best protection against vulnerable software is running less software. This section describes how to review -the software which Red Hat Enterprise Linux installs on a system and disable software which is not needed. It -then enumerates the software packages installed on a default RHEL6 system and provides guidance about which +the software which Red Hat Enterprise Linux 6 installs on a system and disable software which is not needed. It +then enumerates the software packages installed on a default RHEL 6 system and provides guidance about which ones can be safely disabled. <br /><br /> -RHEL6 provides a convenient minimal install option that essentially installs the bare necessities for a functional -system. When building RHEL6 servers it is highly recommended to select the minimal packages and then build up +RHEL 6 provides a convenient minimal install option that essentially installs the bare necessities for a functional +system. When building RHEL 6 servers, it is highly recommended to select the minimal packages and then build up the system from there. </description> </Group> diff --git a/RHEL6/input/system/accounts/accounts.xml b/RHEL6/input/system/accounts/accounts.xml index 5ff3c18..087768f 100644 --- a/RHEL6/input/system/accounts/accounts.xml +++ b/RHEL6/input/system/accounts/accounts.xml @@ -7,6 +7,6 @@ making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under -RHEL6.</description> +RHEL 6.</description> </Group>
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index 6139f98..341e284 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -261,7 +261,7 @@ place to view the status of multiple hosts within the enterprise. <Group id="rsyslog_accepting_remote_messages"> <title>Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a Log Server</title> <description> -By default, RHEL6's <tt>rsyslog</tt> does not listen over the network +By default, <tt>rsyslog</tt> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index ef129f5..ff6fcd2 100644 --- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -1,5 +1,5 @@ <Group id="network-iptables"> -<title>IPTables and Ip6tables</title> +<title>iptables and ip6tables</title> <description>A host-based firewall called Netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program @@ -139,7 +139,7 @@ changes to the firewall configuration because it re-writes the saved configuration file.</warning>
<Rule id="set_iptables_default_rule" severity="medium"> -<title>Set Default IPTables Policy for Incoming Packets</title> +<title>Set Default iptables Policy for Incoming Packets</title> <description>To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in @@ -161,7 +161,7 @@ accepted.</rationale> </Rule>
<Rule id="set_iptables_default_rule_forward" severity="medium"> -<title>Set Default IPTables Policy for Forwarded Packets</title> +<title>Set Default iptables Policy for Forwarded Packets</title> <description>To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index cd16e8c..209b65c 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -45,7 +45,7 @@ normal usage of the wireless capability. <br /><br /> First, identify the interfaces available with the command: <pre># ifconfig -a</pre> ->Additionally,the following command may also be used to +Additionally,the following command may also be used to determine whether wireless support ('extensions') is included for a particular interface, though this may not always be a clear indicator: diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index de30778..46413d4 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -5,7 +5,7 @@ used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. <br /><br /> -The default SELinux policy, as configured on RHEL6, has been +The default SELinux policy, as configured on RHEL 6, has been sufficiently developed and debugged that it should be usable on almost any Red Hat machine with minimal configuration and a small amount of system administrator training. This policy prevents 
@@ -40,7 +40,7 @@ the mode back to enforcing after debugging, set the filesystems to be relabeled for consistency using the command <tt>touch /.autorelabel</tt>, and reboot. <br /><br /> -However, the RHEL6 default SELinux configuration should be +However, the RHEL 6 default SELinux configuration should be sufficiently reasonable that most systems will boot without serious problems. Some applications that require deep or unusual system privileges, such as virtual machine software, may not be compatible
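Review bot: The logging.xml hunk deletes "RHEL6's" outright instead of changing it to "RHEL 6's", which goes beyond the rename the cover letter describes and removes the statement of which system's default the sentence is about. If the intent is only consistency, "By default, RHEL 6's <tt>rsyslog</tt> does not listen over the network" keeps the original meaning; if the removal is deliberate, it deserves a mention in the commit message.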
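Review bot: The wireless.xml hunk removes the stray ">" at the start of the line but leaves "Additionally,the" with no space after the comma. Since this line is already being touched for copy editing, change it to "Additionally, the following command may also be used to".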
ACK, but truly consistent style for IPtable or iptables or whatever is going to be difficult. (style reqs for titles may override others in that particular context.)
On 05/21/2013 04:43 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/intro/intro.xml | 2 +- RHEL6/input/services/dns.xml | 2 +- RHEL6/input/services/ldap.xml | 2 +- RHEL6/input/services/obsolete.xml | 2 +- RHEL6/input/services/services.xml | 8 ++++---- RHEL6/input/system/accounts/accounts.xml | 2 +- RHEL6/input/system/logging.xml | 2 +- RHEL6/input/system/network/iptables.xml | 6 +++--- RHEL6/input/system/network/wireless.xml | 2 +- RHEL6/input/system/selinux.xml | 4 ++-- 10 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/RHEL6/input/intro/intro.xml b/RHEL6/input/intro/intro.xml index b579be7..6b34ec3 100644 --- a/RHEL6/input/intro/intro.xml +++ b/RHEL6/input/intro/intro.xml @@ -33,7 +33,7 @@ to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly -important. Networks of RHEL6 machines can and should be configured +important. Networks of RHEL 6 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines.
</description> diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 0a63e25..3e10347 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -11,7 +11,7 @@ on which it is not needed.</description> <description> DNS software should be disabled on any machine which does not need to be a nameserver. Note that the BIND DNS server software is -not installed on RHEL6 by default. The remainder of this section +not installed on RHEL 6 by default. The remainder of this section discusses secure configuration of machines which must be nameservers. </description> diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index 6eb1368..e70720b 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml @@ -82,7 +82,7 @@ https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht <description>The <tt>openldap-servers</tt> package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. <pre># yum erase openldap-servers</pre> -The openldap-servers RPM is not installed by default on RHEL6 +The openldap-servers RPM is not installed by default on RHEL 6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 0c28d24..e78cfbe 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -4,7 +4,7 @@ services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of -this, many of these services are not installed as part of RHEL6 +this, many of these services are not installed as part of RHEL 6 by default. <br /><br /> Organizations which are running these services should 
diff --git a/RHEL6/input/services/services.xml b/RHEL6/input/services/services.xml index 088bdce..c2051a8 100644 --- a/RHEL6/input/services/services.xml +++ b/RHEL6/input/services/services.xml @@ -2,12 +2,12 @@ <title>Services</title> <description> The best protection against vulnerable software is running less software. This section describes how to review -the software which Red Hat Enterprise Linux installs on a system and disable software which is not needed. It -then enumerates the software packages installed on a default RHEL6 system and provides guidance about which +the software which Red Hat Enterprise Linux 6 installs on a system and disable software which is not needed. It +then enumerates the software packages installed on a default RHEL 6 system and provides guidance about which ones can be safely disabled. <br /><br /> -RHEL6 provides a convenient minimal install option that essentially installs the bare necessities for a functional -system. When building RHEL6 servers it is highly recommended to select the minimal packages and then build up +RHEL 6 provides a convenient minimal install option that essentially installs the bare necessities for a functional +system. When building RHEL 6 servers, it is highly recommended to select the minimal packages and then build up the system from there. </description> </Group> diff --git a/RHEL6/input/system/accounts/accounts.xml b/RHEL6/input/system/accounts/accounts.xml index 5ff3c18..087768f 100644 --- a/RHEL6/input/system/accounts/accounts.xml +++ b/RHEL6/input/system/accounts/accounts.xml @@ -7,6 +7,6 @@ making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under -RHEL6.</description> +RHEL 6.</description> </Group>
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index 6139f98..341e284 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -261,7 +261,7 @@ place to view the status of multiple hosts within the enterprise.
<Group id="rsyslog_accepting_remote_messages"> <title>Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a Log Server</title> <description> -By default, RHEL6's <tt>rsyslog</tt> does not listen over the network +By default, <tt>rsyslog</tt> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index ef129f5..ff6fcd2 100644 --- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -1,5 +1,5 @@ <Group id="network-iptables"> -<title>IPTables and Ip6tables</title> +<title>iptables and ip6tables</title> <description>A host-based firewall called Netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program @@ -139,7 +139,7 @@ changes to the firewall configuration because it re-writes the saved configuration file.</warning>
<Rule id="set_iptables_default_rule" severity="medium"> -<title>Set Default IPTables Policy for Incoming Packets</title> +<title>Set Default iptables Policy for Incoming Packets</title> <description>To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in @@ -161,7 +161,7 @@ accepted.</rationale> </Rule>
<Rule id="set_iptables_default_rule_forward" severity="medium"> -<title>Set Default IPTables Policy for Forwarded Packets</title> +<title>Set Default iptables Policy for Forwarded Packets</title> <description>To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index cd16e8c..209b65c 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -45,7 +45,7 @@ normal usage of the wireless capability. <br /><br /> First, identify the interfaces available with the command: <pre># ifconfig -a</pre> ->Additionally,the following command may also be used to +Additionally,the following command may also be used to determine whether wireless support ('extensions') is included for a particular interface, though this may not always be a clear indicator: diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index de30778..46413d4 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -5,7 +5,7 @@ used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. <br /><br /> -The default SELinux policy, as configured on RHEL6, has been +The default SELinux policy, as configured on RHEL 6, has been sufficiently developed and debugged that it should be usable on almost any Red Hat machine with minimal configuration and a small amount of system administrator training. This policy prevents 
@@ -40,7 +40,7 @@ the mode back to enforcing after debugging, set the filesystems to be relabeled for consistency using the command <tt>touch /.autorelabel</tt>, and reboot. <br /><br /> -However, the RHEL6 default SELinux configuration should be +However, the RHEL 6 default SELinux configuration should be sufficiently reasonable that most systems will boot without serious problems. Some applications that require deep or unusual system privileges, such as virtual machine software, may not be compatible
scap-security-guide@lists.fedorahosted.org