Hi,
RHEL5 ships with /etc/shadow and gshadow set to mode 0400 while RHEL 6 uses mode 0 for those two files.
CCE-3932-1 and CCE-4130-1 require mode 0400.
Changing RHEL 6 to use 0400 causes CCE-14931 (verify files against RPM database) to flag /etc/shadow and gshadow as modified.
Is it better to change /etc/shadow and gshadow to 0400 or use the mode 0 that the files are distributed from Red Hat with?
Thanks
On 8/31/12 3:02 PM, Steve Grubb wrote:
On Friday, August 31, 2012 02:48:24 PM Kenneth Stailey wrote:
Is it better to change /etc/shadow and gshadow to 0400 or use the mode 0 that the files are distributed from Red Hat with?
Use the mode RHEL6 is shipped with. It's more restrictive.
-Steve
Also note those CCEs are for RHEL5 [buried in cce.mitre.org/lists/data/downloads/cce-rhel5-5.20111007.xls]. We inherited them when creating the initial port/update of the SSG from RHEL5 to RHEL6... eventually RHEL6 CCEs will be created.
From: "Kenneth Stailey" kstailey.lists@gmail.com
By using mode 0 for the /etc/shadow and /etc/gshadow files we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Kenneth Stailey (1): Use mode 0 instead of 0400 for shadow and gshadow files
 .../input/checks/file_permissions_etc_gshadow.xml | 2 +-
 RHEL6/input/checks/file_permissions_etc_shadow.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
From: "Kenneth Stailey" kstailey.lists@gmail.com
RHEL6 distributions use mode 0 for the /etc/shadow and /etc/gshadow files.
Signed-off-by: "Kenneth Stailey" kstailey.lists@gmail.com
---
 .../input/checks/file_permissions_etc_gshadow.xml | 2 +-
 RHEL6/input/checks/file_permissions_etc_shadow.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_etc_gshadow.xml b/RHEL6/input/checks/file_permissions_etc_gshadow.xml index ee09d71..077459c 100644 --- a/RHEL6/input/checks/file_permissions_etc_gshadow.xml +++ b/RHEL6/input/checks/file_permissions_etc_gshadow.xml @@ -22,7 +22,7 @@ </unix:file_test> <unix:file_state id="state_1000400" version="1"> - <unix:uread datatype="boolean">true</unix:uread> + <unix:uread datatype="boolean">false</unix:uread> <unix:uwrite datatype="boolean">false</unix:uwrite> <unix:uexec datatype="boolean">false</unix:uexec> <unix:gread datatype="boolean">false</unix:gread> diff --git a/RHEL6/input/checks/file_permissions_etc_shadow.xml b/RHEL6/input/checks/file_permissions_etc_shadow.xml index 4585ac2..d1e42ae 100644 --- a/RHEL6/input/checks/file_permissions_etc_shadow.xml +++ b/RHEL6/input/checks/file_permissions_etc_shadow.xml @@ -22,7 +22,7 @@ </unix:file_test> <unix:file_state id="state_1000401" version="1"> - <unix:uread datatype="boolean">true</unix:uread> + <unix:uread datatype="boolean">false</unix:uread> <unix:uwrite datatype="boolean">false</unix:uwrite> <unix:uexec datatype="boolean">false</unix:uexec> <unix:gread datatype="boolean">false</unix:gread>
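Review bot: the two hunks change only uread (true to false) in state_1000400 and state_1000401, so a file at the RHEL5-shipped 0400, or one an admin already tightened to 0400 to satisfy the previous version of these checks, now fails both; the diffstat lists only these two OVAL files, so any rule description or remediation text that accompanies them and still tells the reader to set 0400 (the thread notes CCE-3932-1 and CCE-4130-1 do) should be updated in the same change so the check and its guidance agree.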
On 9/4/12 8:50 PM, Kenneth Stailey wrote:
Ack. Please push or indicate you need someone to do so for you.
Thanks for doing this!
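To make concrete what the patched states demand, here is an added example (mine, not code from the thread or the SCAP Security Guide project): it parses a unix:file_state like state_1000401 and evaluates a file against it bit by bit, the way an OVAL scanner does. The two states are constructed from the hunk's visible lines; the bits the hunk does not show (gwrite through oexec) are assumed false, and the OVAL unix namespace URI is assumed.

```python
# Added example, not the thread's or the SSG project's code: evaluate an OVAL unix:file_state bit by bit.
import os, stat, tempfile
import xml.etree.ElementTree as ET

UNIX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"  # assumed OVAL unix namespace
# Each unix:file_state permission element and the st_mode bit it asserts.
BIT_FOR = {
    "uread": stat.S_IRUSR, "uwrite": stat.S_IWUSR, "uexec": stat.S_IXUSR,
    "gread": stat.S_IRGRP, "gwrite": stat.S_IWGRP, "gexec": stat.S_IXGRP,
    "oread": stat.S_IROTH, "owrite": stat.S_IWOTH, "oexec": stat.S_IXOTH,
}

def file_state(uread):
    """Constructed state_1000401: uread as given, every other bit false (bits the hunk omits assumed false)."""
    bits = [("uread", uread)] + [(n, "false") for n in BIT_FOR if n != "uread"]
    body = "".join(f'<unix:{n} datatype="boolean">{v}</unix:{n}>' for n, v in bits)
    return (f'<unix:file_state xmlns:unix="{UNIX_NS}" id="state_1000401" version="1">'
            f"{body}</unix:file_state>")

STATE_BEFORE_PATCH = file_state("true")   # the old check: owner-read set, i.e. 0400
STATE_AFTER_PATCH = file_state("false")   # the patched check: no bits set, mode 0

def asserted_bits(state_xml):
    """Map st_mode bit -> wanted value for every permission element present in the state."""
    wanted = {}
    for child in ET.fromstring(state_xml):
        name = child.tag.split("}")[-1]          # strip the namespace prefix
        if name in BIT_FOR:
            wanted[BIT_FOR[name]] = child.text.strip() == "true"
    return wanted

def expected_mode(state_xml):
    """Mode a file needs to satisfy every asserted bit (bits wanted false or unasserted stay 0)."""
    return sum(bit for bit, on in asserted_bits(state_xml).items() if on)

def evaluate(state_xml, path):
    """True when the file's mode agrees with every bit the state asserts, as a scanner would decide."""
    actual = os.stat(path).st_mode
    return all(bool(actual & bit) == on for bit, on in asserted_bits(state_xml).items())

def evaluate_at_mode(state_xml, mode):
    """Run the state against a scratch file chmod'ed to `mode`; the file is removed afterwards."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return evaluate(state_xml, path)
    finally:
        os.remove(path)
```

On a RHEL6 host, `rpm -Vf /etc/shadow` shows the RPM side of the same comparison: its M flag marks a mode that differs from the one the package recorded, which is what the thread's CCE-14931 check flagged once the files had been changed to 0400.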
Just to add: CCEs don't actually require anything in themselves. Technically, the CCE serves only to indicate that we are talking about the permissions on that file (and perhaps provide a selection of choices, from which baselines may select a requirement.)
http://cce.mitre.org/lists/cce_list.html
And thanks for the QA / improving the content!
Thanks
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
I'm certain others will correct me if I am wrong, but...
CCEs should not be shared between successive generations of operating system software. I just did a quick compare of the CCEs for RHEL5 and RHEL4 and the CCE IDs do not overlap. The only RHEL4 CCE corresponding to the RHEL5 /etc/*shadow permissions CCEs is CCE-5735-6 for /etc/shadow perms; there is no RHEL4 CCE referencing /etc/gshadow perms.
I cannot find a specific FAQ entry or explanation, beyond 'A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies' in several places on cce.mitre.org.
Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, llc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Jeffrey Blank
Sent: Friday, August 31, 2012 5:14 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: /etc/shadow and gshadow mode 0400 or 0?
You are entirely right. This is being worked.
The only reason the RHEL 5 CCEs are currently in the content is to facilitate their easy replacement with RHEL 6 ones (if a mapping is provided), once they are available.
This transform was provided in order to enable correction of the ones that are simply wrong (as in wrong semantically, and not just with regard to version mismatch): http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-table...
On 08/31/2012 06:04 PM, Steinke, Leland J CTR DISA FSO (US) wrote:
I'm certain others will correct me if I am wrong, but...
CCEs should not be shared between successive generations of operating system software.
I will not correct you, but ask for a citation for such an assertion. It may well be a doctrine held by some. Best that the proponents be outed. At a minimum, it would be a good idea to have a reference to the origin of the idea at which to focus adversity thereon.
Whether or not one can be provided, I'll additionally assert that such an idea is sadly deficient in common sense.
If indeed there exists such a citation, it provides a locus at which such an idea can be reviled, as is proper for such ideas.
Regards,
Gary