I see the wording as literal: "Run the following command to verify that |/(whateverfs)| lives on its own partition:" -- The text in question was automatically generated from the macros that were pushed early last week. There is nothing below to me that indicates that your system is "compliant" (I am not sure how you determined that). It simply informed you that your /tmp slice lives on: "/dev/mapper/vg_rhel6-lv_root" -- which tells you that you aren't compliant with the policy, right?
Right -- but I think we're after making it a little more obvious.
When I asked the same question, I was told that it was up to the user to interpret the output of the provided texts -- in order to determine if the system in question is compliant, or non-compliant.
Right -- but I think we want to make it a little more obvious.
Not to script the Check Text commands -- to provide a response which then informs the end user how to the response. I started down a similar path (which I think you're also foreseeing) and was asked to curb that for the time being. I was in fact getting a bit too granular, and scripty with the checks that I was writing, which now is a moot point since the macros that were implemented (pretty much) took care of the bulk of the text that we now see in that column, negating and/or erasing what I had provided in the weeks prior - which was more along the lines of what I think you would like to see.
Not sure how you want to handle this one, but that is what I have been
told. What would you prefer to do for all of the FS / Slice / LV checks?
If you see here:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel5-ta...
...and then look for "V-23739" you can see the approach taken for the
RHEL 5 STIG. It's okay, if a bit scripty. The goal is to provide a
command that is:
1) easy to enter
2) easy to understand the output of
And this is for humans, not machines. For most of these, the OVAL will
get evaluated and that will be just fine.
The approach for the RHEL 5 STIG was okay, but could perhaps be easier.
(I'm not asserting, just suggesting.) Please edit the macros if they
can be improved.
On 09/30/2012 02:57 PM, Shawn Wells wrote:
> On 9/28/12 1:17 PM, Michael J. McConachie wrote:
>>
>> 0001-Test-tags-added-to-input-system-software-disk_partit.patch
>> From 6c89fda05476255dc941b8ebe6c72d989ca3a3b7 Mon Sep 17 00:00:00 2001
>> From: Michael McConachie <michael(a)redhat.com>
<mailto:michael@redhat.com>
>> Date: Fri, 28 Sep 2012 13:17:03 -0400
>> Subject: [PATCH] Test tags added to
>> input/system/software/disk_partitioning.xml
>>
>> ---
>> RHEL6/input/system/software/disk_partitioning.xml | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/RHEL6/input/system/software/disk_partitioning.xml
b/RHEL6/input/system/software/disk_partitioning.xml
>> index e678d61..ef2ef29 100644
>> --- a/RHEL6/input/system/software/disk_partitioning.xml
>> +++ b/RHEL6/input/system/software/disk_partitioning.xml
>> @@ -38,8 +38,9 @@ Placing <tt>/tmp</tt> in its own partition enables
the setting of more
>> restrictive mount options, which can help protect programs which use it.
>> </rationale>
>> <ident cce="14161-4"/>
>> -<oval id="mount_tmp_own_partition" />
>> +<oval id="mount_tmp_own_partition"/>
>> <ref nist="CM-6" />
>> +<tested by="MM" on="20120928"/>
>> </Rule>
>>
>> <Rule id="partition_for_var">
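Review bot: the `-<oval id="mount_tmp_own_partition" />` / `+<oval id="mount_tmp_own_partition"/>` pair is a whitespace-only change unrelated to the tested tags the subject line announces; drop it or mention it in the commit message so the diff stays reviewable. For this rule in particular, the Nack below shows `df -h /tmp` reporting the root logical volume on a system that is not compliant, so the `<tested by="MM" on="20120928"/>` claim is premature until the check text lets a reader tell compliant from non-compliant output.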
>> @@ -59,6 +60,7 @@ world-writable directories, installed by other software
packages.
>> <ident cce="14777-7"/>
>> <oval id="mount_var_own_partition" />
>> <ref nist="CM-6" />
>> +<tested by="MM" on="20120928"/>
>> </Rule>
>>
>> <Rule id="partition_for_var_log">
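Review bot: `<tested by="MM" on="20120928"/>` records initials and a date but nothing about what was tested (the OVAL check evaluated, the manual check text exercised, or both), and the commit message does not say either; a one-line statement of the test method in the commit message would make these tags meaningful when someone reads them later.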
>> @@ -77,6 +79,7 @@ and other files in <tt>//var//</tt>.
>> <ident cce="14011-1" />
>> <oval id="mount_var_log_own_partition" />
>> <ref nist="CM-6, AU-9" />
>> +<tested by="MM" on="20120928"/>
>> </Rule>
>>
>> <Rule id="partition_for_var_log_audit">
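Review bot: the context line `and other files in <tt>//var//</tt>.` shows doubled slashes that look like a typo in the existing description; it is outside this change, but since the text reaches the rendered guide it is worth a follow-up fix.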
>> @@ -98,6 +101,7 @@ of space.
>> <ident cce="14171-3" />
>> <oval id="mount_var_log_audit_own_partition" />
>> <ref nist="CM-6, AU-9" disa="137"/>
>> +<tested by="MM" on="20120928"/>
>> </Rule>
>>
>> <Rule id="partition_for_home">
>> @@ -118,6 +122,7 @@ users cannot trivially fill partitions used for log or audit
data storage.
>> <ident cce="14559-9" />
>> <oval id="mount_home_own_partition" />
>> <ref nist="CM-6"/>
>> +<tested by="MM" on="20120928"/>
>> </Rule>
>>
>> <Group id="partition_encryption" >
>> -- 1.7.11.4
>
> Nack
>
>
> OCIL unclear. According to current wording, my system config is compliant:
> $ df -h /tmp
> Filesystem Size Used Avail Use% Mounted on
> /dev/mapper/vg_rhel6-lv_root
> 5.5G 3.0G 2.2G 58% /
>
> clearly it is not
>
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
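The thread above asks for check text whose output tells a human directly whether a directory is its own partition, instead of leaving them to interpret raw `df` output. The following is an added example, not code from the SCAP Security Guide or from anyone in the thread: a POSIX shell function that makes that determination and prints a one-line verdict. The function name `own_partition`, the `--check-all` option and the return-code convention are my own choices; the list of directories it checks mirrors the five rules touched by the patch.

```shell
#!/bin/sh
# Added example (not part of the SSG tree): report, in plain words, whether a
# directory is the root of its own filesystem, so the check output needs no
# interpretation by the reader.

# own_partition PATH
#   Prints one line and returns 0 if PATH is a mount point, 1 if it merely
#   lives inside some other filesystem, 2 if PATH does not exist.
own_partition() {
    path=$1
    # Canonicalise: resolve symlinks and strip trailing slashes so that the
    # comparison against df's "Mounted on" column is exact.
    canon=$(cd -P "$path" 2>/dev/null && pwd -P) || {
        printf 'NOT COMPLIANT: %s does not exist or is not a directory\n' "$path"
        return 2
    }
    # POSIX "df -P" guarantees one line per filesystem (no wrapping of long
    # device names, which is what makes "df -h" output hard to read):
    #   Filesystem 1024-blocks Used Available Capacity Mounted on
    line=$(df -P "$canon" | awk 'NR == 2')
    dev=$(printf '%s\n' "$line" | awk '{print $1}')
    mnt=$(printf '%s\n' "$line" | awk '{print $6}')
    if [ "$mnt" = "$canon" ]; then
        printf 'COMPLIANT: %s is its own filesystem (%s mounted on %s)\n' \
            "$path" "$dev" "$mnt"
        return 0
    fi
    printf 'NOT COMPLIANT: %s resides on the %s filesystem (%s), not its own partition\n' \
        "$path" "$mnt" "$dev"
    return 1
}

# Stand-alone use: check the five directories covered by the partition rules
# in the patch. Runs only when invoked with --check-all, so the file can also
# be sourced for its function.
if [ "${1-}" = "--check-all" ]; then
    rc=0
    for d in /tmp /var /var/log /var/log/audit /home; do
        own_partition "$d" || rc=1
    done
    exit $rc
fi
```

Run it as `sh own_partition.sh --check-all`; a non-zero exit means at least one directory is not on its own partition, and each line says which filesystem it actually lives on. The sixth field of `df -P` is taken as the mount point, so a mount point whose name contains spaces would be truncated; on such systems compare device numbers with `stat` instead.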