Add remaining STIG XCCDF content for RHEL6 and RHEL7#2439
Add remaining STIG XCCDF content for RHEL6 and RHEL7#2439shawndwells merged 4 commits intoComplianceAsCode:masterfrom
Conversation
redhatrises
added
bugfix
redhatrises
force-pushed
the
add_remaining_xccdf
branch
from
1882ad0 to
625c2ac
Compare
| be forwarded to at least one monitored email address. | ||
| </rationale> | ||
| <ident cce="80508-5"/> | ||
| <oval id="postfix_client_configure_mail_alias" value="var_postfix_root_mail_alias" /> |
There was a problem hiding this comment.
Wouldn't this check fail unless root aliases are set to system.administrator@mail.mil?
There was a problem hiding this comment.
Because postfix_client_configure_mail_alias doesn't have OVAL yet, should this line be removed? Would rather have notchecked and not have to think there is unlinked OVAL lurking around
There was a problem hiding this comment.
Shouldn't:
WARNING: OVAL check 'postfix_client_configure_mail_alias' was not found, removing <check-content> element from the XCCDF rule.
| <ref nist="AC-2" disa="178" /> | ||
| </Rule> | ||
|
|
||
| <Rule id="no_password_auth_for_systemaccounts" severity="medium"> |
There was a problem hiding this comment.
Why is this a medium severity? Shouldn't it be low, given there are no logins permitted to system accounts in the first place?
There was a problem hiding this comment.
Edit: Nevermind. I see this is just to fall in line with DISA
| run the following command: | ||
| <pre>$ sudo grep "set root='hd0" /boot/grub2/grub.cfg</pre> | ||
| The output should return something similar to: | ||
| <pre>set root='hd0,msdos1'</pre> |
There was a problem hiding this comment.
Should we give examples of removable media?
set root='hd0,msdos1,cdrom' is similar to the example output
There was a problem hiding this comment.
@shawndwells added this:
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
| run the following command: | ||
| <pre>$ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg</pre> | ||
| The output should return something similar to: | ||
| <pre>set root='hd0,msdos1'</pre> |
There was a problem hiding this comment.
Example of what a removable media entry would be?
There was a problem hiding this comment.
@shawndwells added this:
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
|
Thanks @shawndwells |
2 participants
Description:
Rationale: