[Clip] CLIP kickstart file adds overly restrictive permissions to cron files
Joe_Wulf
Joe_Wulf at yahoo.com
Sat Mar 28 22:17:08 CDT 2009
I believe the Unix Checklist is from DISA, at iase.disa.mil, and it is publicly
available at the following link:
http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20090215.ZIP
The companion Security Technical Implementation Guide (STIG) is also publicly
available, at:
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
R,
-Joe Wulf, CISSP, VCP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
-----Original Message-----
From: clip-bounces at oss.tresys.com [mailto:clip-bounces at oss.tresys.com] On Behalf
Of James Homer
Sent: Friday, March 27, 2009 13:05
To: clip at oss.tresys.com
Subject: [Clip] CLIP kickstart file adds overly restrictive permissions to cron
files
I have been doing some testing of a customised logrotate configuration and I think
that the files in
/etc/cron.daily (and others)
have the permissions set to be too restrictive to allow them to function as
expected. I have set the permissions as follows
-rwx------ 1 root root 183 Mar 27 04:07 /etc/cron.daily/logrotate
and the log rotation appears to now work under the control of crond. This may be
the desired behaviour; however, the notes in the kickstart file suggest that some
may require 700, but I don't have access to the UNIX checklist mentioned.
<snip>
## ... The SA will ensure crontabs have
## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
## is detailed in the UNIX Checklist).
chmod -R 600 /etc/cron.daily
chmod -R 600 /etc/cron.hourly
chmod -R 600 /etc/cron.weekly
chmod -R 600 /etc/cron.monthly
chmod 600 /etc/crontab
chmod -R 600 /etc/cron.d
</snip>
I am happy to update this locally for my purposes but thought I should bring it
to light. The lines I would suggest need changing are
chmod -R 700 /etc/cron.daily
chmod -R 700 /etc/cron.hourly
chmod -R 700 /etc/cron.weekly
chmod -R 700 /etc/cron.monthly
--
James Homer CEng MBCS CITP
Senior Technical Consultant
CESG Listed Advisor Scheme Member
Nexor
DDI: +44 (0) 115 952 0587
Tel: +44 (0) 115 952 0500
Fax: +44 (0) 115 952 0519
mailto:james.homer at nexor.com
http://www.nexor.com
_______________________________________________
Clip mailing list
Clip at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/clip
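An added example, not part of either message or of the CLIP kickstart: a shell check for the two requirements discussed in this thread, that scripts in the run-parts directories keep the owner execute bit while crontab files stay at 600 or more restrictive. The `audit_cron` function, its finding labels and its optional root-prefix argument are assumptions made for illustration, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the CLIP kickstart). Assumes GNU stat (stat -c).
# audit_cron [ROOT]: ROOT is a hypothetical prefix so the check can be pointed
# at a test tree; with no argument it audits the live /etc.
# Prints one finding per line and returns 1 if anything was found.
audit_cron() {
    root=${1:-}
    rc=0
    # Directories of scripts started by run-parts: each file needs the owner
    # execute bit and no group/other bits (700 or 500).
    for d in cron.hourly cron.daily cron.weekly cron.monthly; do
        for f in "$root/etc/$d"/*; do
            [ -f "$f" ] || continue
            mode=$(stat -c '%a' "$f")
            if [ $((0$mode & 0100)) -eq 0 ]; then
                echo "NOEXEC $mode $f"; rc=1
            fi
            if [ $((0$mode & 077)) -ne 0 ]; then
                echo "TOO_OPEN $mode $f"; rc=1
            fi
        done
    done
    # Crontab files are read by crond, never executed: 600 or more restrictive.
    for f in "$root/etc/crontab" "$root/etc/cron.d"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $((0$mode & 0177)) -ne 0 ]; then
            echo "TOO_OPEN $mode $f"; rc=1
        fi
    done
    return $rc
}

# Audit the live system only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
    audit_cron
fi
```

A `NOEXEC 600` finding on `/etc/cron.daily/logrotate` corresponds to the state produced by the `chmod -R 600` lines quoted above.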