[Clip] DISA STIG SRR Scripts

Eric Gearhart eric at nixwizard.net
Tue Sep 8 18:46:19 CDT 2009


On Tue, Sep 8, 2009 at 10:25 AM, Bryan Schneiders <bschneiders at woti.com> wrote:

> How often are the CLIP releases tested against the DISA STIG System
> Readiness Review scripts?
> http://iase.disa.mil/stigs/SRR/unix.html
>
>
Bryan,

I used the CLIP rpms as a starting-off point, but I did have to script in
several fixes in order to get a clean Unix SRR. Sometimes the Unix SRR looks
in the wrong place as well; for example, some of the PAM settings are in
/etc/pam.d/system-auth and that file is included from other PAM files... the
SRR script wasn't expecting that to be the case. That's just one example off
the top of my head.


Here's a small sample of fixes I happen to have open in Notepad right now
that I've implemented on the boxes we are DIACAPing:

find /usr/share/man  -type f -print | xargs -n 1 chmod -w
find /usr/share/info -type f -print | xargs -n 1 chmod -w

find /var/log -type f | grep -v acpid | xargs -n 1 chmod 640

chmod 740 /home/*/.login
chmod 740 /home/*/.cshrc
chmod 740 /home/*/.logout
chmod 740 /home/*/.profile
chmod 740 /home/*/.bash_profile
chmod 740 /home/*/.bashrc
chmod 740 /home/*/.bash_logout
chmod 740 /home/*/.env
chmod 740 /home/*/.dispatch
chmod 740 /home/*/.emacs
chmod 740 /home/*/.exrc

perl -i -pe 's/#ClientAliveInterval 0/ClientAliveInterval 60/g' /etc/ssh/sshd_config
perl -i -pe 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config

perl -i -pe 's/minlen=12/minlen=14/g'  /etc/pam.d/system-auth

chmod 700  /etc/cron.daily/cups

chmod 640 /selinux/member
chmod 640 /selinux/user
chmod 640 /selinux/relabel
chmod 640 /selinux/create
chmod 640 /selinux/access
chmod 640 /selinux/context

--
Eric
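An added example, not code from Eric's post: a small sh script that performs three of the checks behind the fixes above the way a more careful SRR pass would. It follows PAM "include" lines so a setting that lives in system-auth is found when auditing another service (the case Eric describes), reads only uncommented sshd_config keys (so a "#ClientAliveInterval 0" default is reported as unset), and checks a dotfile against the 740 rule. The config files it creates are constructed samples, and it assumes GNU stat and mktemp.

```shell
# Added example (not from the post); the config files below are constructed samples.
# First uncommented value of KEY in an sshd_config (sshd uses the first match);
# prints nothing when only the commented-out default is present.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) && !hit { print $2; hit = 1 }' "$1"
}

# Locate PATTERN for a PAM service, following "type include|substack <file>" and
# "@include <file>" lines (how sshd picks up system-auth). Prints "file:line".
pam_find_setting() (
    dir=$1 svc=$2 pat=$3 file="$1/$2"
    [ -f "$file" ] || return 1
    line=$(grep -n -- "$pat" "$file" | grep -v '^[0-9]*:[[:space:]]*#' | head -n 1)
    if [ -n "$line" ]; then printf '%s:%s\n' "$svc" "${line%%:*}"; return 0; fi
    for inc in $(awk '$1 ~ /^#/ { next }
                      $1 == "@include" { print $2; next }
                      $2 == "include" || $2 == "substack" { print $3 }' "$file"); do
        pam_find_setting "$dir" "$inc" "$pat" && return 0
    done
    return 1
)

# True when FILE grants no permission bit beyond MAXMODE (octal), e.g. 740.
# Assumes GNU stat; special bits (setuid/sticky) are masked off.
mode_within() { [ $(( 0$(stat -c %a "$1") & ~0$2 & 0777 )) -eq 0 ]; }

# Constructed samples: sshd_config with the interval still commented out,
# pam.d/sshd pulling minlen in via system-auth, and a dotfile at mode 664.
make_sample_configs() {
    d=$(mktemp -d); mkdir -p "$d/pam.d"
    printf '%s\n' '#ClientAliveInterval 0' 'ClientAliveCountMax 3' > "$d/sshd_config"
    printf '%s\n' 'auth include system-auth' 'account include system-auth' > "$d/pam.d/sshd"
    printf '%s\n' '#password requisite pam_cracklib.so minlen=8' \
        'password requisite pam_cracklib.so retry=3 minlen=14' > "$d/pam.d/system-auth"
    : > "$d/.bashrc"; chmod 664 "$d/.bashrc"
    echo "$d"
}

# Print SRR-style findings for one sample tree (always exits 0; count FINDING lines).
srr_report() {
    v=$(sshd_setting "$1/sshd_config" ClientAliveInterval)
    [ -n "$v" ] || echo "FINDING sshd_config: ClientAliveInterval only present as commented default"
    where=$(pam_find_setting "$1/pam.d" sshd 'minlen=') || where="not found"
    echo "INFO pam: minlen for service sshd resolved to $where"
    mode_within "$1/.bashrc" 740 || echo "FINDING .bashrc: mode $(stat -c %a "$1/.bashrc") exceeds 740"
}

sample=$(make_sample_configs)
srr_report "$sample"
rm -rf "$sample"
```

On a real host, point the same functions at /etc/ssh/sshd_config, /etc/pam.d and the home-directory dotfiles instead of the sample tree.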