[Clip] DISA STIG SRR Scripts

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 9 06:48:15 CDT 2009


On Tue, 2009-09-08 at 16:46 -0700, Eric Gearhart wrote:
> On Tue, Sep 8, 2009 at 10:25 AM, Bryan Schneiders
> <bschneiders at woti.com> wrote:
>         How often are the CLIP releases tested against the DISA STIG
>         System Readiness Review scripts?
>         http://iase.disa.mil/stigs/SRR/unix.html
>         
> 
> Bryan, 
> 
> I used the CLIP rpms as a starting off point, but I did have to
> script in several fixes in order to get a clean Unix SRR. Sometimes
> the Unix SRR looks in the wrong place as well, for example some of the
> PAM settings are in /etc/pam.d/system-auth and that file is included
> from other PAM files... the SRR script wasn't expecting that to be the
> case. That's just one example off the top of my head
> 
> 
> Here's a small sample of fixes I happen to have open in Notepad right
> now that I've implemented on the boxes we are DIACAPing:
> 
> find /usr/share/man  -type f -print | xargs -n 1 chmod -w
> find /usr/share/info -type f -print | xargs -n 1 chmod -w
> 
> find /var/log -type f | grep -v acpid | xargs -n 1 chmod 640
> 
> chmod 740 /home/*/.login
> chmod 740 /home/*/.cshrc
> chmod 740 /home/*/.logout
> chmod 740 /home/*/.profile
> chmod 740 /home/*/.bash_profile
> chmod 740 /home/*/.bashrc
> chmod 740 /home/*/.bash_logout
> chmod 740 /home/*/.env
> chmod 740 /home/*/.dispatch
> chmod 740 /home/*/.emacs
> chmod 740 /home/*/.exrc
> 
> perl -i -pe 's/#ClientAliveInterval 0/ClientAliveInterval 60/g' /etc/ssh/sshd_config
> perl -i -pe 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
> 
> perl -i -pe 's/minlen=12/minlen=14/g'  /etc/pam.d/system-auth
> 
> chmod 700  /etc/cron.daily/cups
> 
> chmod 640 /selinux/member
> chmod 640 /selinux/user
> chmod 640 /selinux/relabel
> chmod 640 /selinux/create
> chmod 640 /selinux/access
> chmod 640 /selinux/context

/selinux is a pseudo filesystem generated by the kernel, so the chmod
commands above won't persist across reboot.  And they may break
functionality, as existing applications expect to be able to use the
SELinux APIs without having to be root (SELinux itself controls the
ability to use those interfaces).  Those pseudo files are transaction
files - the application writes a request to them and reads back a reply
from the kernel.

-- 
Stephen Smalley
National Security Agency
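As an added illustration of the point above (not part of the thread, and not CLIP or SRR code), here is a small audit that flags chmod targets living on kernel pseudo filesystems such as selinuxfs, where the mode change is regenerated away on the next boot. The /proc/mounts table and the fix list are constructed samples modelled on the commands quoted in the thread.

```python
"""Flag chmod targets on kernel pseudo filesystems (changes do not persist)."""
import shlex

# Filesystem types whose contents are generated by the kernel at mount time;
# a chmod on them is lost at reboot (assumed list, extend as needed).
PSEUDO_FS_TYPES = {"selinuxfs", "proc", "sysfs", "securityfs", "debugfs",
                   "devtmpfs", "tmpfs", "cgroup"}

# Constructed /proc/mounts sample: device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
/dev/sda3 /var ext3 rw 0 0
"""

# Constructed fix list, patterned on the chmod lines quoted in the thread.
SAMPLE_FIXES = """\
chmod 640 /selinux/member
chmod 640 /selinux/access
chmod 700 /etc/cron.daily/cups
chmod 740 /home/*/.bashrc
"""

def parse_mounts(mounts_text):
    """Parse /proc/mounts-style lines into {mountpoint: fstype}."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts encodes a space in a mountpoint as \040
            table[fields[1].replace("\\040", " ")] = fields[2]
    return table

def fstype_for(path, mounts):
    """Return the fstype of the mount holding path (longest mountpoint prefix)."""
    best = max((mp for mp in mounts
                if path == mp or path.startswith(mp.rstrip("/") + "/")),
               key=len, default=None)
    return mounts.get(best)

def nonpersistent_chmods(script_text, mounts):
    """Return (command, path, fstype) for each bare chmod aimed at a pseudo fs."""
    flagged = []
    for line in script_text.splitlines():
        words = shlex.split(line, comments=True)
        if not words or words[0] != "chmod":
            continue  # only direct chmod invocations are examined
        for arg in words[1:]:
            fstype = fstype_for(arg, mounts) if arg.startswith("/") else None
            if fstype in PSEUDO_FS_TYPES:
                flagged.append((line.strip(), arg, fstype))
    return flagged

if __name__ == "__main__":
    for cmd, path, fstype in nonpersistent_chmods(SAMPLE_FIXES, parse_mounts(SAMPLE_MOUNTS)):
        print(f"will not persist: {cmd!r} ({path} is on {fstype})")
```

On a live host, feed the output of `cat /proc/mounts` and the actual hardening script in place of the two samples.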