Release Notes for Cisco CDA Visual Quality Experience Application Release 3.10
Supporting Software Hardening Guides and VQE
Linux Security Checklist
Document: Linux Security Checklist, Version 2
Document URL: http://www.sans.org/score/checklists/linuxchecklist.pdf
For the Linux operating system, the following are SANS requirements where following the specific
recommendations of the guide would likely break behavior that VQE implements.
Page 2, item 2: “System Patches”. Customers should obtain all system patches through Cisco
support, and not directly from Red Hat. Cisco will provide timely patches and notifications to
customers to address security concerns that may arise within the components of the Linux
distribution.
Page 3, item 3: “Disabling Unnecessary Services”. All unnecessary services have been disabled on
the shipped product. VQE customers should not normally need to disable any of the services that
are enabled by default after the product is installed.
Page 3, item 5: “Default Password Policy”. The default password settings for the VQE-S are set in
/etc/pam.d/system-auth-ac rather than in /etc/login.defs. See 'man pam_passwdqc' for more
information.
Page 7, item 13: “System Logging”. The VQE-S includes a modified version of syslogd, which is
customized in order to support certain VQE-S functions. VQE customers must therefore not replace
syslog with syslog-ng, as suggested in this item.
Page 11, item 20: “Selinux”. SELinux functionality is disabled on the VQE-S in its factory
configuration, and it should not be enabled. Enabling the SELinux functions on the VQE-S may have
unexpected consequences.
The 60 Minute Network Security Guide
The NSA's The 60 Minute Network Security Guide has guidance relevant to the Apache web server and
the VQE Server software.
Document: The 60 Minute Network Security Guide, Version 2.1
Document URL: http://www.nsa.gov/ia/_files/support/I33-011R-2006.pdf
If VQE customers follow the instructions in the "Unix Web Servers" section of The 60 Minute Network
Security Guide, doing so will not break the VQE web application system.
The following guidance applies to VQE Server software except for the Apache web server, which was
discussed in the preceding paragraph.
Pages 10 and 40: “Follow The Concept Of Least Privilege”. This section recommends reducing the
privileges of common system utilities such as configuration tools and script interpreters. Some of
these utilities may be used by the VQE-S software, and their permissions should not be modified.
Page 35, item 2: “Services and Port”. All unnecessary services have been disabled on the shipped
product. VQE customers should not normally need to disable any of the services that are enabled by
default after the product is installed.
Page 36, item 2: “Permissions”. Some VQE-S services require SUID/SGID permissions. The
permissions of these files, along with every other VQE-S related file, should not be modified.
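
A post-hardening check for the SELinux, password-policy and SUID/SGID items above, as an added example that is not part of the Cisco release notes or the VQE-S software. It assumes GNU find and stat, and that the SELinux state is recorded in /etc/selinux/config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Cisco code). Function names are hypothetical.
# $1 is a filesystem root: "/" on a real host, or a constructed test tree.

# Print "mode owner:group path" for every SUID/SGID regular file, sorted by path.
snapshot_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | sort -k3
}

# Diff the current SUID/SGID set under $1 against baseline file $2.
# Prints the drift; returns 0 if identical, 1 if anything changed.
check_suid_drift() {
    current=$(mktemp) || return 2
    snapshot_suid "$1" > "$current"
    if diff "$2" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return "$rc"
}

# Assumption: the factory "disabled" state is recorded in /etc/selinux/config.
selinux_disabled() {
    grep -Eq '^[[:space:]]*SELINUX=disabled[[:space:]]*$' "$1/etc/selinux/config"
}

# The password policy should still be a pam_passwdqc line in system-auth-ac.
passwdqc_configured() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_passwdqc\.so' \
        "$1/etc/pam.d/system-auth-ac"
}

# Run every check; the return value is the number of failed checks.
vqe_post_hardening_check() {
    fails=0
    selinux_disabled "$1" ||
        { echo "FAIL: SELinux is not disabled in config"; fails=$((fails + 1)); }
    passwdqc_configured "$1" ||
        { echo "FAIL: pam_passwdqc missing from system-auth-ac"; fails=$((fails + 1)); }
    check_suid_drift "$1" "$2" ||
        { echo "FAIL: SUID/SGID files changed since baseline"; fails=$((fails + 1)); }
    return "$fails"
}
```

Take the baseline with `snapshot_suid / > baseline` before applying either guide, then run `vqe_post_hardening_check / baseline` afterwards; any FAIL line points at a change the notes above say not to make.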