Doug,

What *nix flavors are you seeing this on (uname -a)? Also, would you please send me the pertinent .audit file portions? I'd like to test this. Thanks!

Paul Davis

Doug Nordwall wrote:
> So, we have boxes (many) with 2 UID 0 accounts. Most compliance checks
> that look for root ownership report back that the file is owned by the
> second UID 0 account. For instance
>
> 6.4 Verify /etc/shadow File Permissions : [FAILED]\n\nFile :
> /etc/shadow\nRemote value: owner: mymyroot group: root mode: 0400 attr:
> ------------- \nPolicy value: owner: root group: root mode: 0400 \n\n
>
>
> when in fact it's owned by UID 0. Here's some other interesting nuances
> to that
>
> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd root
> root:x:0:0:root:/root:/bin/bash
>
> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd myroot
> myroot:x:0:0:My Root:/myroot:/bin/csh
>
> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd 0
> root:x:0:0:root:/root:/bin/bash
>
> [10:43 AM - [EMAIL PROTECTED] ~] ls -al /etc/shadow
> -r-------- 1 root root 1097 Jun 2 03:04 /etc/shadow
>
> [10:45 AM - [EMAIL PROTECTED] ~] cat /etc/passwd | grep ":0:"
> root:x:0:0:root:/root:/bin/bash
> myroot:x:0:0:My Root:/myroot:/bin/csh
>
>
> So, the second UID 0 account is after root in the passwd file. getent
> returns the right value, listing the root account. Also, my own test
> using a sudo account shows that it's doing an ls -lnd on /etc/passwd,
> and that even reports back uid 0. So, I'm guessing that the compliance
> check is taking the last entry. This is causing a false positive
> --
> Doug Nordwall
> Unix, Network, and Security Administrator
> You mean the vision is subject to low subscription rates?!!? - Scott
> Stone, on MMORPGs
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus

--
Best Regards,
Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555
www.tenablesecurity.com
Is your network TENABLE?
