The updates validated with OSCAP, but the verify-references.py script spat it up. It looks good to me, otherwise.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
[email protected] (gov't)
[email protected] (com'l)
>From b1043abacb74c1f87fb634e759191a30506e06e7 Mon Sep 17 00:00:00 2001 From: steinkel <[email protected]> Date: Mon, 9 Dec 2013 15:11:27 -0500 Subject: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts --- RHEL6/input/auxiliary/stig_overlay.xml | 2 +- .../checks/locked_password_for_systemaccounts.xml | 34 ++++++++++++++++++++ .../system/accounts/restrictions/root_logins.xml | 33 +++++++++++++++++++ 3 files changed, 68 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/checks/locked_password_for_systemaccounts.xml diff --git a/RHEL6/input/auxiliary/stig_overlay.xml b/RHEL6/input/auxiliary/stig_overlay.xml index 32eb751..05075e4 100644 --- a/RHEL6/input/auxiliary/stig_overlay.xml +++ b/RHEL6/input/auxiliary/stig_overlay.xml @@ -72,7 +72,7 @@ <VMSinfo VKey="38494" SVKey="50295" VRelease="1" /> <title>The system must prevent the root account from logging in from serial consoles.</title> </overlay> - <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000029" disa="366" severity="medium"> + <overlay owner="disastig" ruleid="systemaccounts_locked" ownerid="RHEL-06-000029" disa="366" severity="medium"> <VMSinfo VKey="38496" SVKey="50297" VRelease="1" /> <title>Default system accounts, other than root, must be locked.</title> </overlay> diff --git a/RHEL6/input/checks/locked_password_for_systemaccounts.xml b/RHEL6/input/checks/locked_password_for_systemaccounts.xml new file mode 100644 index 0000000..e1ce5bf --- /dev/null +++ b/RHEL6/input/checks/locked_password_for_systemaccounts.xml 
@@ -0,0 +1,34 @@ +<def-group> + <definition class="compliance" id="locked_password_for_systemaccounts" version="1"> + <metadata> + <title>Locked System Accounts</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The root account is the only system account that should not be locked.</description> + </metadata> + <criteria> + <criterion comment="tests for the presence of unlocked passwords for system accounts in /etc/shadow file" test_ref="test_locked_password_for_systemaccounts" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of unlocked passwords for system accounts in /etc/shadow file" id="test_locked_password_for_systemaccounts" version="1"> + <ind:object object_ref="object_unlocked_systemaccounts_not_root" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_systemaccounts_not_root" version="1"> + <ind:filepath>/etc/passwd</ind:filepath> + <ind:pattern operation="pattern match">^(?!root)([^:]+):x:(?:0*[0-9]{1,2}|[1-4][0-9]{2}):.*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_object id="object_unlocked_systemaccounts_not_root" version="1"> + <ind:filepath>/etc/shadow</ind:filepath> + <ind:pattern operation="pattern match" var_ref="var_shadow_regex_systemaccounts_not_root" var_check="at least one" /> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <local_variable comment="shadow regexes of non-root system accounts" id="var_shadow_regex_systemaccounts_not_root" version="1" datatype="string"> + <concat> + <literal_component>^</literal_component> + <object_component object_ref="object_systemaccounts_not_root" item_field="subexpression" /> + <literal_component>:[^!*]</literal_component> + </concat> + </local_variable> +</def-group> 
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml index 119931b..3a765a2 100644 --- a/RHEL6/input/system/accounts/restrictions/root_logins.xml +++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml @@ -167,6 +167,39 @@ become inaccessible. </Rule> +<Rule id="systemaccounts_locked" severity="medium"> +<title>Ensure that System Accounts Are Locked</title> +<description> +Some accounts are not associated with a human +user of the system, and exist to perform some administrative +function. An attacker should not be able to log into these accounts. +<br /> +Disable login access to these accounts with the command: +<pre># passwd -l <i>SYSACCT</i></pre> +</description> +<ocil clause="any system account (other than root) has a valid password hash"> +To obtain a listing of all users and the content of their shadow +password field, run the command: +<pre>$ awk -F: '{print $1 ":" $2}' /etc/shadow</pre> +Identify the system accounts from this listing. These will +primarily be the accounts with UID numbers less than 500, other +than root. +</ocil> +<rationale> +Disabling authentication for default system accounts +makes it more difficult for attackers to make use of +them to compromise a system. +</rationale> +<warning category="functionality"> +Do not perform the steps in this +section on the root account. Doing so might cause the system to +become inaccessible. +</warning> +<oval id="locked_password_for_systemaccounts" /> +<ref disa="366" /> +</Rule> + + <Rule id="accounts_no_uid_except_zero" severity="medium"> <title>Verify Only Root Has UID 0</title> <description> -- 1.7.1
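Review bot: in the OVAL definition in locked_password_for_systemaccounts.xml, the passwd pattern `^(?!root)([^:]+):x:...` excludes every account whose name merely begins with "root", not just root itself, so a non-root account named e.g. rootish with a low UID would never be checked; `(?!root:)` keeps the intent. The captured name is also spliced unescaped into the shadow regex by the `concat` in var_shadow_regex_systemaccounts_not_root, so a name containing a regex metacharacter (a trailing `$` on a machine account, a `.`) changes the meaning of `^NAME:[^!*]` or breaks it; restricting the capture to the characters a login name can actually contain (e.g. `([a-z_][a-z0-9_-]*)`) avoids that. Two behaviours worth a comment in the file: an empty password field (`name::`) matches `:[^!*]` via the second colon and is therefore reported as unlocked, which is the right outcome but easy to misread; and because the UID alternative `0*[0-9]{1,2}` admits UID 0, any non-root UID 0 account is required to be locked here as well as being flagged by accounts_no_uid_except_zero.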
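Review bot: the `<ocil>` block of the new systemaccounts_locked Rule in root_logins.xml lists name:hash for every account and asks the reader to pick out the system accounts, but never says what a locked entry looks like, so the manual check cannot be completed as written. State that a second field beginning with `!` (what `passwd -l` writes) or `*` counts as locked, mirroring the `[^!*]` test in the OVAL, and consider narrowing the listing to the UIDs the automated check covers, e.g. `awk -F: '$3 < 500 && $1 != "root" {print $1}' /etc/passwd`, so the two checks agree on which accounts are in scope. The `<ref disa="366" />` matches the overlay's disa="366" and the `ruleid` now matches the Rule id, so the cross-reference between the two files is consistent.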
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
