----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Tuesday, December 10, 2013 3:21:15 AM
> Subject: Re: FW: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
>
> On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
> >
> > Hi Shawn,
> >
> > Could the title explicitly say "operating system" accounts, since this is
> > the RHEL6 STIG? Let the application guys worry about their accounts as
> > they conform to the AppServer and App STIGs.
>
> Done. The proposed patch is in the attached file.
>
> Had a chance to read this closer. What's the reason for inclusion? This would
> step beyond the baseline of even USGCB.
>
> RHEL5 CCE-3987-5:
>
> CCE-3987-5  Login access to non-root system accounts should be enabled or
> disabled as appropriate  disabled via /etc/passwd
>
> List all users, their UIDs, and their shells by running:
> # awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
> For each identified system account SYSACCT, lock the account:
> # usermod -L SYSACCT
> and disable its shell:
> # usermod -s /sbin/nologin SYSACCT
>
> Maps to RHEL6 CCE-26966-2:
Yes, RHEL-6's SSG rule:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/system/accounts/restrictions/root_logins.xml
"Ensure that System Accounts Do Not Run a Shell Upon Login" maps to RHEL5's CCE-3987-5:
http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm
(fix would be to use /sbin/nologin | /bin/false | /dev/null as user's login shell in /etc/passwd).

Compared to that, the C-RHEL-6-000029_chk description:
http://www.stigviewer.com/check/RHEL-06-000029
mentions # passwd -l [SYSACCT] as a fix for how to disable the account.

So basically these two seem to be just two different ways to achieve the same.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> Some accounts are not associated with a human user of the system, and exist
> to perform some administrative function. Should an attacker be able to log
> into these accounts, they should not be granted access to a shell.
>
> The login shell for each local account is stored in the last field of each
> line in /etc/passwd. System accounts are those user accounts with a user ID
> less than 500. The user ID is stored in the third field. If any system
> account SYSACCT (other than root) has a login shell, disable it with the
> command:
> # usermod -s /sbin/nologin SYSACCT
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
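The check the thread describes (list the UID, name and shell of every /etc/passwd entry, and flag any non-root account with UID below 500 that still has a login shell), as an added POSIX sh example that is not part of the thread or of the scap-security-guide project. It runs against a constructed passwd-format sample file rather than the live /etc/passwd, treats the shells named in the thread (/sbin/nologin, /bin/false, /dev/null) as already disabled, flags an empty shell field because login falls back to /bin/sh in that case, and only prints the usermod commands from the rule text instead of running them. The sample account names and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the SSG project): audit a
# passwd-format file for non-root system accounts (UID < 500, the RHEL6
# definition quoted in the thread) that still have a login shell, and
# emit the usermod commands from the rule text as a dry run.

# Constructed sample in /etc/passwd format; the account names are made up.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
backupsvc:x:47:47:backup service:/var/backup:/bin/bash
svcacct:x:48:48:legacy service:/var/svc:
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Shells the thread treats as "disabled". An empty field is deliberately
# NOT in this list: login falls back to /bin/sh when the field is empty.
is_nologin_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/dev/null) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "user:uid:shell" for every non-root account with UID < 500 whose
# shell still permits a login. $1 is a passwd-format file.
find_system_accounts_with_shell() {
    awk -F: '$3 < 500 && $1 != "root" { print $1 ":" $3 ":" $7 }' "$1" |
    while IFS=: read -r user uid shell; do
        if ! is_nologin_shell "$shell"; then
            # Report the effective shell, so an empty field shows as /bin/sh.
            printf '%s:%s:%s\n' "$user" "$uid" "${shell:-/bin/sh}"
        fi
    done
}

# Emit (without running) the fix from the rule text for each finding:
# lock the password and replace the shell.
remediation_commands() {
    find_system_accounts_with_shell "$1" |
    while IFS=: read -r user uid shell; do
        printf 'usermod -L %s\nusermod -s /sbin/nologin %s\n' "$user" "$user"
    done
}

echo "Findings (user:uid:shell):"
find_system_accounts_with_shell "$SAMPLE_PASSWD"
echo "Proposed remediation (not executed):"
remediation_commands "$SAMPLE_PASSWD"
```

To audit a real host, call `find_system_accounts_with_shell /etc/passwd` and review the findings before applying anything; the 500 threshold is RHEL6's definition of a system account, and on distributions that use UID_MIN 1000 the awk comparison would need to change accordingly.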
