On 12/10/13, 4:51 AM, Jan Lieskovsky wrote:
----- Original Message -----
>From: "Shawn Wells"<[email protected]>
>To:[email protected]
>Sent: Tuesday, December 10, 2013 3:21:15 AM
>Subject: Re: FW: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
>
>On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
>>Hi Shawn,
>>
>>>Could the title explicitly say "operating system" accounts, since this is
>>>the RHEL6 STIG? Let the application guys worry about their accounts as
>>>they conform to the AppServer and App STIGs.
>>
>>Done. The proposed patch is in the attached file.
>
>Had a chance to read this closer. What's the reason for inclusion? This would
>step beyond the baseline of even USGCB.
>
>RHEL5 CCE-3987-5:
>
> CCE-3987-5 Login access to non-root system accounts should be enabled or
> disabled as appropriate disabled via /etc/passwd
> List all users, their UIDs, and their shells by running:
># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
>For each identified system account SYSACCT, lock the account:
># usermod -L SYSACCT
>and disable its shell:
># usermod -s /sbin/nologin SYSACCT
>
>Maps to RHEL6 CCE-26966-2:
Yes, RHEL-6's SSG rule:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/system/accounts/restrictions/root_logins.xml
"Ensure that System Accounts Do Not Run a Shell Upon Login"
maps to RHEL5's CCE-3987-5:
http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm
(fix would be to use /sbin/nologin | /bin/false | /dev/null as user's
login shell in /etc/passwd).
Compared to that, the C-RHEL-6-000029_chk description:
http://www.stigviewer.com/check/RHEL-06-000029
mentions
# passwd -l [SYSACCT]
as the fix for disabling the account.
So basically these two seem to be just two different ways to achieve
the same thing.
Welllllll that's interesting. How did C-RHEL-6-000029 get included in the
RHEL6 STIG without Red Hat and NSA signoff? ::: glances at FSO :::
So I propose a swap: Delete the existing "Ensure that System Accounts
Do Not Run a Shell Upon Login" rule and replace it with this new, DISA
FSO proposed, C-RHEL-6-000029.
Leland? Jeff?
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
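The two checks compared in the thread above, as an added example that is not part of the thread, of SSG or of the STIG: a POSIX sh audit that lists non-root system accounts by UID range (the UID_MIN of 500 is RHEL6's default from /etc/login.defs and is an assumption here; newer releases use 1000), flags those still running a login shell (the SSG "no shell" rule, accepting the /sbin/nologin, /bin/false and /dev/null alternatives named above) and those whose shadow entry is not locked (the STIG `passwd -l` check), and prints the matching remediation command for each offender. It runs against constructed sample passwd/shadow content embedded in the script; on a real host, pass `"$(cat /etc/passwd)"` and `"$(cat /etc/shadow)"` as root. The two controls are not interchangeable: a locked password governs password authentication, while a non-interactive shell governs what runs after any authentication succeeds, so an auditor normally wants both satisfied.

```shell
#!/bin/sh
# Added example, not code from the scap-security-guide project or the STIG.
# Audits non-root system accounts for (a) a login shell and (b) an unlocked
# password, the two controls discussed in the thread.

# RHEL6 default UID_MIN from /etc/login.defs (assumption; RHEL7+ uses 1000).
UID_MIN=500

# Constructed sample data standing in for /etc/passwd and /etc/shadow.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
backup:x:400:400:backup:/var/backup:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$rootHash:16000:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
postgres:!!:15980:0:99999:7:::
backup:$6$salt$backupHash:15980:0:99999:7:::
alice:$6$salt$aliceHash:16000:0:99999:7:::'

# Non-root system accounts: 0 < UID < UID_MIN.  Same idea as the RHEL5 awk
# one-liner, but filtered by UID range instead of listing every user.
# Usage: system_accounts PASSWD_CONTENT
system_accounts() {
    printf '%s\n' "$1" | awk -F: -v min="$UID_MIN" \
        '$3 > 0 && $3 < min { print $1 }'
}

# SSG-style check: system accounts whose shell is not one of the accepted
# non-interactive shells named in the thread.
# Usage: accounts_with_shell PASSWD_CONTENT
accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: -v min="$UID_MIN" '
        $3 > 0 && $3 < min &&
        $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "/dev/null" { print $1 }'
}

# STIG-style check: system accounts whose shadow password field is not locked.
# passwd -l / usermod -L prefix the hash with "!", and "*" or "!!" can never
# match a password, so a field starting with "!" or "*" counts as locked.
# Usage: accounts_unlocked PASSWD_CONTENT SHADOW_CONTENT
accounts_unlocked() {
    sys=$(system_accounts "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -F: -v names="$sys" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $2 !~ /^[!*]/ { print $1 }'
}

# Print (do not execute) the remediation the thread discusses for each finding.
# Usage: remediation PASSWD_CONTENT SHADOW_CONTENT
remediation() {
    for u in $(accounts_with_shell "$1"); do
        printf 'usermod -s /sbin/nologin %s\n' "$u"
    done
    for u in $(accounts_unlocked "$1" "$2"); do
        printf 'passwd -l %s\n' "$u"
    done
}

# Stand-alone run against the constructed sample: postgres still has a shell,
# backup still has a live password hash.
remediation "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Review the printed commands before running them: a service account that legitimately needs a shell (for example one driven by `su - user -c` in an init script) should instead be handled by the application STIG the thread defers to, and a locked password still leaves key-based or service-specific authentication paths to be reviewed separately.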