On 12/11/13, 8:31 AM, Jan Lieskovsky wrote:
----- Original Message -----
From: "Shawn Wells" <[email protected]>
To: [email protected]
Sent: Tuesday, December 10, 2013 7:43:33 PM
Subject: Re: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
On 12/10/13, 4:51 AM, Jan Lieskovsky wrote:
----- Original Message -----
From: "Shawn Wells" <[email protected]>
To: [email protected]
Sent: Tuesday, December 10, 2013 3:21:15 AM
Subject: Re: FW: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
Hi Shawn,
Could the title explicitly say "operating system" accounts, since this is the RHEL6 STIG? Let the application guys worry about their accounts as they conform to the AppServer and App STIGs.
Done. The proposed patch is in the attached file.
Had a chance to read this closer. What's the reason for inclusion? This would step beyond the baseline of even USGCB.
RHEL5 CCE-3987-5:
CCE-3987-5: Login access to non-root system accounts should be enabled or disabled as appropriate: disabled, via /etc/passwd
List all users, their UIDs, and their shells by running:
# awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
For each identified system account SYSACCT, lock the account:
# usermod -L SYSACCT
and disable its shell:
# usermod -s /sbin/nologin SYSACCT
Maps to RHEL6 CCE-26966-2:
Yes, RHEL-6's SSG rule:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/system/accounts/restrictions/root_logins.xml
"Ensure that System Accounts Do Not Run a Shell Upon Login"
maps to RHEL5's CCE-3987-5:
http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm
(fix would be to use /sbin/nologin | /bin/false | /dev/null as user's
login shell in /etc/passwd).
Compared to that, the C-RHEL-6-000029_chk description:
http://www.stigviewer.com/check/RHEL-06-000029
mentions
# passwd -l [SYSACCT]
as the fix for disabling the account.
So basically these two seem to be just two different ways to achieve the same thing.
Welllllll that's interesting. How did C-RHEL-6-000029 get included in the RHEL6 STIG without Red Hat and NSA signoff? ::: glances at FSO :::
So I propose a swap: Delete the existing "Ensure that System Accounts Do Not Run a Shell Upon Login" rule and replace it with this new, DISA FSO proposed, C-RHEL-6-000029.
+1 from me for the swap (since "Ensure that System Accounts Do Not Run a Shell Upon Login" is known to be problematic, for example for the PostgreSQL service, and it would require a rewrite anyway; better to replace it with a rule with the same system semantics that works).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Leland? Jeff?
.....Bueller? ;)
But really, what do you think of this approach Leland (+Jeff?)?
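As an added example (not code from this thread or from the SSG project), a small POSIX shell audit that performs the check both CCE-3987-5 and RHEL-06-000029 describe: list non-root system accounts from passwd, then flag any that is not both locked in shadow and on a non-interactive shell, and print (without running) the usermod/passwd remediation the thread quotes. It runs over a constructed passwd/shadow pair, not real system data. Assumptions the thread does not state: the RHEL6 UID_MIN of 500, and that usermod -L and passwd -l both lock an account by prefixing the shadow hash with "!". The constructed postgres entry illustrates the case Jan raises: an account locked with passwd -l that still keeps /bin/bash, which the shell-based rule flags and the lock-based rule would pass.

```shell
#!/bin/sh
# Added example (not SSG project code): audit a passwd/shadow pair for non-root
# system accounts that still have a usable login path, then print (not run)
# the remediation commands the thread discusses.
# Assumptions not stated in the thread: RHEL6 UID_MIN of 500; usermod -L and
# passwd -l both lock an account by prefixing the /etc/shadow hash with "!".
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files; these are not real system data.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

cat > "$WORK/shadow" <<'EOF'
root:$6$salt$roothash:16000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
postgres:!!:16000:0:99999:7:::
apache:$6$salt$apachehash:16000:0:99999:7:::
games:!$6$salt$gameshash:16000:0:99999:7:::
alice:$6$salt$alicehash:16000:0:99999:7:::
EOF

# user:uid:shell for every non-root account below UID_MIN (the rule's scope).
list_system_accounts() { # $1=passwd file, $2=UID_MIN
    awk -F: -v min="$2" '$3 != 0 && $3 < min { print $1 ":" $3 ":" $7 }' "$1"
}

# Password field from shadow for one user (empty if absent or passwordless).
shadow_field() { # $1=shadow file, $2=user
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Report system accounts that are not BOTH locked in shadow AND on a
# non-interactive shell. Output: user:finding[,finding]
audit_system_accounts() { # $1=passwd, $2=shadow, $3=UID_MIN
    list_system_accounts "$1" "$3" | while IFS=: read -r user uid shell; do
        findings=""
        case "$shell" in
            /sbin/nologin|/bin/false|/dev/null) ;;   # shells the SSG rule accepts
            *) findings="shell=$shell" ;;
        esac
        pw=$(shadow_field "$2" "$user")
        case "$pw" in
            '!'*|'*'*) ;;                            # locked, or never had a password
            '')  findings="${findings:+$findings,}empty-password-field" ;;
            *)   findings="${findings:+$findings,}unlocked-password" ;;
        esac
        if [ -n "$findings" ]; then
            printf '%s:%s\n' "$user" "$findings"
        fi
    done
    return 0
}

# Emit, without running, the commands that close each finding.
remediation_commands() { # $1=passwd, $2=shadow, $3=UID_MIN
    audit_system_accounts "$1" "$2" "$3" | while IFS=: read -r user findings; do
        case "$findings" in *shell=*) printf 'usermod -s /sbin/nologin %s\n' "$user" ;; esac
        case "$findings" in *password*) printf 'passwd -l %s\n' "$user" ;; esac
    done
    return 0
}

echo "Findings:"
audit_system_accounts "$WORK/passwd" "$WORK/shadow" 500
echo "Suggested fixes (not executed):"
remediation_commands "$WORK/passwd" "$WORK/shadow" 500
```

On the constructed data this reports postgres (locked, but still on /bin/bash) and apache (nologin shell, but hash not locked); bin, daemon and games pass both checks, and alice at UID 500 is outside the rule's scope. Point the two functions at the real /etc/passwd and /etc/shadow (as root) to run it against a host; the remediation lines are printed rather than executed so a service account that legitimately needs a shell, such as postgres, can be excepted before anything is changed.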
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide