On 1/2/14, 1:24 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
This has been overlooked for a long time.

Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
[email protected]  (gov't)
[email protected]  (com'l)

0001-add-disable_user_list-to-STIG-RHEL-06-000527.patch

 From cf5e12f17f295eb04e66472f81f8b2ec89d84acb Mon Sep 17 00:00:00 2001
From: steinkel<[email protected]>
Date: Thu, 2 Jan 2014 13:13:34 -0500
Subject: [PATCH] add disable_user_list to STIG/RHEL-06-000527

---
  RHEL/6/input/auxiliary/stig_overlay.xml  |    4 ++++
  RHEL/6/input/system/accounts/banners.xml |    2 +-
  2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml 
b/RHEL/6/input/auxiliary/stig_overlay.xml
index 051f22e..dd91cb6 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -1317,6 +1317,10 @@
                <VMSinfo VKey="38437" SVKey="50237" VRelease="1" />
                <title>Automated file system mounting tools must not be enabled 
unless needed.</title>
        </overlay>
+       <overlay owner="disastig" ruleid="disable_user_list" ownerid="RHEL-06-000527" 
disa="366" severity="medium">
+               <VMSinfo VKey="43150" SVKey="55880" VRelease="1" />
+               <title>The login user list must be disabled.</title>
+       </overlay>
        <overlay owner="disastig" ruleid="unmet_nonfinding_scope" ownerid="SRG-OS-000006-NA" 
disa="21" severity="medium">
                <title>The operating system must enforce dual authorization, based on 
organizational policies and procedures for organization defined privileged 
commands.</title>
        </overlay>
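Review bot: the new overlay maps ruleid="disable_user_list" to RHEL-06-000527 (disa="366", VKey 43150 / SVKey 55880), but nothing in this patch selects disable_user_list in the stig-rhel6-server-upstream profile and, as the reply notes, no OVAL exists for the rule, so the overlay would advertise a STIG requirement that the generated benchmark neither selects nor evaluates. Add the profile <select> and an OVAL definition alongside this entry, or land those first and then apply the overlay.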
diff --git a/RHEL/6/input/system/accounts/banners.xml 
b/RHEL/6/input/system/accounts/banners.xml
index 0b8dc83..a9fb433 100644
--- a/RHEL/6/input/system/accounts/banners.xml
+++ b/RHEL/6/input/system/accounts/banners.xml
@@ -161,7 +161,7 @@ The output should be <tt>true</tt>.
  with physical access to the system to quickly enumerate known user accounts
  without logging in.</rationale>
  <ident cce="27230-2" />
-<ref nist="AC-23" />
+<ref nist="AC-23" disa="366" />
  </Rule>
</Group>
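Review bot: the hunk context does not show the Rule id, so confirm that this <Rule> (ident cce="27230-2", rationale about enumerating known user accounts without logging in) is disable_user_list; the overlay entry and this <ref nist="AC-23" disa="366" /> must name the same rule for the STIG mapping to resolve. The disa value does match the overlay entry in stig_overlay.xml.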
--

Not opposed to the idea of adding this to the RHEL6 STIG. A few things before an ack:

(1) disable_user_list is not selected in the stig-rhel6-server-upstream XCCDF profile;
(2) No OVAL exists for this check.

Do you feel comfortable authoring the OVAL?
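A consistency check for the two points raised above, added here as an example and not code from the patch or from the scap-security-guide project: it walks the <overlay> entries and confirms that each ruleid names an existing Rule, that the Rule is selected in the named profile, and that the overlay's disa id matches the Rule's own <ref disa="..."/>. The XML fragments are constructed to mirror the hunks; element and attribute names are taken from them, and the function name check_overlay is an assumption.

```python
# Added example (not from the patch or scap-security-guide): check that each
# stig_overlay entry points at a Rule that exists, is selected in the named
# profile, and carries a matching <ref disa="..."/>. Element and attribute
# names follow the hunks in the thread; the XML below is constructed.
import xml.etree.ElementTree as ET

OVERLAY_XML = """<overlays>
  <overlay owner="disastig" ruleid="disable_user_list" ownerid="RHEL-06-000527"
           disa="366" severity="medium">
    <title>The login user list must be disabled.</title>
  </overlay>
  <overlay owner="disastig" ruleid="not_a_rule" ownerid="RHEL-06-999999"
           disa="999" severity="low">
    <title>Constructed entry with no matching Rule.</title>
  </overlay>
</overlays>"""

# The Rule exists and carries the reference, but is not selected in the
# profile: this is the first objection raised in the reply.
BENCHMARK_XML = """<Benchmark>
  <Profile id="stig-rhel6-server-upstream">
    <select idref="disable_autofs" selected="true"/>
  </Profile>
  <Rule id="disable_user_list"><ref nist="AC-23" disa="366"/></Rule>
  <Rule id="disable_autofs"><ref nist="CM-7" disa="381"/></Rule>
</Benchmark>"""

def check_overlay(overlay_xml, benchmark_xml, profile_id):
    """Return [(ruleid, problem), ...] for inconsistent overlay entries."""
    bench = ET.fromstring(benchmark_xml)
    rules = {r.get("id"): r for r in bench.iter("Rule")}
    selected = {s.get("idref")
                for p in bench.iter("Profile") if p.get("id") == profile_id
                for s in p.iter("select") if s.get("selected") == "true"}
    problems = []
    for ov in ET.fromstring(overlay_xml).iter("overlay"):
        rid, disa = ov.get("ruleid"), ov.get("disa")
        rule = rules.get(rid)
        if rule is None:
            problems.append((rid, "no Rule with this id"))
            continue
        if rid not in selected:
            problems.append((rid, "not selected in profile " + profile_id))
        ref_disa = {ref.get("disa") for ref in rule.iter("ref")}
        if disa not in ref_disa:
            problems.append((rid, "disa=%s does not match Rule refs" % disa))
    return problems
```

Run check_overlay(OVERLAY_XML, BENCHMARK_XML, "stig-rhel6-server-upstream") against the real stig_overlay.xml and the built XCCDF to flag overlay entries that would ship without a selected, checkable rule.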

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide