On 6/7/17 4:21 PM, Fen Labalme wrote:
> On Wed, Jun 7, 2017 at 1:41 PM, Shawn Wells <[email protected]
> <mailto:[email protected]>> wrote:
>
>     OVAL has the ability to do conditional clauses, e.g. most of the
>     SSH checks will be notapplicable/pass if sshd is not installed.
>
>
> This is great, and on a cloud server in a FedRAMP certified facility
> one might think it enough, as how would someone log in other than by
> using SSH?
>
>     Can evaluate password access in sshd configs, but that's only for
>     ssh server.... what do we check to see if password access is
>     disabled for the entire system?
>
>
> I can't remember the process offhand, but I believe disabling pam_unix
> will prevent access to /etc/passwd or /etc/shadow.

If you have the interest + time to document how to set this up, it'd be a worthwhile extension to the OVAL checks.

https://serverfault.com/questions/783082/how-to-use-the-ssh-server-with-pam-but-disallow-password-auth might get you started
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
