On 1/5/18 2:21 PM, Paige, David B CTR USARMY ICOE (US) wrote:
> Steve,
>
> What you said about the root account makes sense. We do not allow direct
> root logins. I was trying to reconcile this check with RHEL-06-000197 where
> the STIG fix text actually includes a line for auid=0.

The original approved language for RHEL-06-000197 can be found here:
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel6/xccdf/system/auditing.xml#L1380#L1404

And the automated (OVAL) check:
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel6/checks/oval/audit_rules_unsuccessful_file_modification.xml

Evaluating for auid=0 was not part of the NSA and Red Hat approved content. If DISA added it into their content, they did so without going through the DoD consensus process, notifying NSA, notifying DoD CIO, or notifying the vendor.
