The updates validated with OSCAP, but the verify-references.py script spat it up. It looks good to me, otherwise.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)
From b1043abacb74c1f87fb634e759191a30506e06e7 Mon Sep 17 00:00:00 2001
From: steinkel <leland.j.steinke.ctr@mail.mil>
Date: Mon, 9 Dec 2013 15:11:27 -0500
Subject: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
---
RHEL6/input/auxiliary/stig_overlay.xml | 2 +-
.../checks/locked_password_for_systemaccounts.xml | 34 ++++++++++++++++++++
.../system/accounts/restrictions/root_logins.xml | 33 +++++++++++++++++++
3 files changed, 68 insertions(+), 1 deletions(-)
create mode 100644 RHEL6/input/checks/locked_password_for_systemaccounts.xml
diff --git a/RHEL6/input/auxiliary/stig_overlay.xml b/RHEL6/input/auxiliary/stig_overlay.xml
index 32eb751..05075e4 100644
--- a/RHEL6/input/auxiliary/stig_overlay.xml
+++ b/RHEL6/input/auxiliary/stig_overlay.xml
@@ -72,7 +72,7 @@
<VMSinfo VKey="38494" SVKey="50295" VRelease="1" />
<title>The system must prevent the root account from logging in from serial consoles.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000029" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="systemaccounts_locked" ownerid="RHEL-06-000029" disa="366" severity="medium">
<VMSinfo VKey="38496" SVKey="50297" VRelease="1" />
<title>Default system accounts, other than root, must be locked.</title>
</overlay>
diff --git a/RHEL6/input/checks/locked_password_for_systemaccounts.xml b/RHEL6/input/checks/locked_password_for_systemaccounts.xml
new file mode 100644
index 0000000..e1ce5bf
--- /dev/null
+++ b/RHEL6/input/checks/locked_password_for_systemaccounts.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="locked_password_for_systemaccounts" version="1">
+ <metadata>
+ <title>Locked System Accounts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The root account is the only system account that should not be locked.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="tests for the presence of unlocked passwords for system accounts in /etc/shadow file" test_ref="test_locked_password_for_systemaccounts" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of unlocked passwords for system accounts in /etc/shadow file" id="test_locked_password_for_systemaccounts" version="1">
+ <ind:object object_ref="object_unlocked_systemaccounts_not_root" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_systemaccounts_not_root" version="1">
+ <ind:filepath>/etc/passwd</ind:filepath>
+ <ind:pattern operation="pattern match">^(?!root)([^:]+):x:(?:0*[0-9]{1,2}|[1-4][0-9]{2}):.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_object id="object_unlocked_systemaccounts_not_root" version="1">
+ <ind:filepath>/etc/shadow</ind:filepath>
+ <ind:pattern operation="pattern match" var_ref="var_shadow_regex_systemaccounts_not_root" var_check="at least one" />
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <local_variable comment="shadow regexes of non-root system accounts" id="var_shadow_regex_systemaccounts_not_root" version="1" datatype="string">
+ <concat>
+ <literal_component>^</literal_component>
+ <object_component object_ref="object_systemaccounts_not_root" item_field="subexpression" />
+ <literal_component>:[^!*]</literal_component>
+ </concat>
+ </local_variable>
+</def-group>
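Review bot: The username captured from /etc/passwd is inserted into the /etc/shadow regex verbatim on the `object_component` line inside `<concat>`, so a system account name containing a regex metacharacter is mishandled; a Samba machine account name ending in `$`, for example, yields `^name$:[^!*]`, which can never match, so that account is silently treated as locked. Wrapping the component as `<escape_regex><object_component object_ref="object_systemaccounts_not_root" item_field="subexpression" /></escape_regex>` makes the derived pattern literal. Separately, the `(?!root)` lookahead in the /etc/passwd pattern excludes every account whose name merely begins with `root`, not only root itself; `(?!root:)` limits the exclusion to the exact name. The `:x:` requirement also means an account whose hash is stored directly in /etc/passwd is never examined, which may be intended but deserves a comment on `object_systemaccounts_not_root`.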
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 119931b..3a765a2 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -167,6 +167,39 @@ become inaccessible.
</Rule>
+<Rule id="systemaccounts_locked" severity="medium">
+<title>Ensure that System Accounts Are Locked</title>
+<description>
+Some accounts are not associated with a human
+user of the system, and exist to perform some administrative
+function. An attacker should not be able to log into these accounts.
+<br />
+Disable login access to these accounts with the command:
+<pre># passwd -l <i>SYSACCT</i></pre>
+</description>
+<ocil clause="any system account (other than root) has a valid password hash">
+To obtain a listing of all users and the content of their shadow
+password field, run the command:
+<pre>$ awk -F: '{print $1 ":" $2}' /etc/shadow</pre>
+Identify the system accounts from this listing. These will
+primarily be the accounts with UID numbers less than 500, other
+than root.
+</ocil>
+<rationale>
+Disabling authentication for default system accounts
+makes it more difficult for attackers to make use of
+them to compromise a system.
+</rationale>
+<warning category="functionality">
+Do not perform the steps in this
+section on the root account. Doing so might cause the system to
+become inaccessible.
+</warning>
+<oval id="locked_password_for_systemaccounts" />
+<ref disa="366" />
+</Rule>
+
+
<Rule id="accounts_no_uid_except_zero" severity="medium">
<title>Verify Only Root Has UID 0</title>
<description>
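Review bot: The OCIL command in the new Rule is shown with an unprivileged `$` prompt, but /etc/shadow is not readable by ordinary users, so a reviewer following it verbatim gets a permission error; it should read `<pre># awk -F: '{print $1 ":" $2}' /etc/shadow</pre>` to match the `#` prompt already used for `passwd -l` in the description. The `clause` attribute says a finding is a "valid password hash", yet the paired OVAL check also reports an empty password field; wording it as `clause="any system account (other than root) has a password field that is not locked"` keeps the manual and automated checks in agreement. The two empty `+` lines after `</Rule>` are also surplus against the single blank line used between the neighbouring Rules.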
--
1.7.1