----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, December 10, 2013 3:21:15 AM
Subject: Re: FW: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
Hi Shawn,
> Could the title explicitly say "operating system" accounts, since this
> is
> the RHEL6 STIG? Let the application guys worry about their accounts > as
> they conform to the AppServer and App STIGs.
Done. The proposed patch is in the attached file.
Had a chance to read this closer. What's the reason for inclusion? This would
step beyond the baseline of even USGCB.
RHEL5 CCE-3987-5:
CCE-3987-5 Login access to non-root system accounts should be enabled or
disabled as appropriate disabled via /etc/passwd List all users, their
UIDs, and their shells by running:
# awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
For each identified system account SYSACCT , lock the account:
# usermod -L SYSACCT
and disable its shell:
# usermod -s /sbin/nologin SYSACCT
Maps to RHEL6 CCE-26966-2:
Yes, RHEL-6's SSG rule:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/inpu...
"Ensure that System Accounts Do Not Run a Shell Upon Login"
maps to RHEL5's CCE-3987-5:
http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm
(fix would be to use /sbin/nologin | /bin/false | /dev/null as user's
login shell in /etc/passwd).
Compared to that C-RHEL-6-000029_chk description:
http://www.stigviewer.com/check/RHEL-06-000029
mentions
# passwd -l [SYSACCT]
as a fix how to disable the account.
So basically these two seems to be just two different ways how to achieve
the same.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Some accounts are not associated with a human user of the system, and exist
to perform some administrative function. Should an attacker be able to log
into these accounts, they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each
line in /etc/passwd . System accounts are those user accounts with a user ID
less than 500. The user ID is stored in the third field. If any system
account SYSACCT (other than root) has a login shell, disable it with the
command:
# usermod -s /sbin/nologin SYSACCT
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide