Classification: UNCLASSIFIED Caveats: NONE
Oh, you've heard quite a bit from us :) (Adam and I are co-workers). Aside from the patches I said I'd write (e.g. for accounts_max_concurrent_login_sessions also checking /etc/security/limits.d/*), which I really will have time to do one of these days...
- The "world_writeable_files" check is flagging a ton of stuff in /proc
- The "no_shelllogin_for_systemaccounts" check doesn't allow /bin/false as one of the options. This seems to be the default for most system accounts on our RHEL6 systems; I don't think that's something we're setting, but I could be wrong:
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
usbmuxd:x:113:113:usbmuxd user:/:/bin/false
It also seems to be flagging people with UIDs well over 1000, but GIDs of 100; do accounts like these fall into the category of "system accounts"? I'm not sure where the logic for this is located.
Another oddity with this check is that --oval-results only ever gives me one entry, when it clearly would flag a bunch of stuff as failures.
Note that the above are using the version of OpenSCAP shipped with RHEL6.
That's mostly it; I do have one other thing (for which, amazingly, I have actually written a patch), but that's not exactly a false positive, so I'd rather start a new topic for it.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Tuesday, May 13, 2014 3:55 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: Problem with Setting faillock Account Lock Time
On 5/13/14, 3:32 PM, Spice, Adam M CTR USARMY ARL (US) wrote:
Another member of my organization has spoken with me and let me know he resolved this independently; apparently, we had a configuration error in another file, which caused this issue. Please disregard my request and thank you for your help.
Glad SSG is useful to you guys!
It sounds like you're going through STIGing; would be most interested in false positive feedback.
Shawn
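Added example, not part of the thread and not the SSG or OpenSCAP check logic: a stand-alone audit of passwd entries that treats /bin/false as an acceptable non-login shell and classifies system accounts by UID only, so a high-UID account with GID 100 is not flagged. The 500 threshold (the RHEL 6 UID_MIN default), the root exemption, the function names and the sample entries other than those quoted in the message are assumptions.

```python
"""Added example: flag system accounts that still have a login shell."""

# Assumptions (not taken from SSG): an account is a "system account" when its
# UID is below SYS_UID_MAX, root is exempt, and the GID is deliberately ignored.
SYS_UID_MAX = 500
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}

# Constructed sample; the first three entries mirror lines quoted in the thread.
SAMPLE_PASSWD = """\
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
jdoe:x:1500:100:Constructed user:/home/jdoe:/bin/bash
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comments, blank lines and malformed entries
        yield fields[0], int(fields[2]), fields[6]


def system_accounts_with_login_shell(text):
    """Return (name, uid, shell) for system accounts lacking a non-login shell."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        if uid == 0 or uid >= SYS_UID_MAX:
            continue  # root and regular users are out of scope here
        # An empty shell field means the default login shell, so it is flagged.
        if shell not in NON_LOGIN_SHELLS:
            findings.append((name, uid, shell))
    return findings


if __name__ == "__main__":
    for name, uid, shell in system_accounts_with_login_shell(SAMPLE_PASSWD):
        print(f"{name} (uid {uid}) has login shell {shell!r}")
```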