Hello,
I have been working on automating some of the manual items within the RHEL7 STIG that are not covered by the DISA-provided SCAP benchmark nor are they covered by OpenSCAP content. Specifically, I have been working on automating the items that pertain to what the STIG describes as "local interactive users." A significant portion of these items use specific commands referencing /etc/passwd to check the home directory assignment for all local interactive users.
For example, in the Check Text section of RHEL-07-020620 (All local interactive users must have a home directory assigned and defined in the /etc/passwd file):
awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
However, nearly all of the RHEL7 systems that I support are joined to an Active Directory domain using realmd and SSSD. Therefore, the above check command does not work out-of-the-box for AD-authenticated users since none of them have an entry in /etc/passwd.
Therefore, I wanted to discuss what others have done for these STIG items and to bring up the subject of what constitutes a "local interactive user," or at least what DISA defines such a user as. I presume local interactive users would mean root and various service accounts, but I am unsure if this is what DISA is targeting.
V/r,
Ryan Parker
Research Scientist I
GTRI | ISD - Secure Computing Department
w: 404-407-7320
e: ryan.parker@gtri.gatech.edu
On Fri, Apr 30, 2021, at 12:44 PM, Parker, Ryan wrote:
Hello,
I have been working on automating some of the manual items within the RHEL7 STIG that are not covered by the DISA-provided SCAP benchmark nor are they covered by OpenSCAP content. Specifically, I have been working on automating the items that pertain to what the STIG describes as "local interactive users." A significant portion of these items use specific commands referencing /etc/passwd to check the home directory assignment for all local interactive users.
For example, in the Check Text section of *RHEL-07-020620* (All local interactive users must have a home directory assigned and defined in the /etc/passwd file):
awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
However, nearly all of the RHEL7 systems that I support are joined to an Active Directory domain using realmd and SSSD. Therefore, the above check command does not work out-of-the-box for AD-authenticated users since none of them have an entry in /etc/passwd.
Therefore, I wanted to discuss what others have done for these STIG items and to bring up the subject of what constitutes a "local interactive user," or at least what DISA defines such a user as. I presume local interactive users would mean root and various service accounts, but I am unsure if this is what DISA is targeting.
DISA also provides their own benchmark you can use. Don't know whether they cover this rule, but I've interpreted it to mean only users defined in /etc/passwd, with AD users' home dirs being created on-demand.
V/r, James Cassell
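The RHEL-07-020620 check reworked to run over any passwd-format input, as an added example that is not code from either message: fed from /etc/passwd it matches James's reading of the rule, fed from getent it covers SSSD/AD users as well. It assumes SSSD's default of enumerate = false, so a bare `getent passwd` will not list AD users and their names have to be passed explicitly; the helper names and the sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the RHEL-07-020620 check reworked to run over
# any passwd-format stream, so it can be fed from /etc/passwd (local accounts only, as in
# James's reading of the rule) or from NSS via getent (to include SSSD/AD users).
# Assumption: SSSD ships with enumerate = false, so a bare `getent passwd` will NOT list
# AD users; pass the names explicitly (`getent passwd bob@example.com ...`).
# list_interactive_users: stdin is passwd-format; prints "name uid home" for each account
# the STIG treats as interactive (UID >= 1000, shell not matching /nologin/). This is the
# STIG's own awk filter; only the input source changes.
list_interactive_users() {
  awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}'
}

# check_home_dirs: stdin is passwd-format; prints one FINDING line per interactive user
# whose home field is empty or whose home directory does not exist on this host.
check_home_dirs() {
  list_interactive_users | while read -r name uid home; do
    if [ -z "$home" ]; then
      printf 'FINDING: %s (uid %s) has no home directory defined\n' "$name" "$uid"
    elif [ ! -d "$home" ]; then
      printf 'FINDING: %s (uid %s) home %s does not exist\n' "$name" "$uid" "$home"
    fi
  done
}

# audit_home_dirs: stdin is passwd-format; prints the findings and returns 1 if there are
# any, 0 otherwise, so it can report pass/fail like a benchmark rule.
audit_home_dirs() {
  findings=$(check_home_dirs)
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# sample_passwd HOMEBASE: constructed passwd-format sample (not real accounts) using
# HOMEBASE as the home prefix; the last entry mimics an AD user resolved through SSSD.
sample_passwd() {
  cat <<EOF
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:$1/alice:/bin/bash
svcacct:x:1001:1001:Service:/var/lib/svcacct:/sbin/nologin
carol:x:1002:1002:Carol::/bin/bash
bob@example.com:*:1234567890:1234567890:Bob:$1/example.com/bob:/bin/bash
EOF
}

# On a host: local accounts only -> audit_home_dirs < /etc/passwd
#            include AD users    -> getent passwd bob@example.com | audit_home_dirs
```

The nobody and svcacct entries drop out on the shell test and root on the UID test, exactly as in the STIG command, so the only behavioural difference from the original check is where the passwd lines come from.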
scap-security-guide@lists.fedorahosted.org