Classification: UNCLASSIFIED
Caveats: NONE
Oh, you've heard quite a bit from us :) (Adam and I are co-workers). Aside
from the patches I said I'd write (e.g. for
accounts_max_concurrent_login_sessions also checking
/etc/security/limits.d/*), which I really will have time to do one of these
days...
- The "world_writeable_files" check is flagging a ton of stuff in /proc
- The "no_shelllogin_for_systemaccounts" check doesn't allow /bin/false as one
of the options. This seems to be the default for most system accounts on our
RHEL6 systems; I don't think that's something we're setting, but I could be
wrong:
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
usbmuxd:x:113:113:usbmuxd user:/:/bin/false
It also seems to be flagging people with UIDs well over 1000, but GIDs of 100;
do accounts like these fall into the category of "system accounts"? I'm not
sure where the logic for this is located.
Another oddity with this check is that --oval-results only ever gives me one
entry, when it clearly would flag a bunch of stuff as failures.
Note that the above are using the version of OpenSCAP shipped with RHEL6.
That's mostly it; I do have one other thing (for which, amazingly, I have
actually written a patch), but that's not exactly a false positive, so I'd
rather start a new topic for it.
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces(a)lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Tuesday, May 13, 2014 3:55 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: Problem with Setting faillock Account Lock Time
On 5/13/14, 3:32 PM, Spice, Adam M CTR USARMY ARL (US) wrote:
> Another member of my organization has spoken with me and let me know
> he resolved this independently; apparently, we had a configuration
> error in another file, which caused this issue. Please disregard my
> request and thank you for your help.
Glad SSG is useful to you guys!
It sounds like you're going through STIGing; would be most interested
in false positive feedback.
Shawn
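
Added example, not part of the original thread and not the SSG or OpenSCAP check logic: a stand-alone sketch of the behaviour the report above asks for, where /bin/false counts as a non-login shell and "system account" is decided by UID alone, never by GID. Assumptions: the cutoff of 499 (RHEL6's default UID_MIN is 500), the accepted shell list, the root exemption, and the constructed sample entries.

```python
# Added illustration only; names and thresholds below are assumptions.
SYS_UID_MAX = 499                                   # RHEL6 default UID_MIN is 500
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}  # assumed accepted set

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc:x:45:45:constructed service:/:/bin/bash
old:x:30:30::/:
jdoe:x:5001:100:constructed user:/home/jdoe:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, gid, shell) for each well-formed passwd entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        yield name, int(uid), int(gid), shell


def system_accounts_with_login_shell(text):
    """Return (name, uid, shell) for system accounts that can get a shell."""
    findings = []
    for name, uid, _gid, shell in parse_passwd(text):
        if uid == 0:
            continue  # root is exempt from this check
        if uid > SYS_UID_MAX:
            continue  # regular user: decided by UID only, GID 100 is irrelevant
        if shell in NON_LOGIN_SHELLS:
            continue  # /bin/false is treated the same as /sbin/nologin
        # An empty shell field falls through here: login defaults it to /bin/sh.
        findings.append((name, uid, shell))
    return findings


if __name__ == "__main__":
    for name, uid, shell in system_accounts_with_login_shell(SAMPLE_PASSWD):
        print(f"FAIL {name} (uid {uid}) shell={shell or '<empty>'}")
```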