RE: Problem with Setting faillock Account Lock Time (UNCLASSIFIED)

Classification: UNCLASSIFIED Caveats: NONE Oh, you've heard quite a bit from us :) (Adam and I are co-workers). Aside from the patches I said I'd write (e.g. for accounts_max_concurrent_login_sessions also checking /etc/security/limits.d/*), which I really will have time to do one of these days... - The "world_writeable_files" check is flagging a ton of stuff in /proc - The "no_shelllogin_for_systemaccounts" check doesn't allow /bin/false as one of the options. This seems to be the default for most system accounts on our RHEL6 systems; I don't think that's something we're setting, but I could be wrong: bin:x:1:1:bin:/bin:/bin/false daemon:x:2:2:daemon:/sbin:/bin/false adm:x:3:4:adm:/var/adm:/bin/false lp:x:4:7:lp:/var/spool/lpd:/bin/false mail:x:8:12:mail:/var/spool/mail:/bin/false uucp:x:10:14:uucp:/var/spool/uucp:/bin/false nobody:x:99:99:Nobody:/:/bin/false dbus:x:81:81:System message bus:/:/bin/false usbmuxd:x:113:113:usbmuxd user:/:/bin/false It also seems to be flagging people with UIDs well over 1000, but GIDs of 100; do accounts like these fall into the category of "system accounts"? I'm not sure where the logic for this is located. Another oddity with this check is that --oval-results only ever gives me one entry, when it clearly would flag a bunch of stuff as failures. Note that the above are using the version of OpenSCAP shipped with RHEL6. That's mostly it; I do have one other thing (for which, amazingly, I have actually written a patch), but that's not exactly a false positive, so I'd rather start a new topic for it. -- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support Classification: UNCLASSIFIED Caveats: NONE