On 12/11/13, 8:31 AM, Jan Lieskovsky wrote:
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, December 10, 2013 7:43:33 PM
Subject: Re: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
On 12/10/13, 4:51 AM, Jan Lieskovsky wrote:
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, December 10, 2013 3:21:15 AM
Subject: Re: FW: [PATCH] New Rule for RHEL-06-000029 -- Lock non-root system accounts
On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
Hi Shawn,
> Could the title explicitly say "operating system" accounts, since this is the RHEL6 STIG? Let the application guys worry about their accounts as they conform to the AppServer and App STIGs.
Done. The proposed patch is in the attached file.
Had a chance to read this closer. What's the reason for inclusion? This would step beyond the baseline of even USGCB.
RHEL5 CCE-3987-5:
CCE-3987-5 | Login access to non-root system accounts should be enabled or disabled as appropriate | disabled | via /etc/passwd
List all users, their UIDs, and their shells by running:
    # awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
For each identified system account SYSACCT, lock the account:
    # usermod -L SYSACCT
and disable its shell:
    # usermod -s /sbin/nologin SYSACCT
Maps to RHEL6 CCE-26966-2:
Yes, RHEL-6's SSG rule: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/s...
"Ensure that System Accounts Do Not Run a Shell Upon Login"
maps to RHEL5's CCE-3987-5: http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm
(fix would be to use /sbin/nologin | /bin/false | /dev/null as user's login shell in /etc/passwd).
Compared to that, the C-RHEL-6-000029_chk description: http://www.stigviewer.com/check/RHEL-06-000029
mentions # passwd -l [SYSACCT]
as the fix for disabling the account.
So basically these two seem to be just two different ways to achieve the same thing.
Welllllll that's interesting. How did C-RHEL-6-000029 get included in the RHEL6 STIG without Red Hat and NSA signoff? ::: glances at FSO :::
So I propose a swap: Delete the existing "Ensure that System Accounts Do Not Run a Shell Upon Login" rule and replace it with this new, DISA FSO proposed, C-RHEL-6-000029.
+1 from me for the swap (since "Ensure that System Accounts Do Not Run a Shell Upon Login" is known to be problematic, for example for the PostgreSQL service, and would require a rewrite anyway, it is better to replace it with a rule of the same system semantics that works).
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Leland? Jeff?
.....Bueller? ;)
But really, what do you think of this approach Leland (+Jeff?)?
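The two conditions discussed in the thread (a locked password as in C-RHEL-6-000029's `passwd -l`, and a no-login shell as in CCE-3987-5's `usermod -s /sbin/nologin`) as an added audit script; this is not code from the thread or from SSG. It runs over constructed copies of /etc/passwd and /etc/shadow and assumes system accounts are 0 < UID < 500 (the RHEL 6 default UID_MIN), with root deliberately excluded.

```shell
#!/bin/sh
# Added audit helper (not SSG code). Reports system accounts that are either
# not locked in the shadow file or not given a non-interactive login shell,
# i.e. the two checks the CCE-3987-5 text and C-RHEL-6-000029 describe.
# Assumption: system accounts are 0 < UID < 500 (RHEL 6 default UID_MIN).

# Constructed sample files standing in for /etc/passwd and /etc/shadow.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
legacy:x:45:45:Old Service:/var/lib/legacy:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash'
SHADOW_SAMPLE='root:$6$salt$hash:16000:0:99999:7:::
bin:*:15980:0:99999:7:::
postgres:!!:15980:0:99999:7:::
legacy:$6$salt$hash:15980:0:99999:7:::
alice:$6$salt$hash:16000:0:99999:7:::'

# audit_system_accounts PASSWD_FILE SHADOW_FILE
# Prints one line per system account whose shadow hash does not start with
# '!' (written by passwd -l / usermod -L) or '*', or whose shell is not one
# of the no-login shells named in the thread. Silent when everything passes.
audit_system_accounts() {
    awk -F: -v uid_min=500 '
        # First file (shadow): remember the lock state of every account.
        FNR == NR { locked[$1] = ($2 ~ /^[!*]/) ? "yes" : "no"; next }
        # Second file (passwd): examine system accounts only.
        $3 > 0 && $3 < uid_min {
            nologin = ($7 == "/sbin/nologin" || $7 == "/bin/false" || $7 == "/dev/null") ? "yes" : "no"
            lock = ($1 in locked) ? locked[$1] : "no"
            if (lock == "no" || nologin == "no")
                printf "%s uid=%s locked=%s nologin_shell=%s\n", $1, $3, lock, nologin
        }' "$2" "$1"
}

# Run the audit over the constructed samples. Remediation for a finding is
# "usermod -L USER" (or "passwd -l USER") plus "usermod -s /sbin/nologin USER".
audit_sample() {
    tmp=$(mktemp -d)
    printf '%s\n' "$PASSWD_SAMPLE" > "$tmp/passwd"
    printf '%s\n' "$SHADOW_SAMPLE" > "$tmp/shadow"
    audit_system_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

audit_sample
```

On a real host, call `audit_system_accounts /etc/passwd /etc/shadow` as root; the postgres line shows why the shell-only rule was problematic (the account is locked but still needs a shell), which the lock check alone accepts.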