Here's one more patch to clean up 'make validate' just a teensy bit more. This
one required a lot of testing due to complicated regex.
- Maura Dailey
Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
---
.../accounts_no_shelllogin_for_systemaccounts.xml | 23 ++++++++++++++++++++
.../system/accounts/restrictions/root_logins.xml | 2 +-
2 files changed, 24 insertions(+), 1 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
diff --git a/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
b/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
new file mode 100644
index 0000000..a5b9334
--- /dev/null
+++ b/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
@@ -0,0 +1,23 @@
+<def-group>
+ <definition class="compliance"
id="accounts_no_shelllogin_for_systemaccounts" version="1">
+ <metadata>
+ <title>System Accounts Do Not Run a Shell</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The root account is the only system account that should have a
login shell.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="tests for the presence of login shells (not
/sbin/nologin) for system accounts in /etc/passwd file"
test_ref="test_accounts_no_shelllogin_for_systemaccounts" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
check_existence="none_exist" comment="tests for the presence of login
shells (not /sbin/nologin) for system accounts in /etc/passwd file"
id="test_accounts_no_shelllogin_for_systemaccounts" version="1">
+ <ind:object
object_ref="object_accounts_no_shelllogin_for_systemaccounts" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object
id="object_accounts_no_shelllogin_for_systemaccounts" version="1">
+ <ind:path>/etc</ind:path>
+ <ind:filename>passwd</ind:filename>
+ <ind:pattern operation="pattern
match">^(?!.*root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!\/sbin\/nologin).*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
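Review bot: The pattern in `<ind:pattern>` constrains the wrong field: after `:x:` the UID is consumed by `[\d]*` and the `0*([0-9]{1,2}|[1-4][0-9]{2})` range is applied to the next field, the GID, so a user with UID 5000 and GID 100 is flagged while a UID-100 account with GID 1000 is not. If the intent is UID 0–499 the range has to sit on the field immediately after `:x:`, e.g. `^(?!.*root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:[^:]*:(?!\/sbin\/nologin).*$`. Two smaller points on the same line: `(?!.*root)` exempts any passwd entry containing the substring `root` anywhere (name, GECOS or home directory), not just the root account, so anchoring it as `^(?!root:)` would be tighter; and the final lookahead only excepts `/sbin/nologin`, so accounts with other non-interactive shells such as `/bin/false` will presumably still match and fail the `none_exist` test — worth either listing those in the lookahead or stating in the `comment` that they are intentionally reported.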
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml
b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index f9b6aa2..1f2a840 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -158,7 +158,7 @@ section on the root account. Doing so might cause the system to
become inaccessible.
</warning>
<ident cce="26966-2" />
-<oval id="no_shelllogin_for_systemaccounts" />
+<oval id="accounts_no_shelllogin_for_systemaccounts" />
<ref nist="" disa="178" />
<tested by="DS" on="20121024"/>
</Rule>
--
1.7.1