
List:       scap-security-guide
Subject:    RE: [PATCH ] [RHEL/6] Ensure that system accounts do not run a shell upon login
From:       "Renshaw, Richard /c" <Richard_Renshaw () xtoenergy ! com>
Date:       2014-04-22 15:58:07
Message-ID: 2E6F4A29472BF6449F840816271B00C11AC71EA118 () FTWMEXCMBXP01 ! xtonet ! com

The check in ssg-rhel6-oval.xml actually checks for GID < 500, not UID < 500:
testlowgid:x:50099:100::/home/testlowgid:/bin/bash

--- orig.ssg-rhel6-oval.xml            2014-04-22 10:14:05.181639519 -0500
+++ ssg-rhel6-oval.xml  2014-04-22 10:42:40.361579812 -0500
@@ -10315,7 +10315,7 @@
     </ind:textfilecontent54_object>
     <ind:textfilecontent54_object id="oval:ssg:obj:1799" version="1">
       <ind:filepath>/etc/passwd</ind:filepath>
-      <ind:pattern operation="pattern \
match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
 +      <ind:pattern operation="pattern \
match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
     </ind:textfilecontent54_object>
     <ind:textfilecontent54_object id="oval:ssg:obj:1800" version="1">
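Review bot: In the added pattern, the prefix `^(?!root).*:x:` still skips every login name that merely begins with "root" and uses `.*` for the name field, so the bounded UID group is not pinned to the third colon-separated field; consider `^(?!root:)[^:]*:x:` in front of the UID group. The literal `:x:` also means an entry whose password field is anything other than `x` is never evaluated by this object, and the shell lookahead has no terminator after the alternatives, so any shell path that only starts with `/sbin/nologin` (or the other listed paths) is treated as exempt.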

Patch verified on my test system; it no longer flags the test account.

Rick Renshaw

