So, we have boxes (many) with 2 UID 0 accounts. Most compliance checks that
look for root ownership report back that the file is owned by the second UID
0 account. For instance:
 6.4 Verify /etc/shadow File Permissions : [FAILED]

File : /etc/shadow
Remote value: owner: mymyroot group: root mode: 0400 attr: -------------
Policy value: owner: root group: root mode: 0400
when in fact it's owned by UID 0. Here are some other interesting nuances to
that:

[10:43 AM - [EMAIL PROTECTED] ~] getent passwd root
root:x:0:0:root:/root:/bin/bash

[10:43 AM - [EMAIL PROTECTED] ~] getent passwd myroot
myroot:x:0:0:My Root:/myroot:/bin/csh

[10:43 AM - [EMAIL PROTECTED] ~] getent passwd 0
root:x:0:0:root:/root:/bin/bash

[10:43 AM - [EMAIL PROTECTED] ~] ls -al /etc/shadow
-r--------  1 root root 1097 Jun  2 03:04 /etc/shadow

[10:45 AM - [EMAIL PROTECTED] ~] cat /etc/passwd | grep ":0:"
root:x:0:0:root:/root:/bin/bash
myroot:x:0:0:My Root:/myroot:/bin/csh


So, the second UID 0 account is after root in the passwd file. getent
returns the right value, listing the root account. Also, my own test using a
sudo account shows that it's doing an ls -lnd on /etc/passwd, and that even
reports back uid 0. So, I'm guessing that the compliance check is taking the
last entry. This is causing a false positive.
-- 
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
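The mismatch described in the post, reproduced as an added example (not code from the poster or from Nessus): a constructed passwd file with a second UID 0 entry after root, a "first entry wins" resolver that behaves like getpwuid()/getent, a "last entry wins" resolver that behaves the way the check is suspected to, and a helper that reports UIDs shared by more than one account so a box like this can be flagged before an audit runs.

```python
import os
import pwd

# Constructed sample /etc/passwd content (not the poster's real file):
# the second UID 0 entry appears after root, exactly as in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myroot:x:0:0:My Root:/myroot:/bin/csh
doug:x:1000:1000:Doug:/home/doug:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid) for each well-formed passwd line, in file order."""
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        yield fields[0], int(fields[2])

def uid_to_name_first(text):
    """First matching entry wins: what getpwuid()/getent return."""
    table = {}
    for name, uid in parse_passwd(text):
        table.setdefault(uid, name)
    return table

def uid_to_name_last(text):
    """Last matching entry wins: the behaviour the post suspects in the checker."""
    return {uid: name for name, uid in parse_passwd(text)}

def duplicate_uids(text):
    """Map every UID shared by several accounts to the account names, in file order."""
    seen = {}
    for name, uid in parse_passwd(text):
        seen.setdefault(uid, []).append(name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}

def check_owner(owner_uid, expected_name, passwd_text, resolver):
    """Resolve a numeric file owner to a name and compare it with the policy value."""
    actual = resolver(passwd_text).get(owner_uid, str(owner_uid))
    return actual == expected_name, actual

if __name__ == "__main__":
    # On a real host: report shared UIDs and show how the two resolvers disagree.
    with open("/etc/passwd") as fh:
        real_passwd = fh.read()
    print("shared UIDs:", duplicate_uids(real_passwd))
    shadow_uid = os.stat("/etc/shadow").st_uid
    print("libc says owner is:", pwd.getpwuid(shadow_uid).pw_name)
    print("last-entry-wins says:", check_owner(shadow_uid, "root", real_passwd, uid_to_name_last))
```

Running the script on a host with two UID 0 accounts prints the duplicate pair and shows the last-entry resolver rejecting a file that libc reports as owned by root.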
