rhel 4

Linux 2.6.9-67.0.15.ELsmp #1 SMP Tue Apr 22 13:50:33 EDT 2008 i686 i686 i386 GNU/Linux

cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 6)

the compliance file I used was the default CIS RHEL4 from Tenable's website

On Mon, Jun 2, 2008 at 12:31 PM, Paul Davis <[EMAIL PROTECTED]> wrote:

> Doug,
>
> What *nix flavors are you seeing this on (uname -a)? Also, would you please
> send me the pertinent .audit file portions, I'd like to test this. Thanks!
>
> Paul Davis
>
> Doug Nordwall wrote:
>
>> so, we have boxes (many) with 2 UID 0 accounts. most compliance checks
>> that look for root ownership report back that the file is owned by the
>> second UID 0 account. For instance
>>
>> 6.4 Verify /etc/shadow File Permissions : [FAILED]\n\nFile :
>> /etc/shadow\nRemote value: owner: mymyroot group: root mode: 0400 attr:
>> ------------- \nPolicy value: owner: root group: root mode: 0400 \n\n
>>
>>
>> when in fact it's owned by UID 0. here's some other interesting nuances to
>> that
>>
>> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd root
>> root:x:0:0:root:/root:/bin/bash
>>
>> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd myroot
>> myroot:x:0:0:My Root:/myroot:/bin/csh
>>
>> [10:43 AM - [EMAIL PROTECTED] ~] getent passwd 0
>> root:x:0:0:root:/root:/bin/bash
>>
>> [10:43 AM - [EMAIL PROTECTED] ~] ls -al /etc/shadow
>> -r-------- 1 root root 1097 Jun 2 03:04 /etc/shadow
>>
>> [10:45 AM - [EMAIL PROTECTED] ~] cat /etc/passwd | grep ":0:"
>> root:x:0:0:root:/root:/bin/bash
>> myroot:x:0:0:My Root:/myroot:/bin/csh
>>
>>
>> So, the second UID 0 account is after root in the passwd file. getent
>> returns the right value, listing the root account. Also, my own test using a
>> sudo account shows that it's doing an ls -lnd on /etc/passwd, and that even
>> reports back uid 0. So, I'm guessing that the compliance check is taking the
>> last entry. This is causing a false positive
>> --
>> Doug Nordwall
>> Unix, Network, and Security Administrator
>> You mean the vision is subject to low subscription rates?!!? - Scott
>> Stone, on MMORPGs
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Nessus mailing list
>> [email protected]
>> http://mail.nessus.org/mailman/listinfo/nessus
>>
>
> --
> Best Regards,
>
> Paul Davis
> Research Engineer
> Tenable Network Security Inc
> Phone: 410.872.0555
> www.tenablesecurity.com
>
> Is your network TENABLE?
>

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone, on MMORPGs
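An added example, not part of the original message and not Tenable's code: it shows how a UID-to-name lookup over a passwd file with two UID 0 accounts gives `root` when the first entry wins and `myroot` when the last entry wins, and how comparing ownership by numeric UID avoids the false positive. The last-entry-wins resolver models the guess made in the message, all function names are hypothetical, and the sample passwd text is constructed from the entries quoted in the thread.

```python
# Constructed sample: the two UID 0 entries quoted in the thread plus one filler line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myroot:x:0:0:My Root:/myroot:/bin/csh
"""

def parse_passwd(text):
    """Return (name, uid) pairs in file order, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries.append((fields[0], int(fields[2])))
    return entries

def first_match(entries, uid):
    """First entry wins, as 'getent passwd 0' shows in the thread."""
    return next((name for name, u in entries if u == uid), None)

def last_match(entries, uid):
    """Hypothetical model of the guessed scanner behaviour: last entry wins."""
    table = {}
    for name, u in entries:
        table[u] = name  # a later duplicate silently overwrites the earlier name
    return table.get(uid)

def duplicate_uids(entries):
    """Map each UID held by more than one account to its account names."""
    by_uid = {}
    for name, u in entries:
        by_uid.setdefault(u, []).append(name)
    return {u: names for u, names in by_uid.items() if len(names) > 1}

def owner_ok_by_name(entries, file_uid, policy_owner, resolver):
    """Name comparison: result depends on which duplicate the resolver picks."""
    return resolver(entries, file_uid) == policy_owner

def owner_ok_by_uid(entries, file_uid, policy_owner):
    """UID comparison: pass if the file's UID is one the policy name maps to."""
    return file_uid in {u for name, u in entries if name == policy_owner}

if __name__ == "__main__":
    e = parse_passwd(SAMPLE_PASSWD)
    print("duplicate UIDs:", duplicate_uids(e))
    print("first match for 0:", first_match(e, 0))
    print("last match for 0:", last_match(e, 0))
    print("name check, last-wins:", owner_ok_by_name(e, 0, "root", last_match))
    print("uid check:", owner_ok_by_uid(e, 0, "root"))
```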
