> If a password exists for a service account it's declared a finding and
> passwd -l <account name> should be done, but passwd -l only puts !! in
> front of the hash to lock the account and does not remove the hash. I'm
> assuming this is going to cause some false positives in scanning. So
> maybe some extra wording saying that if a hash exists and !! comes before
> it, then it's not a finding?

A patch would force the issue / be most helpful. Thanks for the feedback!

> I'm keeping track of everything as I develop the STIG content, so will
> report back as I mow through everything.

"Content" remains a confusingly overloaded word. If it's not too much to ask, I'd request that everyone use it only to describe SCAP-formatted content, such as the STIG itself or the other SCAP content on scap-security-guide.

> P.S. From the RHEL5 Beta STIG to the RHEL5 Final no change log or
> revision tracking was done, which makes updating content a
> nightmare--especially if there are dups of like checks. Maybe we can ping
> DISA to try and implement that?

Yes -- we need to sync shortly. Ideally all changes would go through SSG, and then the git log will provide a complete and transparent record of all changes. I do not believe DISA's system includes version control (but I'm open to correction).
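
The distinction raised in the quoted question, as an added example that is not part of the original message or of scap-security-guide: a check that reads the password field of shadow entries and treats a hash retained behind the `!!` lock prefix as locked rather than as a finding. The account names, hashes and the `service_accounts` set are constructed sample data, and the function names are hypothetical.

```python
# Added example: classify the password field (2nd field) of shadow entries.
# All account names and hash strings below are constructed, not real.

SAMPLE_SHADOW = """\
root:$6$saltsalt$Zm9vYmFy:15000:0:99999:7:::
apache:!!:15000::::::
postgres:!!$6$saltsalt$Zm9vYmFy:15000:0:99999:7:::
nagios:$6$saltsalt$Zm9vYmFy:15000:0:99999:7:::
ftp:*:15000:0:99999:7:::
"""


def classify(field):
    """Return the state of one shadow password field."""
    if field == "":
        return "empty"  # a separate problem, not the one discussed here
    if field.startswith("!"):
        # passwd -l prepends "!!" and keeps the old hash after it, so the
        # field can no longer match any password even though a hash remains.
        return "locked-hash" if field.lstrip("!") else "locked"
    if field.startswith("*"):
        return "locked"
    return "usable-hash"


def states(shadow_text, service_accounts):
    """Map each listed service account to the state of its password field."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue  # blank or malformed line
        name, field = parts[0], parts[1]
        if name in service_accounts:
            result[name] = classify(field)
    return result


def findings(shadow_text, service_accounts):
    """Service accounts whose hash is still usable for password login."""
    found = states(shadow_text, service_accounts)
    return sorted(n for n, s in found.items() if s == "usable-hash")


if __name__ == "__main__":
    accounts = {"apache", "postgres", "nagios", "ftp"}  # assumed list
    print(states(SAMPLE_SHADOW, accounts))
    print("findings:", findings(SAMPLE_SHADOW, accounts))
```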
