On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
Hi Shawn,

>Could the title explicitly say "operating system" accounts, since this
>is the RHEL6 STIG? Let the application guys worry about their accounts
>as they conform to the AppServer and App STIGs.
Done.  The proposed patch is in the attached file.

Had a chance to read this closer. What's the reason for inclusion? This would step beyond the baseline of even USGCB.

RHEL5 CCE-3987-5:
CCE-3987-5: Login access to non-root system accounts should be enabled or disabled as appropriate (setting: disabled, via /etc/passwd).
List all users, their UIDs, and their shells by running:
# awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
For each identified system account SYSACCT , lock the account:
# usermod -L SYSACCT
and disable its shell:
# usermod -s /sbin/nologin SYSACCT
Maps to RHEL6 CCE-26966-2:
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 500. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
# usermod -s /sbin/nologin SYSACCT

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
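The two CCE descriptions quoted above give a manual procedure (list accounts with their UID and shell, then lock and set /sbin/nologin on the system accounts). The script below is an added example, not code from the guide or the scap-security-guide project, that turns the check into an audit: it reads a passwd file, reports system accounts (UID below 500, the RHEL6 convention the CCE text uses, root excluded) that still carry a login shell, and prints the remediation commands from the guide instead of running them. The helper names, the UID threshold, the treatment of /sbin/nologin and /bin/false as "no shell", and the sample passwd content are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the guide or the SSG project): audit a passwd file
# for system accounts that still have a login shell and print the remediation
# the CCE text prescribes. Assumptions: system accounts are UID < 500 (RHEL6
# wording), and /sbin/nologin or /bin/false count as "no login shell".

# Print "user:uid:shell" for every account with UID below max_uid (root
# excluded) whose shell is not a known non-interactive shell.
# Usage: find_shell_system_accounts /path/to/passwd
find_shell_system_accounts() {
    awk -F: -v max_uid=500 '
        $3 < max_uid && $1 != "root" &&
        $7 != "/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $3 ":" $7
        }' "$1"
}

# Emit the lock-and-disable commands from the guide for each flagged account.
# They are printed, not executed, so the list can be reviewed first.
remediation_for() {
    find_shell_system_accounts "$1" | while IFS=: read -r user uid shell; do
        printf 'usermod -L %s\n' "$user"
        printf 'usermod -s /sbin/nologin %s\n' "$user"
    done
}

# Constructed sample passwd content so the check runs offline against a copy
# rather than the live /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

echo "System accounts with a login shell:"
find_shell_system_accounts "$SAMPLE_PASSWD"
echo "Proposed remediation:"
remediation_for "$SAMPLE_PASSWD"
```

Run as written it flags postgres (a service account with /bin/bash) and also sync and shutdown, because their shells are real programs rather than /sbin/nologin. That is exactly what the literal CCE wording ("any system account other than root has a login shell") asks for, and it is the kind of case worth settling before the rule goes into a baseline: either those accounts are accepted as exceptions in the check, or the remediation changes their shell and the corresponding behaviour is lost. Regular users (UID 500 and above, alice here) are outside the rule and are never touched.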
