For SSGID Set Account Expiration Following Inactivity - (CCE-27283-1), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.

The STIG recommends a value of 35. The SSG content “Description” also states a value of 35 is recommended. However the SSG content subexpression check is “must be less than or equal to '30'”.

See the following report output:

subexpression equals '35'
Collected items did not meet the check requirement.

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=NUM_DAYS

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Fix Text:
Severity: low
Weight:
Reference: AC-2(2) AC-2(3) 16 17 795

Definitions:
ID: oval:ssg:def:525
Result: false
Title: Set Accounts to Expire Following Password Expiration
Description: The accounts should be configured to expire automatically following password expiration.
Class: compliance
Tests:
  false (All item-state comparisons must be true.)
    false (the value INACTIVE parameter should be set appropriately in /etc/default/useradd)

Tests:
Test ID: oval:ssg:tst:526
Result: false
Title: the value INACTIVE parameter should be set appropriately in /etc/default/useradd
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1591
Object Requirements:
  filepath must be equal to '/etc/default/useradd'
  pattern must match the pattern '^\s*INACTIVE\s*=\s*(\d+)\s*$'
  instance must be equal to '1'
State ID: oval:ssg:ste:1592
State Requirements:
  subexpression must be less than or equal to '30'
State ID: oval:ssg:ste:1593
State Requirements:
  subexpression must be greater than '-1'
Collected Item Properties:
  filepath equals '/etc/default/useradd'
  path equals '/etc/default'
  filename equals 'useradd'
  pattern equals '^\s*INACTIVE\s*=\s*(\d+)\s*$'
  instance equals '1'
  text equals 'INACTIVE=35'
  subexpression equals '35'
Additional Information: Collected items did not meet the check requirement.
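Added example, not part of the original post and not SSG or SCC code: a Python re-evaluation of the pattern and the two states from oval:ssg:tst:526 against a constructed /etc/default/useradd, showing that INACTIVE=35 fails the shipped bound of 30 and passes a bound of 35. The function names and the sample file contents are assumptions made for illustration, as is the use of Python's re module with multiline matching in place of the scanner's own regex engine.

```python
import re

# Pattern, instance and bounds as shown in the report for oval:ssg:tst:526.
PATTERN = re.compile(r'^\s*INACTIVE\s*=\s*(\d+)\s*$', re.MULTILINE)
INSTANCE = 1
LOWER_EXCLUSIVE = -1   # oval:ssg:ste:1593: greater than '-1'
CONTENT_MAX = 30       # oval:ssg:ste:1592: less than or equal to '30'
DESCRIBED_MAX = 35     # value the rule description recommends

# Constructed sample of /etc/default/useradd (not taken from a real host).
SAMPLE_USERADD = """\
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=35
EXPIRE=
SHELL=/bin/bash
"""


def collect(text):
    """Return the captured subexpression of the selected match, or None."""
    matches = PATTERN.findall(text)
    return int(matches[INSTANCE - 1]) if len(matches) >= INSTANCE else None


def evaluate(text, upper):
    """Return (result, detail): an item must exist and satisfy both states."""
    value = collect(text)
    if value is None:
        return "false", "no collected item"
    result = "true" if LOWER_EXCLUSIVE < value <= upper else "false"
    return result, f"subexpression equals '{value}'"


if __name__ == "__main__":
    for label, upper in (("content bound", CONTENT_MAX), ("described bound", DESCRIBED_MAX)):
        print(label, upper, evaluate(SAMPLE_USERADD, upper))
    # \d+ cannot capture a sign, so INACTIVE=-1 yields no collected item at all.
    print("INACTIVE=-1", evaluate("INACTIVE=-1\n", CONTENT_MAX))
```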
