Classification: UNCLASSIFIED
Caveats: NONE

Oh, you've heard quite a bit from us :) (Adam and I are co-workers). Aside from the patches I said I'd write (e.g. for accounts_max_concurrent_login_sessions also checking /etc/security/limits.d/*), which I really will have time to do one of these days...

- The "world_writeable_files" check is flagging a ton of stuff in /proc

- The "no_shelllogin_for_systemaccounts" check doesn't allow /bin/false as one of the options. This seems to be the default for most system accounts on our RHEL6 systems; I don't think that's something we're setting, but I could be wrong:

    bin:x:1:1:bin:/bin:/bin/false
    daemon:x:2:2:daemon:/sbin:/bin/false
    adm:x:3:4:adm:/var/adm:/bin/false
    lp:x:4:7:lp:/var/spool/lpd:/bin/false
    mail:x:8:12:mail:/var/spool/mail:/bin/false
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
    nobody:x:99:99:Nobody:/:/bin/false
    dbus:x:81:81:System message bus:/:/bin/false
    usbmuxd:x:113:113:usbmuxd user:/:/bin/false

It also seems to be flagging people with UIDs well over 1000, but GIDs of 100; do accounts like these fall into the category of "system accounts"? I'm not sure where the logic for this is located.

Another oddity with this check is that --oval-results only ever gives me one entry, when it clearly would flag a bunch of stuff as failures.

Note that the above are using the version of OpenSCAP shipped with RHEL6.

That's mostly it; I do have one other thing (for which, amazingly, I have actually written a patch), but that's not exactly a false positive, so I'd rather start a new topic for it.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support

> -----Original Message-----
> From: [email protected] [mailto:scap-[email protected]] On Behalf Of Shawn Wells
> Sent: Tuesday, May 13, 2014 3:55 PM
> To: [email protected]
> Subject: Re: Problem with Setting faillock Account Lock Time
>
>
> On 5/13/14, 3:32 PM, Spice, Adam M CTR USARMY ARL (US) wrote:
> > Another member of my organization has spoken with me and let me know
> > he resolved this independently; apparently, we had a configuration
> > error in another file, which caused this issue. Please disregard my
> > request and thank you for your help.
> Glad SSG is useful to you guys!
>
> It sounds like you're going through STIGing; would be most interested
> in false positive feedback.
>
> Shawn
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
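Added example, not part of the original message and not the SSG/OpenSCAP check itself: a small audit over the passwd entries quoted above, showing how the result of a "no shell login for system accounts" test depends on whether /bin/false is accepted and on which field decides "system account". The UID threshold of 499 (RHEL 6 UID_MIN defaults to 500), the shell allow-lists, the "key" parameter and the "jdoe" entry are assumptions made for illustration; the message does not establish how the shipped check is written.

```python
SYSTEM_ID_MAX = 499  # assumption: RHEL 6 default UID_MIN is 500
NOLOGIN_STRICT = {"/sbin/nologin"}                    # assumed strict allow-list
NOLOGIN_WITH_FALSE = NOLOGIN_STRICT | {"/bin/false"}  # also accept /bin/false

# Entries quoted in the message, plus one constructed regular user (jdoe)
# with a UID over 1000 and a GID of 100.
PASSWD = """\
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
usbmuxd:x:113:113:usbmuxd user:/:/bin/false
jdoe:x:1500:100:Constructed user:/home/jdoe:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, gid, shell) for each well-formed 7-field line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blanks, comments and malformed lines
        name, _pw, uid, gid, _gecos, _home, shell = fields
        if uid.isdigit() and gid.isdigit():
            yield name, int(uid), int(gid), shell

def flagged(text, allowed_shells, key="uid"):
    """Non-root accounts classed as system accounts whose shell is not allowed.

    key ("uid" or "gid") picks the field compared against SYSTEM_ID_MAX.
    """
    result = []
    for name, uid, gid, shell in parse_passwd(text):
        ident = uid if key == "uid" else gid
        if uid != 0 and ident <= SYSTEM_ID_MAX and shell not in allowed_shells:
            result.append(name)
    return result

if __name__ == "__main__":
    print("strict, by UID:      ", flagged(PASSWD, NOLOGIN_STRICT))
    print("with /bin/false, UID:", flagged(PASSWD, NOLOGIN_WITH_FALSE))
    print("with /bin/false, GID:", flagged(PASSWD, NOLOGIN_WITH_FALSE, key="gid"))
```

Classifying by GID flags only the constructed user with UID 1500 and GID 100, which matches the second symptom in the message; that is a hypothesis to check against the rule's OVAL definition, not a finding.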
