Hello,

I have been working on automating some of the manual items within the RHEL7 
STIG that are covered neither by the DISA-provided SCAP benchmark nor by 
OpenSCAP content. Specifically, I have been working on automating 
the items that pertain to what the STIG describes as "local interactive users." 
A significant portion of these items use specific commands referencing 
/etc/passwd to check the home directory assignment for all local interactive 
users.


For example, in the Check Text section of RHEL-07-020620 (All local interactive 
users must have a home directory assigned and defined in the /etc/passwd file):


awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

However, nearly all of the RHEL7 systems that I support are joined to an Active 
Directory domain using realmd and SSSD. Therefore, the above check command does 
not work out-of-the-box for AD-authenticated users since none of them have an 
entry in /etc/passwd.


Therefore, I wanted to discuss what others have done for these STIG items and 
to bring up the subject of what constitutes a "local interactive user," or 
at least what DISA is defining such a user as. I presume local interactive users 
would mean root and various service accounts, but I am unsure if this is what 
DISA is targeting.


V/r,


Ryan Parker

Research Scientist I

GTRI | ISD - Secure Computing Department

w: 404-407-7320

e: ryan.par...@gtri.gatech.edu
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
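
An added example, not part of the original message and not DISA or OpenSCAP content: the RHEL-07-020620 awk filter quoted above, applied to passwd-format lines from any source so that accounts resolved through NSS (SSSD/AD) can be checked as well as those in /etc/passwd. The function names and sample entries are constructed for illustration; it assumes the caller supplies the candidate account names, since SSSD does not enumerate domain users by default.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the awk filter is the one
# from the RHEL-07-020620 Check Text quoted in the message.

# Read passwd-format lines on stdin and print "name uid home" for accounts
# matching the STIG filter (UID >= 1000, shell not matching nologin).
stig_interactive() {
    awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}'
}

# Same filter, but print only accounts with an empty home directory field,
# which is the condition the STIG item treats as a finding.
missing_home() {
    awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($6==""){print $1, $3}'
}

# Resolve each given account name through NSS, so SSSD-backed AD accounts
# come back in passwd format. Names that do not resolve go to stderr.
resolve_nss() {
    for name in "$@"; do
        getent passwd "$name" || echo "unresolved: $name" >&2
    done
}

# Constructed sample: three local entries plus two in the format SSSD
# returns for domain users (fully qualified names, large mapped UIDs).
sample_entries() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc_backup:x:1001:1001::/var/lib/backup:/sbin/nologin
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
jdoe@example.test:*:1148601105:1148600513:J Doe:/home/jdoe@example.test:/bin/bash
asmith@example.test:*:1148601106:1148600513:A Smith::/bin/bash
EOF
}

# With account names as arguments, check those names through NSS.
if [ "$#" -gt 0 ]; then
    resolve_nss "$@" | stig_interactive
fi
```

Piping `sample_entries` into `stig_interactive` lists localadmin and both domain accounts; piping it into `missing_home` reports only the domain account with no home directory assigned.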