On Fri, Apr 30, 2021, at 12:44 PM, Parker, Ryan wrote:
> Hello,
> 
> I have been working on automating some of the manual items within the 
> RHEL7 STIG that are not covered by the DISA-provided SCAP benchmark nor 
> are they covered by OpenSCAP content. Specifically, I have been working 
> on automating the items that pertain to what the STIG describes as 
> "local interactive users." A significant portion of these items use 
> specific commands referencing /etc/passwd to check the home directory 
> assignment for all local interactive users. 
> 
> For example, in the Check Text section of *RHEL-07-020620* (All local 
> interactive users must have a home directory assigned and defined in 
> the /etc/passwd file):
> 
> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
> 
> However, nearly all of the RHEL7 systems that I support are joined to 
> an Active Directory domain using realmd and SSSD. Therefore, the above 
> check command does not work out-of-the-box for AD-authenticated users 
> since none of them have an entry in /etc/passwd. 
> 
> Therefore, I wanted to discuss what others have done for these STIG 
> items and to bring up the subject of what constitutes as a "local 
> interactive user," or at least what DISA is defining such user as. I 
> presume local interactive users would mean root and various service 
> accounts, but I am unsure if this is what DISA is targeting.
> 

DISA also provides their own benchmark you can use. Don't know whether they 
cover this rule, but I've interpreted it to mean only users defined in 
/etc/passwd, with AD users' home dirs being created on-demand.

V/r,
James Cassell
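The RHEL-07-020620 check discussed above, written up as an added example (not code from the thread or from the SSG project): the STIG's awk selection wrapped in a function, followed by a second pass that confirms each reported home directory actually exists. It reads a passwd-format file so it can run against a constructed sample; on a host you would pass /etc/passwd, and the sample file, the temp directory and the user names are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Re-implements the RHEL-07-020620 check text. AD users resolved through
# SSSD are absent from /etc/passwd; feeding "getent passwd" output instead
# only lists them when SSSD enumeration is enabled (it is off by default).

# Same selection as the STIG command: UID >= 1000 and a shell that is not
# a nologin shell. Prints "name uid home" per user.
local_interactive_users() {
    awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' "$1"
}

# Names of local interactive users whose home field is empty or whose
# directory does not exist on this host (the actual finding for the rule).
missing_home_dirs() {
    local_interactive_users "$1" | while read -r name uid home; do
        if [ -z "$home" ] || [ ! -d "$home" ]; then
            echo "$name"
        fi
    done
}

# Constructed sample data (assumption, not a real host): only alice's home
# directory is created, so bob (missing dir) and carol (empty field) fail.
HOME_ROOT=$(mktemp -d)
SAMPLE_PASSWD="$HOME_ROOT/passwd"
mkdir "$HOME_ROOT/alice"
trap 'rm -rf "$HOME_ROOT"' EXIT
{
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash'
    printf '%s\n' 'sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin'
    printf '%s\n' "alice:x:1000:1000:Alice:$HOME_ROOT/alice:/bin/bash"
    printf '%s\n' "bob:x:1001:1001:Bob:$HOME_ROOT/bob:/bin/bash"
    printf '%s\n' 'dave:x:1002:1002:Dave:/home/dave:/sbin/nologin'
    printf '%s\n' 'carol:x:1003:1003:Carol::/bin/bash'
} > "$SAMPLE_PASSWD"

echo "Local interactive users (name uid home):"
local_interactive_users "$SAMPLE_PASSWD"
echo "Findings (home directory missing or undefined):"
missing_home_dirs "$SAMPLE_PASSWD"
```

root and sshd are excluded by UID, dave by his nologin shell; bob and carol are the findings.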
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org