Comments (5)
mpurg
commented on June 12, 2024
1
Hi @marcofortina , looks like this rule was changed in CIS v2.0.0 to not allow /bin/false:
5.4.2.7 Ensure system accounts do not have a valid login shell
That said, since we do not support CIS v2.0.0 yet, I think the best thing to do is to temporarily patch the OVAL for Ubuntu.
from content.
marcofortina
commented on June 12, 2024
Version 0.1.72 does not report this error:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result pass
master branch (commit 59013f6):
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result fail
It seams the issue was introduced after 0.1.72 release.
from content.
marcofortina
commented on June 12, 2024
Last good commit c35978f:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result pass
From commit a936357:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result fail
from content.
marcofortina
commented on June 12, 2024
PR #11896 broke pass result on Ubuntu 22.04
I agree on the usage of /usr/sbin/nologin instead of /bin/false, but only after all packages change their own users in /etc/passwd and only after changes are reported on official CIS guide. Right now OSCAP should validate what is on official guide:
5.5.2 Ensure system accounts are secured (Automated) - Page: 714:
Audit:
Run the following commands and verify no results are returned:
awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd
awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'
Here /bin/false is not reported as not secure.
My option is PR #11896 should be rollback and if needed for other kind of recommendations (eg STIG. PCI-DSS and so on) write a patch that is compliant with everyone and that does not create regressions with those indicated by CIS.
from content.
marcofortina
commented on June 12, 2024
Same issue also on SLES15
from content.
Related Issues (20)
- mount_option_boot_nosuid fails to remediate with Ansible HOT 6
- chronyd_or_ntpd_set_maxpoll is not remediated by Ansible HOT 2
- firewalld_sshd_port_enabled fails to remediate on aarch64 HOT 5
- accounts_umask_etc_bashrc is misaligned with RHEL 9 STIG HOT 4
- `audit_rules_networkconfig_modification_network_scripts` is broken in Automatus
- zipl_bootmap_is_up_to_date is failing after Ansible remediation HOT 2
- test scenarios for firewalld_sshd_port_enabled are failing on RHEL 8.6 HOT 4
- test scenario for service_bluetooth_disabled is not causing expected fail HOT 3
- Should files in /tmp be checked for permissions when using tmpfs?
- OpenSCAP Ubuntu 20.04 STIG Profile Issue with Banner Test HOT 2
- mount_option_nodev_nonroot_local_partitions reported as failing after scan of IB created image HOT 1
- Fedora Workstation 40 Remediations
- aide_use_fips_hashes fails after remediation HOT 1
- Failed on "Set SELinux boolean ssh_sysadm_login accordingly" HOT 2
- Automatus rule-based testing fails when no profile is specified HOT 2
- Multiple formats used in NIST 800-53 control ID references HOT 2
- Test scenarios fail for SCE-only rules if built without SCE HOT 1
- Playbook stops at TASK [Ensure NetworkManager is installed] HOT 2
- chronyd_or_ntpd_set_maxpoll fails after RHEL 7 STIG remediation HOT 2
- [Product Removal Request] RHEL7 HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from content.