Closed marcofortina closed 4 months ago
Version 0.1.72 does not report this error:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result pass
master branch (commit 59013f66872e02613ba822587d7c5d57ba92cd9e):
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result fail
It seams the issue was introduced after 0.1.72 release.
Last good commit c35978fb981d6938c1a40230e6a419cc128ed633:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result pass
From commit a936357f1f2226ce25ba478ee82217584ecd980f:
Title Ensure that System Accounts Do Not Run a Shell Upon Login
Rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result fail
PR #11896 broke pass result on Ubuntu 22.04
I agree on the usage of /usr/sbin/nologin
instead of /bin/false
, but only after all packages change their own users in /etc/passwd
and only after changes are reported on official CIS guide. Right now OSCAP should validate what is on official guide:
5.5.2 Ensure system accounts are secured (Automated) - Page: 714:
Audit:
Run the following commands and verify no results are returned:
awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd
awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'
Here /bin/false
is not reported as not secure.
My option is PR #11896 should be rollback and if needed for other kind of recommendations (eg STIG. PCI-DSS and so on) write a patch that is compliant with everyone and that does not create regressions with those indicated by CIS.
Hi @marcofortina , looks like this rule was changed in CIS v2.0.0 to not allow /bin/false
:
5.4.2.7 Ensure system accounts do not have a valid login shell
That said, since we do not support CIS v2.0.0 yet, I think the best thing to do is to temporarily patch the OVAL for Ubuntu.
Same issue also on SLES15
Description of problem:
Check for rule
xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
always fail.SCAP Security Guide Version:
master branch
Operating System Version:
Ubuntu 22.04 LTS
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts ssg-ubuntu2204-ds.xml
Actual Results:
Expected Results:
Additional Information/Debugging Steps: