ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

DISA: SSG does not check for shosts files #2069

Closed shawndwells closed 5 years ago

shawndwells commented 7 years ago

Red Hat Missing (RHEL-07-040550)

shawndwells commented 7 years ago

Yes, we do: https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7.xml#L274

@tbrunell the game of DISA clearly not even reviewing the content prior to giving hundreds of lines of feedback is getting old. Have about 50 lines, out of 250+, left so will finish... but this needs to be the last time we do something like this for them.

shawndwells commented 7 years ago

(1) DISA should update the check text to look inside users' home directories, not the entire system.
(2) RHT needs to update the XCCDF to clearly state that the rule checks shosts and rhosts.

shawndwells commented 7 years ago

Also, service_rlogin_disabled ensures this service is disabled. Why bother checking for these files at all?

trevor-vaughan commented 7 years ago

What about automounted home directories? Need to skip anything digging in remote homedirs if using automount (or NFS/AFS/whatever).
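
The two points raised in this thread (scan user home directories rather than the whole filesystem, and skip remote or automounted homes) as an added example of what such a check could look like; this is illustrative code written for this page, not the ComplianceAsCode rule or its OVAL/Bash content. It assumes a passwd-format file, POSIX `df -P`, and that a remote home shows up with a `host:/path` (NFS) or `//server/share` (CIFS) source.

```bash
#!/bin/bash
# Added example (not ComplianceAsCode content): report ~/.shosts and ~/.rhosts
# under local home directories of interactive users listed in a passwd file.

# Return 0 if the filesystem holding $1 looks remote, 1 otherwise.
# Assumption: df -P prints the source device in column 1 of line 2, and
# NFS sources contain ':' while CIFS sources start with '//'.
home_is_remote() {
  local src
  src=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}')
  case "$src" in
    *:*|//*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print "user:path" for every .shosts/.rhosts found in the home directory of
# each account with UID >= MIN_UID (default 1000) in PASSWD_FILE.
# Usage: find_trust_files PASSWD_FILE [MIN_UID]
find_trust_files() {
  local passwd="$1" min_uid="${2:-1000}"
  local user pw uid gid gecos home shell f
  while IFS=: read -r user pw uid gid gecos home shell; do
    [ "$uid" -ge "$min_uid" ] || continue   # system accounts are out of scope
    [ -d "$home" ] || continue              # no home directory: nothing to check
    home_is_remote "$home" && continue      # automount/NFS home: skip, per the thread
    for f in "$home/.shosts" "$home/.rhosts"; do
      [ -e "$f" ] && printf '%s:%s\n' "$user" "$f"
    done
  done < "$passwd"
  return 0
}

# Constructed fixture: a scratch tree standing in for /etc/passwd and /home,
# so the check can be exercised offline without touching the real system.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/home/alice" "$root/home/bob"
  : > "$root/home/alice/.shosts"
  : > "$root/home/bob/.rhosts"
  {
    printf 'root:x:0:0:root:%s/root:/bin/bash\n' "$root"
    printf 'alice:x:1000:1000::%s/home/alice:/bin/bash\n' "$root"
    printf 'bob:x:1001:1001::%s/home/bob:/bin/bash\n' "$root"
    printf 'carol:x:1002:1002::%s/home/carol:/bin/bash\n' "$root"
  } > "$root/passwd"
  echo "$root"
}
```

Running `find_trust_files /etc/passwd` on a real host reports one line per trust file found; an empty result means no `.shosts`/`.rhosts` exist in local interactive users' home directories.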

redhatrises commented 5 years ago

Rule exists, closing.