Closed benformosa closed 4 years ago
Just one man's opinion, but imo the playbook should adhere directly to the benchmark and its the benchmark that would need to be updated.
I agree that this playbook should follow the benchmark, however I'm not sure if that means the wording of the rules or the provided scripts.
The preamble to section 6.2 points out that the rules in that section should also apply to domain users:
6.2 User and Group Settings This section provides guidance on securing aspects of the users and groups. Note: The recommendations in this section check local users and groups. Any users or groups from other sources such as LDAP will not be audited. In a domain environment similar checks should be performed against domain users and groups.
From the auditing perspective, the appliance we use executes the checks exactly as defined in the benchmark. I recall several things referencing /etc/passwd such as for file permissions, unowned directories, and so forth.
What I ended up doing for site specific requirements was add in my own playbook called at the end for one-off additions or fixes. That lets me run a 99% vanilla version of this playbook across all our boxes.
I'm not worried if this isn't merged, I'm happy maintaining my own fork or extra playbooks.
The List users accounts task relies on the content of `/etc/passwd` to list users. In my environment, systems are domain joined, and so users are not listed in `/etc/passwd`. It might be useful to additionally locate users by subdirectories in `/home`. This creates a fact `all_users` containing all users in `/etc/passwd` and the name of each directory under `/home`.
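As an added illustration of the gap the PR describes (this is example code, not the playbook's own task), the POSIX shell functions below build the same merged list from a passwd file plus the directory names under a home root, and separately report the names that exist only as home directories. The passwd content, the directory names and the `all_users` / `home_only_users` function names are constructed for the example; the paths are parameters so it runs against temporary sample data rather than the live system.

```shell
#!/bin/sh
# Added example (not the playbook's own code): merge the login names in a
# passwd file with the directory names under a home root, the way the PR
# description proposes for the all_users fact.

# Constructed sample passwd content: two local interactive users plus the
# system accounts that a CIS home-directory check must skip.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# all_users <passwd_file> <home_root>
# Prints the union of login names in <passwd_file> and directory names under
# <home_root>, one per line, sorted and de-duplicated. Users that exist only
# in a directory service appear because a home directory was created for
# them at first login, even though they have no entry in the passwd file.
all_users() {
    passwd_file=$1
    home_root=$2
    {
        cut -d: -f1 "$passwd_file"
        for d in "$home_root"/*/; do
            [ -d "$d" ] || continue   # no match: the glob is returned literally
            basename "$d"
        done
    } | LC_ALL=C sort -u
}

# home_only_users <passwd_file> <home_root>
# Names under <home_root> with no passwd entry: the accounts the original
# task would silently skip on a domain-joined host.
home_only_users() {
    passwd_file=$1
    home_root=$2
    for d in "$home_root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        cut -d: -f1 "$passwd_file" | grep -qxF "$name" || echo "$name"
    done
}

# Demo on constructed data in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
    echo "all_users:";       all_users "$tmp/passwd" "$tmp/home"
    echo "home_only_users:"; home_only_users "$tmp/passwd" "$tmp/home"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh script.sh --demo` to see the merged list and the home-only names. Note that a name taken from a directory carries no UID or shell, so checks that need those fields (UID 0 accounts, login shells, home-directory ownership) still have to resolve each name through NSS, for example with `getent passwd <name>`, rather than from the directory name alone.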