
no_shelllogin_for_systemaccounts is misaligned with DISA

Open jan-cerny opened this issue 1 year ago • 6 comments

Description of problem:

no_shelllogin_for_systemaccounts is misaligned with DISA

Details:

Needs broader investigation. At the first sight it seems that the SSG check is more complex and allows more different "shell" names whereas DISA allows only /sbin/nologin.

Outcome:

SSG result: pass DISA result: fail

The issue is present in these test variants:

  • oscap
  • ansible
  • anaconda

SCAP Security Guide Version:

Current upstream master as of 2024-03-12 (HEAD cbbca44).

External Content's Version:

DISA STIG RHEL 9 V1R1

jan-cerny avatar Mar 13 '24 12:03 jan-cerny

Currently this is the relevant line in OVAL: <ind:pattern operation="pattern match">^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$</ind:pattern>

marcusburghardt avatar Apr 12 '24 13:04 marcusburghardt

This rule should be cleaned up, remove the /bin/false items as there are some implications of using that.

Mab879 avatar Apr 12 '24 14:04 Mab879

IIUC using /bin/false will also prevent the user from logging in, but /sbin/nologin will also display a message to the user that tries to log in. I would say that for system accounts we don't need the message to be displayed, so /bin/false is a valid value for me.

I have found that we have this history:

  • adding it in https://github.com/ComplianceAsCode/content/pull/3767
  • removing it in https://github.com/ComplianceAsCode/content/pull/3770
  • adding it back https://github.com/ComplianceAsCode/content/pull/7103

jan-cerny avatar Apr 16 '24 15:04 jan-cerny

IIUC using /bin/false will also prevent the user from logging in, but /sbin/nologin will also display a message to the user that tries to log in. I would say that for system accounts we don't need the message to be displayed, so /bin/false is a valid value for me.

I have found that we have this history:

Thanks for bringing this history. Now I am more convinced we should not accept /bin/false in this rule. Some security policies even explicitly restrict the options to /usr/sbin/nologin or /sbin/nologin.

marcusburghardt avatar Apr 17 '24 11:04 marcusburghardt

I am preparing the fix to restrict the list of shells in this OVAL. However, we should still talk to DISA so they can extend the check on their side to also accept the following special shells in this rule:

  • /bin/sync
  • /sbin/shutdown
  • /sbin/halt
  • /usr/sbin/nologin

Note that /usr/sbin/nologin is the same as /sbin/nologin on systems with usrmerge. I identified an exception where the systemd-oom user uses the /usr/sbin/nologin shell, so it sounds fine to also accept /usr/sbin/nologin for now.

marcusburghardt avatar Apr 26 '24 09:04 marcusburghardt
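To make the misalignment discussed in this thread concrete, here is an added example (not code from the ComplianceAsCode project or from DISA) that runs the OVAL pattern quoted above over a constructed /etc/passwd sample and compares it with two stricter shell lists: the DISA-style list that only accepts /sbin/nologin, and the list proposed in the previous comment (/sbin/nologin plus /usr/sbin/nologin, /bin/sync, /sbin/shutdown and /sbin/halt, without /bin/false). The sample accounts, the UID_MIN value of 1000, and the assumption that the UID captured by the pattern is compared against UID_MIN to select system accounts are all assumptions made for the example.

```python
import re

# Constructed /etc/passwd sample for the example; not taken from the issue or any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin
legacysvc:x:980:980:legacy service:/var/lib/legacysvc:/bin/false
badsvc:x:981:981:misconfigured service:/var/lib/badsvc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Assumption: the usual login.defs UID_MIN; accounts below it are treated as system accounts.
UID_MIN = 1000

# The OVAL pattern quoted in the issue. It matches lines whose shell is NOT in the
# allowed list and captures the UID in group 1. Assumption: the OVAL state compares
# that captured UID against UID_MIN; we do the same comparison in Python below.
SSG_PATTERN = re.compile(
    r"^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:"
    r"(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown"
    r"|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$"
)

# Shell lists for the two stricter variants discussed in the thread.
DISA_SHELLS = {"/sbin/nologin"}
PROPOSED_SHELLS = DISA_SHELLS | {"/usr/sbin/nologin", "/bin/sync", "/sbin/shutdown", "/sbin/halt"}


def parse_passwd(text):
    """Parse passwd-format text into dicts with name, uid and shell; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"name": name, "uid": int(uid), "shell": shell})
    return entries


def ssg_violations(text, uid_min=UID_MIN):
    """System accounts (non-root, uid < uid_min) flagged by the quoted OVAL pattern."""
    hits = []
    for line in text.splitlines():
        m = SSG_PATTERN.match(line)
        if m and int(m.group(1)) < uid_min:
            hits.append(line.split(":")[0])
    return hits


def shell_violations(text, allowed, uid_min=UID_MIN):
    """System accounts whose login shell is outside the given allowed set."""
    return [
        e["name"]
        for e in parse_passwd(text)
        if e["name"] != "root" and e["uid"] < uid_min and e["shell"] not in allowed
    ]


def compare(text):
    """Run all three checks so the divergence between them is visible side by side."""
    return {
        "ssg": ssg_violations(text),
        "disa": shell_violations(text, DISA_SHELLS),
        "proposed": shell_violations(text, PROPOSED_SHELLS),
    }


if __name__ == "__main__":
    for name, flagged in compare(SAMPLE_PASSWD).items():
        print(f"{name:9s} fails: {flagged}")
```

On the sample, the quoted OVAL pattern flags only badsvc (shell /bin/bash), so the account legacysvc with /bin/false passes SSG; the /sbin/nologin-only list flags legacysvc together with sync, shutdown, halt and systemd-oom, which is the "SSG result: pass, DISA result: fail" outcome from the issue description; the proposed list flags legacysvc and badsvc only, so dropping /bin/false aligns the two checks for that account while the four special shells still need to be accepted on the DISA side.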

Reopened because there are still some changes necessary on the DISA side.

marcusburghardt avatar Apr 26 '24 12:04 marcusburghardt