From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 10:54:51 +0200
Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
.../tests/no_sys_uids.pass.sh | 7 +++++++
.../tests/only_system_users.pass.sh | 6 ++++++
.../tests/system_user_with_shell.fail.sh | 6 ++++++
4 files changed, 23 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
new file mode 100644
index 0000000000..6d48ad78fd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -0,0 +1,4 @@
+# remediation = none
+
+#!/bin/bash
+true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
new file mode 100644
index 0000000000..bc4f9cee8c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -0,0 +1,7 @@
+# remediation = none
+
+#!/bin/bash
+
+# Force unset of SYS_UID values
+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
new file mode 100644
index 0000000000..0cdb820bbb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# remove any non-system user
+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
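Review bot: The `sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd` line selects accounts by shell name rather than by UID, so it does not quite implement the "remove any non-system user" comment above it: a system account whose shell is `/bin/false` (common outside the RHEL family) is dropped, while a regular user whose shell is `/sbin/nologin` is kept. It also edits only `/etc/passwd`, leaving the matching `/etc/shadow` and `/etc/group` entries behind for the rest of the scenario. Selecting by UID against `UID_MIN` from `/etc/login.defs` and removing with `userdel` keeps the account database consistent and matches what the rule is about, e.g. `awk -F: -v m="$(awk '/^UID_MIN/ {print $2}' /etc/login.defs)" '$3 >= m && $3 != 65534 {print $1}' /etc/passwd | xargs -r -n1 userdel`. The `65534` exclusion keeps `nobody`, which on most distributions sits above UID_MIN by convention and already has a non-login shell.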
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
new file mode 100644
index 0000000000..7639a8809d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# change system user "mail" shell to bash
+usermod --shell /bin/bash mail
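Review bot: `usermod --shell /bin/bash mail` assumes a `mail` account exists on the test image; where it does not (minimal container images are the likely case), usermod exits non-zero and the scenario errors during setup instead of producing the expected fail result. Guarding it with `getent passwd mail >/dev/null || useradd -r -s /sbin/nologin mail` makes the scenario self-contained. Also worth noting: `mail` is a low, statically assigned UID, so this scenario only exercises the `<0, UID_MIN - 1>` test; none of the added scenarios puts a shell on an account inside the `<SYS_UID_MIN, SYS_UID_MAX>` range, which is where `useradd -r` allocates, so a second fail scenario that creates one with `useradd -r -s /bin/bash` would cover that path.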
From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 11:27:48 +0200
Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
range of UIDs
There is no need to make calculations on top of the UIDs, we can compare
the collected UIDs with shell against the states that define the valid range.
Avoiding the calculations has the added benefit of not using/referencing
a variable that can be empty (when no user has shell, except root).
---
.../oval/shared.xml | 198 +++---------------
1 file changed, 33 insertions(+), 165 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
index 7e68441867..d0e836515b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
@@ -79,13 +79,6 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
-
-
- comment="UIDs retrieved from /etc/passwd" version="1">
-
- object_ref="object_etc_passwd_entries" />
- </local_variable>
-
perform the check that all /etc/passwd entries having shell defined have
@@ -100,63 +93,23 @@
</regex_capture>
</local_variable>
-
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, UID_MIN - 1> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
-
-
- comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
- version="1">
-
- <arithmetic arithmetic_operation="multiply">
-
-
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="add">
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
-
- <arithmetic arithmetic_operation="add">
-
- <variable_component var_ref="variable_uid_min_value" />
- <literal_component datatype="int">-1</literal_component>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
-
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
- <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
-
- <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
have UID outside of <0, UID_MIN -1> range -->
-
+
check_existence="all_exist" comment="<0, UID_MIN - 1> system UIDs having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_default_uid_range" />
- <ind:state state_ref="state_shell_defined_default_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
+ <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
+ </ind:textfilecontent54_state>
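Review bot: The rewritten test ending in `check_existence="all_exist" comment="<0, UID_MIN - 1> system UIDs having shell set"` references two states, `state_uid_less_than_zero` and `state_uid_greater_than_or_equal_uid_min`, that no single UID can satisfy together, so the intended meaning is UID < 0 OR UID >= UID_MIN. OVAL combines multiple state references per item with `state_operator`, whose default is AND; the opening `<ind:textfilecontent54_test>` tag is not visible on this page, so if it does not already carry `state_operator="OR"`, every collected entry fails the state comparison and the check always reports a finding. The same applies to the two SYS_UID tests in the following hunk, which each reference a pair of states in the same way. Separately, this test keeps `check_existence="all_exist"` while those two tests switch to `any_exist`; with `all_exist`, a system where `object_etc_passwd_entries` collects no items (the commit message's "no user has shell, except root" case) evaluates false rather than true, so `check_existence="any_exist" comment="<0, UID_MIN - 1> system UIDs having shell set"` is likely wanted here too, unless the criterion referencing this test is negated.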
@@ -200,121 +153,36 @@
</regex_capture>
</local_variable>
-
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
-
- UIDs from the range <0, SYS_UID_MIN> -->
-
- comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
- version="1">
-
- <arithmetic arithmetic_operation="multiply">
-
-
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="add">
-
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
-
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
- <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
-
- <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
have UID outside of <0, SYS_UID_MIN> range -->
-
- check_existence="all_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
- version="1">
- <ind:object object_ref="object_shell_defined_reserved_uid_range" />
- <ind:state state_ref="state_shell_defined_reserved_uid_range" />
- </ind:variable_test>
-
-
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
-
- thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
-
- comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
+
+ check_existence="any_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
version="1">
-
- <arithmetic arithmetic_operation="multiply">
-
- <arithmetic arithmetic_operation="add">
-
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
-
- <arithmetic arithmetic_operation="add">
-
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
-
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_max_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
-
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
- <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
- </ind:variable_object>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
+ </ind:textfilecontent54_test>
-
- <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
-
- check_existence="all_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
+
+ check_existence="any_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
- <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_sys_uid_min" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
+ </ind:textfilecontent54_state>
</def-group>
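Review bot: The state `state_uid_greater_than_or_equal_sys_uid_max` uses `operation="greater than or equal"` against `variable_sys_uid_max_value`, which treats a UID equal to SYS_UID_MAX as outside the system range; SYS_UID_MAX in login.defs is an inclusive upper bound, and the removed `(x - SYS_UID_MIN) * (x - SYS_UID_MAX) > 0` expression flagged that UID (product zero). A system account whose UID is exactly SYS_UID_MAX and which has a login shell therefore passes the new check but failed the old one. Change the state to `<ind:subexpression datatype="int" operation="greater than" var_ref="variable_sys_uid_max_value" />` so the closed interval `<SYS_UID_MIN, SYS_UID_MAX>` named in the test comment is what is actually checked.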
From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 4 Jun 2020 14:04:37 +0200
Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +-
.../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
.../tests/only_system_users.pass.sh | 3 +--
.../tests/system_user_with_shell.fail.sh | 3 +--
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
index 6d48ad78fd..833831f79d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -1,4 +1,4 @@
+#!/bin/bash
# remediation = none
-#!/bin/bash
true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
index bc4f9cee8c..6769895eb2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# Force unset of SYS_UID values
sed -i '/^SYS_UID_MIN/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
index 0cdb820bbb..06edf671ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# remove any non-system user
sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
index 7639a8809d..10312593b8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# change system user "mail" shell to bash
usermod --shell /bin/bash mail