From 3492b3e4d47f2bd852f2e19549352a7b23997318 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 9 May 2023 06:03:11 -0400 Subject: [PATCH 1/2] Document OL08-00-020320 as a known finding --- docs/findings/el8.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/findings/el8.md b/docs/findings/el8.md index fb580e06f..78ab805c7 100644 --- a/docs/findings/el8.md +++ b/docs/findings/el8.md @@ -20,6 +20,7 @@ .. _User Account Passwords Must Be Restricted To A 60-Day Maximum Lifetime: #user-account-passwords-must-be-restricted-to-a-60-day-maximum-lifetime .. _OS Must Be Configured In The Password-Auth File To Prohibit Password Reuse For A Minimum Of Five Generations: #os-must-prohibit-password-reuse-for-a-minimum-of-five-generations .. _The Installed Operating System Is Not Vendor Supported: #the-installed-operating-system-is-not-vendor-supported + .. _"Only Authorized Local User Accounts Exist on Operating System" is always flagged: #only-authorized-local-user-accounts-exist-on-operating-system"-is-always-flagged +----------------------------------------------------------------------------------------+---------------------+ @@ -65,6 +66,10 @@ | | | | | RHEL-08-010000 | +----------------------------------------------------------------------------------------+---------------------+ + | `"Only Authorized Local User Accounts Exist on Operating System" is always flagged`_ | V-248713 | + | | | + | | OL08-00-020320 | + +----------------------------------------------------------------------------------------+---------------------+ ``` 
@@ -252,3 +257,13 @@ This rule effects primarily "free" versions of the Red Hat Enterprise Linux oper And an `/etc/redhat-release` file with contents that aligns to one that's delivered with any of the preceding RPM. The various "free" versions of the Red Hat Enterprise Linux operating system will not have any of the above RPMs present. If using a vendor-supported Linux and this scan finding occurs, it's likely that either the `release-` RPM is missing or damaged, something has unexpectedly altered the target's `/etc/redhat-release` file or the scanner is looking for a wildcarded `release` file under the `/etc` directory and there's an unexpected filename found. + +# "Only Authorized Local User Accounts Exist on Operating System" is always flagged + +**Expected Finding:** + +Finding is specific to Oracle Linux 8 STIG profile. Per the STIG notes: + +> Automatic remediation of this control is not available due to the unique requirements of each system. + +While automation _could_ be authored that would leverage a site- or host-specific allowed-users list to disable or delete forbidden accounts, there exists an extremely-high likelihood that scanners used against such configuration-controlled operating environments would not contain the scanning logic necessary to validate compliance. As such and with or without user-controlling automation-content, STIG scanners would still flag systems that are technically compliant. From f7dabfabe159d005608d0e6aa89748e20d30dd8b Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 9 May 2023 06:29:44 -0400 Subject: [PATCH 2/2] Fix comment-text to reflect broader (mis)specification --- docs/findings/el8.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/findings/el8.md b/docs/findings/el8.md index 78ab805c7..7f81afb24 100644 --- a/docs/findings/el8.md +++ b/docs/findings/el8.md 
@@ -66,9 +66,9 @@ | | | | | RHEL-08-010000 | +----------------------------------------------------------------------------------------+---------------------+ - | `"Only Authorized Local User Accounts Exist on Operating System" is always flagged`_ | V-248713 | + | `"Only Authorized Local User Accounts Exist on Operating System" is always flagged`_ | V-230379 | | | | - | | OL08-00-020320 | + | | RHEL-08-020320 | +----------------------------------------------------------------------------------------+---------------------+ ``` @@ -262,8 +262,8 @@ If using a vendor-supported Linux and this scan finding occurs, it's likely that **Expected Finding:** -Finding is specific to Oracle Linux 8 STIG profile. Per the STIG notes: +Per the STIG notes: > Automatic remediation of this control is not available due to the unique requirements of each system. -While automation _could_ be authored that would leverage a site- or host-specific allowed-users list to disable or delete forbidden accounts, there exists an extremely-high likelihood that scanners used against such configuration-controlled operating environments would not contain the scanning logic necessary to validate compliance. As such and with or without user-controlling automation-content, STIG scanners would still flag systems that are technically compliant. +While-automation _could_ be authored that would leverage a site- or host-specific allowed-users list to disable or delete forbidden accounts, there exists an extremely-high likelihood that scanners used against such configuration-controlled operating environments would not contain the scanning logic necessary to validate compliance. As such – and with or without user-controlling automation-content – STIG scanners would still flag systems that are technically compliant.
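Review bot: The link target added in the first hunk of patch 1/2 (`@@ -20,6 +20,7 @@`) carries a stray double quote in its fragment: `#only-authorized-local-user-accounts-exist-on-operating-system"-is-always-flagged`. The leading quote of the title was dropped but the one after "System" was kept, and the neighbouring targets in the same hunk (for example `#the-installed-operating-system-is-not-vendor-supported`) use lowercase, hyphen-separated fragments with no punctuation. Suggest `#only-authorized-local-user-accounts-exist-on-operating-system-is-always-flagged`, and confirm that the rendered table link actually lands on the new heading. Patch 2/2 does not touch this line, so the problem survives the series.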
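Review bot: The section added in the last hunk of patch 1/2 (`@@ -252,3 +257,13 @@`) explains why scanners keep flagging the control but gives the reader nothing to act on. Under "Expected Finding" it would help to add a sentence on what an operator should do with the result, for instance where the site's authorized-accounts list is recorded so that an assessor can perform the manual check the quoted STIG note implies. The blockquote is also attributed only to "the STIG notes"; naming the profile and rule ID next to it would make the quotation verifiable.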
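Review bot: In the table hunk of patch 2/2 (`@@ -66,9 +66,9 @@`), replacing `V-248713` / `OL08-00-020320` with `V-230379` / `RHEL-08-020320` removes the Oracle Linux identifiers from the page entirely, although patch 1/2 was written specifically to document `OL08-00-020320`. Someone searching the findings page for the ID their Oracle Linux 8 scan reported will no longer get a hit. Since the commit subject says the finding applies more broadly rather than to a different platform, list both pairs in the row (other rows in this table already spread IDs over several lines) instead of swapping one for the other.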
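Review bot: The rewritten paragraph in the second hunk of patch 2/2 (`@@ -262,8 +262,8 @@`) introduces a typo: it now begins `While-automation _could_ be authored`, where the removed line read `While automation`. Drop the hyphen. The same line also switches to en dashes around "and with or without user-controlling automation-content"; check that this matches the punctuation used in the rest of `docs/findings/el8.md`.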