CIS 5.5.2 Ensure system accounts are secured #11910

Closed
marcofortina opened this issue Apr 28, 2024 · 5 comments · Fixed by #11927
Labels
CIS CIS Benchmark related. Ubuntu Ubuntu product related.

Comments

@marcofortina (Contributor):

Description of problem:

Check for rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts always fails.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Execute oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts ssg-ubuntu2204-ds.xml

Actual Results:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  fail

Expected Results:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  pass

Additional Information/Debugging Steps:

root@ubuntu:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
postfix:x:114:120::/var/spool/postfix:/usr/sbin/nologin
systemd-journal-remote:x:115:122:systemd Journal Remote,,,:/run/systemd:/usr/sbin/nologin
@marcofortina (Contributor Author):

Version 0.1.72 does not report this error:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  pass

master branch (commit 59013f6):

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  fail

It seems the issue was introduced after the 0.1.72 release.

@marcofortina (Contributor Author):

Last good commit c35978f:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  pass

From commit a936357:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  fail

@marcofortina (Contributor Author):

PR #11896 broke the pass result on Ubuntu 22.04.

I agree on the usage of /usr/sbin/nologin instead of /bin/false, but only after all packages change their own users in /etc/passwd and only after the changes are reported in the official CIS guide. Right now OSCAP should validate what is in the official guide:

5.5.2 Ensure system accounts are secured (Automated) - Page: 714:

Audit:

Run the following commands and verify no results are returned:

awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd

awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'

Here /bin/false is not reported as not secure.

My opinion is that PR #11896 should be rolled back and, if needed for other kinds of recommendations (e.g. STIG, PCI-DSS and so on), a patch written that is compliant with everyone and that does not create regressions with those indicated by CIS.

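The two CIS 5.5.2 audit commands quoted above, re-implemented as shell functions that run offline against a constructed copy of the /etc/passwd from this issue, as an added example that is not part of the issue or of SCAP Security Guide. It also includes a stricter "nologin only" variant; that this is the behaviour the changed OVAL now enforces is an assumption drawn from the thread, not a quote of the PR. The account svc-demo, the `passwd -S` output, and the UID_MIN argument (passed in rather than read from /etc/login.defs) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the issue or of SCAP Security Guide.
# Reimplements the two CIS 5.5.2 (v1 benchmark) audit commands quoted in
# the thread as functions that run offline, plus a stricter "nologin only"
# variant (assumption: this is what the changed OVAL enforces).
# UID_MIN is passed as an argument instead of being read from /etc/login.defs.

# Constructed sample: a subset of the /etc/passwd posted in the issue plus
# one hypothetical account "svc-demo" with a real shell and no password.
SAMPLE_PASSWD="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
svc-demo:x:200:200:hypothetical service:/srv/demo:/bin/bash
EOF
)"

# Constructed 'passwd -S' output for the same accounts (format: name status
# last-change min max warn inactive; L = locked, P = usable password,
# NP = no password). passwd itself cannot be run offline here.
SAMPLE_STATUS="$(cat <<'EOF'
root P 04/28/2024 0 99999 7 -1
daemon L 04/28/2024 0 99999 7 -1
sync L 04/28/2024 0 99999 7 -1
nobody L 04/28/2024 0 99999 7 -1
pollinate L 04/28/2024 0 99999 7 -1
tss L 04/28/2024 0 99999 7 -1
lxd L 04/28/2024 0 99999 7 -1
ubuntu P 04/28/2024 0 99999 7 -1
svc-demo NP 04/28/2024 0 99999 7 -1
EOF
)"

# cis_v1_shell_audit PASSWD_FILE UID_MIN
# First CIS command: system accounts (UID < UID_MIN, name not matching
# root/sync/shutdown/halt, not a NIS '+' entry) whose shell is neither
# nologin nor false. The regexes are kept exactly as CIS writes them,
# unanchored, so "root" also skips any name that merely contains "root".
cis_v1_shell_audit() {
    awk -F: -v uid_min="$2" '
        $1!~/(root|sync|shutdown|halt|^\+)/ && $3<uid_min &&
        $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print $1}
    ' "$1"
}

# nologin_only_shell_audit PASSWD_FILE UID_MIN
# Stricter variant: same selection, but /bin/false is no longer accepted.
# On the sample this is what turns pollinate, tss and lxd into findings.
nologin_only_shell_audit() {
    awk -F: -v uid_min="$2" '
        $1!~/(root|sync|shutdown|halt|^\+)/ && $3<uid_min &&
        $7!~/((\/usr)?\/sbin\/nologin)/ {print $1}
    ' "$1"
}

# cis_v1_lock_audit PASSWD_FILE UID_MIN STATUS_FILE
# Second CIS command: system accounts whose 'passwd -S' status is not L/LK.
# STATUS_FILE is read first with the default whitespace FS, then the passwd
# file with FS=':' (awk command-line assignment between file operands).
# An account missing from STATUS_FILE has an empty status and is reported.
cis_v1_lock_audit() {
    awk -v uid_min="$2" '
        FILENAME==ARGV[1] { status[$1]=$2; next }
        $1!~/(root|^\+)/ && $3<uid_min && status[$1]!~/LK?/ {print $1}
    ' "$3" FS=: "$1"
}

# Stand-alone demo over the constructed samples.
tmp_passwd=$(mktemp); tmp_status=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_passwd"
printf '%s\n' "$SAMPLE_STATUS" > "$tmp_status"
echo "CIS v1 shell audit (findings):"
cis_v1_shell_audit "$tmp_passwd" 1000
echo "nologin-only shell audit (findings):"
nologin_only_shell_audit "$tmp_passwd" 1000
echo "CIS v1 lock audit (findings):"
cis_v1_lock_audit "$tmp_passwd" 1000 "$tmp_status"
rm -f "$tmp_passwd" "$tmp_status"
```

Run against the real system with `cis_v1_shell_audit /etc/passwd "$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"`. The difference between the first two functions is exactly the disagreement in this issue: the v1 benchmark accepts /bin/false, so the Ubuntu 22.04 default passwd yields no findings, while a nologin-only check reports every /bin/false account.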
@marcusburghardt marcusburghardt added Ubuntu Ubuntu product related. CIS CIS Benchmark related. labels Apr 30, 2024
@mpurg (Contributor) commented May 2, 2024:

Hi @marcofortina , looks like this rule was changed in CIS v2.0.0 to not allow /bin/false:

5.4.2.7 Ensure system accounts do not have a valid login shell

That said, since we do not support CIS v2.0.0 yet, I think the best thing to do is to temporarily patch the OVAL for Ubuntu.

@marcofortina (Contributor Author):

Same issue also on SLES15
