V-38496 check includes non-system accounts

Bug #1550442 reported by egon
Affects: OpenStack-Ansible
Status: Fix Released
Importance: High
Assigned to: Major Hayden
Milestone: (none)

Bug Description

The security check in openstack-ansible-security for V-38496 uses an awk command from STIG that doesn't filter out non-system accounts (UID over 500 on RPM / over 1000 on Ubuntu). This means that any user/operator accounts that are created on the system also cause the check to fail.

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Revision history for this message
egon (egon-p) wrote :

I did a spot check on a RHEL system, and my user account uid was 1000. Maybe a single range works for both types of systems? Can we say that UIDs >= 1000 are non-system accounts, and everything below it should be locked?

Revision history for this message
Logan V (loganv) wrote :

Bug looks valid to me.
https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L68

# awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
ubuntu:<etc etc>

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (master)

Fix proposed to branch: master
Review: https://review.openstack.org/290059

Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (master)

Reviewed: https://review.openstack.org/290059
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=9058a3f084961a52408dd1576dd386db8ff4d0d0
Submitter: Jenkins
Branch: master

commit 9058a3f084961a52408dd1576dd386db8ff4d0d0
Author: Major Hayden <email address hidden>
Date: Thu Mar 24 10:09:49 2016 -0500

    Improved search for unlocked system accounts

    This patch adds a better check for system accounts that aren't
    unlocked. The new logic meets the requirement of V-38496 from the
    STIG better than the previous version. Only unlocked accounts with
    UID < 500 will trigger the failure/violation.

    Closes-Bug: 1550442

    Change-Id: I18ccbd8e1cd7c311521d0ffdfcf6f46dbc4e395d
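As an added example (not code from the bug report, the role or the commit above): the STIG awk quoted in Logan's comment beside a UID-aware version of the check that the merged commit describes, run against constructed passwd/shadow samples. The UID boundary is a parameter, since egon's comment notes it is 500 on RPM systems and 1000 on Ubuntu; the account names and hashes are made up.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/shadow content (not from any real host).
# svc_backup is a system account (UID 450) with a live hash; ubuntu is an operator account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
svc_backup:x:450:450::/var/lib/backup:/bin/sh
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
egon:x:1001:1001::/home/egon:/bin/bash'

SHADOW_SAMPLE='root:$6$abc:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
sync:!:17000:0:99999:7:::
svc_backup:$6$def:17000:0:99999:7:::
ubuntu:$6$ghi:17000:0:99999:7:::
egon:!!:17000:0:99999:7:::'

# The awk quoted from the STIG / original role: every non-root account whose
# password field is not locked, with no regard for the UID range.
original_stig_check() {
    printf '%s\n' "$1" | awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}'
}

# unlocked_system_accounts PASSWD_CONTENT SHADOW_CONTENT MAX_UID
# Prints one username per line for each account that is not root, has a UID
# below MAX_UID (500 on RPM distributions per the fix, 1000 on Ubuntu), and whose
# shadow password field is not locked. An empty password field counts as
# unlocked, which is exactly the condition worth catching.
unlocked_system_accounts() {
    max_uid=$3
    passwd_tmp=$(mktemp) || return 1
    shadow_tmp=$(mktemp) || { rm -f "$passwd_tmp"; return 1; }
    printf '%s\n' "$1" > "$passwd_tmp"
    printf '%s\n' "$2" > "$shadow_tmp"
    awk -F: -v max="$max_uid" '
        NR == FNR { uid[$1] = $3; next }   # first file (passwd): remember UID per user
        $1 == "root" { next }               # root is covered by a separate STIG item
        !($1 in uid) { next }               # shadow entry with no passwd entry: ignore
        uid[$1] + 0 >= max + 0 { next }     # operator/user account: out of scope
        $2 !~ /^[!*]/ { print $1 }          # system account, not locked: violation
    ' "$passwd_tmp" "$shadow_tmp"
    rm -f "$passwd_tmp" "$shadow_tmp"
}

echo "Original STIG awk (flags the operator account too):"
original_stig_check "$SHADOW_SAMPLE"
echo "UID-filtered check, threshold 500:"
unlocked_system_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 500
```

On a live host, replace the two sample strings with `cat /etc/passwd` and `cat /etc/shadow` (the latter needs root); the awk body is what would go into the role's task.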

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/301210

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (stable/mitaka)

Reviewed: https://review.openstack.org/301210
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=062b19e5c5a515fac664b7802475b1a86bb100c9
Submitter: Jenkins
Branch: stable/mitaka

commit 062b19e5c5a515fac664b7802475b1a86bb100c9
Author: Major Hayden <email address hidden>
Date: Thu Mar 24 10:09:49 2016 -0500

    Improved search for unlocked system accounts

    This patch adds a better check for system accounts that aren't
    unlocked. The new logic meets the requirement of V-38496 from the
    STIG better than the previous version. Only unlocked accounts with
    UID < 500 will trigger the failure/violation.

    Closes-Bug: 1550442

    Change-Id: I18ccbd8e1cd7c311521d0ffdfcf6f46dbc4e395d
    (cherry picked from commit 9058a3f084961a52408dd1576dd386db8ff4d0d0)

tags: added: in-stable-mitaka
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-security 13.0.1

This issue was fixed in the openstack/openstack-ansible-security 13.0.1 release.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote :

This issue was fixed in the openstack/openstack-ansible-security 13.0.1 release.
