7 Replies Latest reply: Jun 1, 2012 2:50 PM by Joe Piotrowski

    Compliance check, but exclude a user

    Jeff Claunch

      All,


      Trying to do a compliance check on AIX.  I want to look at the file /etc/security/user and check each user for the existence of loginretries.  If loginretries is 1-3 I'm good.  If not, it's a finding.


      HOWEVER, I want to exclude root from the check because it is going to be ZERO in our environment.


      This check is part of the DISA STIGs under check GEN000460; here is the default check:


      "Configuration File Entry: /etc/security/user//*/loginretries". "Value1 as Integer (All OS)" between [1 and 3]


      How do I exclude root from being checked?

        • 1. Re: Compliance check, but exclude a user
          Bill Robinson

          you'd need to modify the EO script itself to ignore root, or you may be able to set an exception for this on the component.

          • 2. Compliance check, but exclude a user
            Jeff Claunch

            Bill, for this particular check for AIX at least with the content that I have installed there is no EO being run.  It's simply a compliance rule.

            • 3. Compliance check, but exclude a user
              Bill Robinson

              what version of blade?

              • 5. Re: Compliance check, but exclude a user
                sandman1 NameToUpdate

                Jeff, did you ever resolve this? Can you share how you did it?

                • 6. Compliance check, but exclude a user
                  Joe Piotrowski

                  I am not sure how you would do this but I can assist. When you install our Compliance Context the installer copies scripts to the .../NSH/share/sensors folder on each appserver. In this case, the script calls a file called disa-GEN000460 in that folder. The issue is specific for AIX. So here is the code for AIX:


                  if [ $OS = AIX ]
                  then
                      if [ -f ${AIX_USERFILE} ]
                      then
                          # loginretries value from the "default:" stanza
                          LoginRet=`grep -p "^default:" /etc/security/user | grep loginretries | awk '{print $3}'`
                          Lsuser=`which lsuser`
                          # number of non-comment lines in the file that mention loginretries
                          Count=`egrep -v '#|\*' /etc/security/user | grep -c loginretries`
                          if [ $Count -ne 0 ]; then
                              # one "user:loginretries=N" token per user, as reported by lsuser
                              State=`$Lsuser -a loginretries ALL | tr ' ' ':'`
                          fi

                          # avoid syntax error if LoginRet is empty....
                          if [ "${LoginRet:-NOVALUE}" != "NOVALUE" ]
                          then
                              if [ $LoginRet -ne 0 ]
                              then
                                  Answer=1
                                  echo "<finding>The system retries default is $LoginRet</finding>"
                              fi
                          fi

                          # avoid syntax error if State/MaxTries is empty....
                          if [ "${State:-NOVALUE}" != "NOVALUE" ]
                          then
                              # every user is evaluated here; there is no exclusion for root
                              for Lretries in ${State}
                              do
                                  MaxTries=`echo $Lretries | egrep '= [0-9]|=[0-9]' | cut -d: -f2 | cut -d= -f2`

                                  if [ "${MaxTries:-NOVALUE}" != "NOVALUE" ]
                                  then
                                      # 0 (no lockout) or more than 3 retries is a finding
                                      if [ ${MaxTries} -gt 3 -o ${MaxTries} -eq 0 ]
                                      then
                                          Answer=1
                                          echo "`echo ${Lretries}| sed 's/:/ /'`" >> ${Tmp0}
                                      fi
                                  fi
                              done
                          fi

                          # report the collected findings
                          if [ -f ${Tmp0} ]
                          then
                              cat ${Tmp0} | while read Rec
                              do
                                  echo "<finding>$Rec</finding>"
                              done
                          fi

                          # report again, capped at MAXDISPLAY lines; otherwise mark compliant
                          if [ -f ${Tmp0} ]
                          then
                              cat ${Tmp0} | while read Rec
                              do
                                  echo "<finding>$Rec</finding>"
                                  maxdisp=`expr $maxdisp + 1`
                                  if [ $maxdisp -eq $MAXDISPLAY ]
                                  then
                                      echo "<finding>$INFO</finding>"
                                      break 2;
                                  fi
                              done
                          else
                              if [ $Answer -ne 1 ]; then
                                  Answer=2
                              fi
                          fi
                      fi
                  fi

                  • 7. Re: Compliance check, but exclude a user
                    Joe Piotrowski

                    Hopefully we can get some scripting gurus to help us out.


                    If they can show us how to modify the script to exclude root, we would then have to make that change to each disa-GEN000460 file on all appservers.
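As an added example for the question in this thread (it is not the BladeLogic disa-GEN000460 sensor and not code from any of the posters), the POSIX shell function below parses a file in the /etc/security/user stanza format directly, reports every stanza whose loginretries is missing or outside 1-3, and skips the stanzas named in an exclusion list, with root excluded by default. The function names, the exclusion-list argument and the sample stanza file are constructed for the example.

```shell
#!/bin/sh
# Added example, not the BladeLogic disa-GEN000460 sensor: check loginretries
# per stanza in an AIX /etc/security/user-style file and skip excluded users.

# Write a constructed sample file in /etc/security/user stanza format and
# print its path. The default path is a hypothetical temp file.
make_sample_userfile() {
    f=${1:-/tmp/sample_security_user}
    cat > "$f" <<'EOF'
* constructed sample, same stanza layout as /etc/security/user
default:
        admin = false
        loginretries = 0

root:
        admin = true
        loginretries = 0

alice:
        loginretries = 3

bob:
        loginretries = 5

carol:
        admin = false
EOF
    printf '%s\n' "$f"
}

# check_loginretries FILE [EXCLUDED_USERS]
# Emits one <finding> line per stanza whose loginretries is absent or not in 1..3,
# ignoring stanzas named in EXCLUDED_USERS (space separated, default "root").
# Return status is the number of findings (0 = compliant).
check_loginretries() {
    file=$1
    excl=${2:-root}
    awk -v excl="$excl" '
        # flush: report the stanza just finished if it never set loginretries
        function flush() {
            if (stanza != "" && !seen && !(stanza in skip)) {
                printf("<finding>%s has no loginretries entry</finding>\n", stanza)
                bad++
            }
        }
        BEGIN {
            n = split(excl, e, " ")
            for (i = 1; i <= n; i++) skip[e[i]] = 1
        }
        /^[*#]/ { next }                        # AIX comment lines
        /^[^ \t][^:]*:[ \t]*$/ {                # stanza header "name:"
            flush()
            stanza = $0; sub(/:[ \t]*$/, "", stanza)
            seen = 0
            next
        }
        stanza != "" && /^[ \t]*loginretries[ \t]*=/ {
            seen = 1
            split($0, kv, "=")
            val = kv[2]; gsub(/[ \t]/, "", val)
            # excluded users (root by default) are never reported
            if (!(stanza in skip) && (val !~ /^[0-9]+$/ || val + 0 < 1 || val + 0 > 3)) {
                printf("<finding>%s loginretries = %s</finding>\n", stanza, val)
                bad++
            }
            next
        }
        END { flush(); exit bad + 0 }
    ' "$file"
}

# Demo run: prints the findings for the constructed sample (default, bob, carol;
# root is skipped, alice is compliant) and exits with the finding count.
sample=$(make_sample_userfile)
check_loginretries "$sample" root
rm -f "$sample"
```

Run against the real file with `check_loginretries /etc/security/user root`; the same skip test, applied to the `user:loginretries=N` tokens that the posted sensor builds from `lsuser`, is the change the thread is asking for, and the exclusion list keeps the exception visible in one place instead of being spread through the loop.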