7 Replies Latest reply: Jun 1, 2012 2:50 PM by Joe Piotrowski

Compliance check, but exclude a user

Jeff NameToUpdate

All,

Trying to do a compliance check on AIX.  I want to look at the file /etc/security/user and check each user for the existence of loginretries.  If loginretries is 1-3 I'm good.  If not it's a finding.

HOWEVER, I want to exclude root from the check because it is going to be ZERO in our environment.

This check is part of the DISA STIGs under check GEN000460, here is the default check:

"Configuration File Entry: /etc/security/user//*/loginretries". "Value1 as Integer (All OS)" between [1 and 3]

How do I exclude root from being checked???

  • 1. Re: Compliance check, but exclude a user
    Bill Robinson

    you'd need to modify the EO script itself to ignore root, or you may be able to set an exception for this on the component.

  • 2. Compliance check, but exclude a user
    Jeff NameToUpdate

    Bill, for this particular check for AIX at least with the content that I have installed there is no EO being run.  It's simply a compliance rule.

  • 3. Compliance check, but exclude a user
    Bill Robinson

    what version of blade?

  • 5. Re: Compliance check, but exclude a user
    sandman1 NameToUpdate

    Jeff did you ever resolve this? can you share how you did it?

  • 6. Compliance check, but exclude a user
    Joe Piotrowski

    I am not sure how you would do this but I can assist. When you install our Compliance Context the installer copies scripts to the .../NSH/share/sensors folder on each appserver. In this case, the script calls a file called disa-GEN000460 in that folder. The issue is specific to AIX. So here is the code for AIX:

    # OS, AIX_USERFILE, Tmp0, Answer, maxdisp, MAXDISPLAY and INFO are set
    # earlier in the disa-GEN000460 sensor script.
    if [ $OS = AIX ]
    then
        if [ -f ${AIX_USERFILE} ]
        then
            # loginretries from the "default:" stanza of /etc/security/user
            LoginRet=`grep -p "^default:" /etc/security/user | grep loginretries | awk '{print $3}'`
            Lsuser=`which lsuser`
            # number of non-comment lines that set loginretries
            Count=`egrep -v '#|\*' /etc/security/user | grep -c loginretries`
            if [ $Count -ne 0 ]; then
                # one "user:loginretries=N" token per user
                State=`$Lsuser -a loginretries ALL | tr ' ' ':'`
            fi

            # avoid syntax error if LoginRet is empty....
            if [ "${LoginRet:-NOVALUE}" != "NOVALUE" ]
            then
                if [ $LoginRet -ne 0 ]
                then
                    Answer=1
                    echo "<finding>The system retries default is $LoginRet</finding>"
                fi
            fi

            # avoid syntax error if State/MaxTries is empty....
            if [ "${State:-NOVALUE}" != "NOVALUE" ]
            then
                for Lretries in ${State}
                do
                    # value after "=", only for tokens that carry a number
                    MaxTries=`echo $Lretries | egrep '= [0-9]|=[0-9]' | cut -d: -f2 | cut -d= -f2`

                    if [ "${MaxTries:-NOVALUE}" != "NOVALUE" ]
                    then
                        # 0 (no limit) or more than 3 attempts is a finding
                        if [ ${MaxTries} -gt 3 -o ${MaxTries} -eq 0 ]
                        then
                            Answer=1
                            echo "`echo ${Lretries}| sed 's/:/ /'`" >> ${Tmp0}
                        fi
                    fi
                done
            fi

            # report each recorded finding once, stopping after MAXDISPLAY lines
            if [ -f ${Tmp0} ]
            then
                cat ${Tmp0} | while read Rec
                do
                    echo "<finding>$Rec</finding>"
                    maxdisp=`expr $maxdisp + 1`
                    if [ $maxdisp -eq $MAXDISPLAY ]
                    then
                        echo "<finding>$INFO</finding>"
                        break
                    fi
                done
            else
                if [ $Answer -ne 1 ]; then
                    Answer=2
                fi
            fi
        fi
    fi

  • 7. Re: Compliance check, but exclude a user
    Joe Piotrowski

    Hopefully we can get some scripting gurus to help us out.

    If they can show us how to modify the script to exclude root, we would then have to make that change to each disa-GEN000460 file on all appservers.
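The check Jeff describes, written as an added stand-alone example rather than the BMC disa-GEN000460 sensor: it reads an AIX-style /etc/security/user stanza file, gives each user the loginretries value from its own stanza or, failing that, from the "default:" stanza, and reports every user whose value is not an integer from 1 to 3, skipping the names passed in an exclusion list. The function names gen000460_findings and gen000460_count are assumptions, the sample file is constructed, and the script parses the file directly instead of calling lsuser so that it runs on any POSIX sh; the real sensor also wraps its output in <finding> tags, which this example leaves to the caller.

```shell
#!/bin/sh
# Added example, not the BMC disa-GEN000460 sensor: evaluate loginretries per
# user from an AIX-style /etc/security/user stanza file, skipping the users
# named in an exclusion list. Parses the file directly instead of calling
# lsuser so it runs anywhere; the sample content below is constructed.

SAMPLE_USERFILE="${TMPDIR:-/tmp}/sample_security_user.$$"
trap 'rm -f "$SAMPLE_USERFILE"' EXIT

# Constructed stand-in for /etc/security/user: "*" starts a comment, "name:"
# opens a stanza, and a user without loginretries inherits the default stanza.
cat > "$SAMPLE_USERFILE" <<'EOF'
* constructed sample, not a real system file
default:
        admin = false
        loginretries = 3
        maxage = 13

root:
        admin = true
        loginretries = 0

alice:
        admin = false

bob:
        loginretries = 5

carol:
        loginretries = 2

dave:
        loginretries = abc
EOF

# gen000460_findings FILE EXCLUDE
#   FILE    stanza file to evaluate
#   EXCLUDE comma-separated user names to skip (e.g. "root" or "root,oracle")
# Prints one line per non-compliant user; prints nothing when all comply.
# loginretries must be an integer from 1 to 3; 0 or unset means AIX never
# locks the account after failed logins, so both are reported.
gen000460_findings() {
    awk -v exclude="$2" '
    BEGIN {
        n = split(exclude, ex, ",")
        for (i = 1; i <= n; i++) if (ex[i] != "") skip[ex[i]] = 1
    }
    /^\*/ || /^[ \t]*$/ { next }                       # comment or blank line
    /^[^ \t*].*:[ \t]*$/ {                              # "name:" opens a stanza
        sub(/:[ \t]*$/, "")
        stanza = $0
        order[++count] = stanza
        next
    }
    stanza != "" && $1 == "loginretries" && $2 == "=" { val[stanza] = $3 }
    END {
        def = ("default" in val) ? val["default"] : ""
        for (i = 1; i <= count; i++) {
            u = order[i]
            if (u == "default" || (u in skip)) continue
            if (u in val) { v = val[u]; src = "stanza" }
            else          { v = def;    src = "default" }
            if (v !~ /^[0-9]+$/ || v + 0 < 1 || v + 0 > 3)
                printf "%s loginretries=%s (%s)\n", u, (v == "" ? "unset" : v), src
        }
    }' "$1"
}

# gen000460_count FILE EXCLUDE: number of findings, 0 when compliant
gen000460_count() {
    gen000460_findings "$1" "$2" | awk 'END { print NR }'
}

echo "Findings with root excluded:"
gen000460_findings "$SAMPLE_USERFILE" root
echo "Findings with nobody excluded:"
gen000460_findings "$SAMPLE_USERFILE" ""
```

With the sample above and root excluded, only bob (5 retries) and dave (non-numeric value) are reported; alice is compliant because she inherits the default of 3. Passing an empty exclusion list makes root's 0 show up as a finding, which is the behaviour Jeff wants to avoid. The same idea carries over to the sensor script: the exclusion test belongs at the point where each per-user value is examined, so excluded users are never written to the findings file rather than being filtered out of the report afterwards.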