Re: auid=0
On Monday, August 03, 2015 02:11:31 PM rshaw1(a)umbc.edu wrote:
Comparing the "official" STIG content with the
scap-security-guide
content, the former seems to have added corresponding rules for "-F
auid=0" that aren't present in scap-security guide. i.e. where
scap-security-guide will just have one rule:
-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F
auid!=4294967295 -k delete
the official content will have the above plus:
-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
Is the addition necessary?
Does the official STIG allow root logins? If so, I think that is a big mistake
and should be fixed. If it does not allow root logins, then the only way I can
think of having auid to be 0 is for root cron jobs.
It doesn't seem to be, as the rules caught root usage of, for
example, chmod
just fine without it (I had used su; not sure if there's a difference between
that and other ways of being root.) I would like to make sure I'm right
before asking one group or the other to delete or add it, respectively.
Perhaps they consider root cronjobs to be an attack vector?
-Steve