Restrict the list of accepted shells in no_shelllogin_for_systemaccounts #11896
Conversation
There were already long discussions in the past about the cons of using /bin/false. More recently the topic was also discussed in CIS community and unanimously agreed to use /sbin/nologin for a user shell when it is not desired the respective user to interact with shell. This is also in alignment with STIG recommendations. In addition, is the approach in all other related rules in the project. Therefore, this OVAL was updated to the minimal list of shells.
marcusburghardt
added
OVAL
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit a936357 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
/test images |
|
I'm waving the Automatus failures on SLE15 as they pass locally. |
Description:
There were already long discussions in the past about the cons of using
/bin/false.More recently the topic was also discussed in CIS Community and unanimously agreed to use
/sbin/nologinfor a user shell when it is not desired the respective user to interact with a shell.This is also in alignment with STIG recommendations.
In addition, the approach is in all other related rules in the project.
Therefore, this OVAL was updated to the minimal list of shells.
Rationale:
Review Hints:
automatus tests should be enough.