Another change pointed out by Tomas Heinrich, originally intended
against USGCB content, but it's applicable to SSG content too, hence
this post.
When checking /etc/passwd, it's still possible (though hopefully
not so likely these days) that administrators would keep the hashed
passwords in the /etc/passwd file directly (probably as a temporary
output / result of a pwunconv utility run?) instead of storing them
in the /etc/shadow file (as recommended by another rule).
The current / existing OVAL check implementation expects (allows) only one
character ('x') to be present in the second column of /etc/passwd (where
password entries are intended to be stored).
But in case /etc/passwd contains direct hashed password entries, the
current implementation succeeds for non-root users having UID 0 (IOW it
succeeds for cases when there are more users with UID 0), even when
it should fail.
The proposed change modifies the particular regular expression to allow /
accept also cases where the password is longer than just one character, thus
changing the original (regex) form from:
^(?!root:)[^:]*:[^:]:0
to:
^(?!root:)[^:]*:[^:]*:0
Besides this change, it modifies the wording of the related comments (so
they are more appropriate).
It also uses this opportunity to use the shared/ OVAL check version for
this rule for Fedora content too (tested on Fedora).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
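A small check of the two regular expressions quoted in the mail above, as an added example that is not part of the original message or of the SSG/OVAL content: it applies each pattern line by line to a constructed /etc/passwd sample and returns the non-root accounts each pattern flags, beside a plain field-based parse used as the reference. The account names, the hash string and the function names (`extra_uid0_users`, `uid0_by_fields`) are constructed for this example; testing one line at a time is a simplification chosen here, not a statement about how the OVAL probe iterates the file.

```python
import re

# The two patterns exactly as quoted in the mail: the original form and
# the proposed replacement. Python's re supports the negative lookahead
# used there, so the comparison can be run without any OVAL tooling.
OLD_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]:0")
NEW_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]*:0")

# Constructed /etc/passwd sample (not copied from any real system).
# 'toor' is a second UID 0 account with the usual 'x' placeholder.
# 'backup' is a second UID 0 account whose hash sits directly in the
# password field, as it would after a pwunconv run. The hash value is
# a made-up SHA-512-crypt style string and contains no ':'.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "toor:x:0:0:second root:/root:/bin/bash\n"
    "backup:$6$saltsalt$k3Nn6bQ8wv0XyLp2uJ5m9Rt4sD1hF7gC0eZ8aV3iB6oY2qW5nM1xK4jH8lP9"
    ":0:0:hash kept in passwd:/root:/bin/bash\n"
    "nobody:x:65534:65534:Nobody:/:/sbin/nologin\n"
)


def extra_uid0_users(passwd_text, pattern):
    """Return the account names (in file order) that `pattern` flags.

    Each line is matched on its own, so `^` in the pattern anchors to the
    start of that line. The account name is the first colon-separated field.
    """
    return [line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if pattern.match(line)]


def uid0_by_fields(passwd_text):
    """Reference answer: non-root accounts whose UID field is exactly '0'.

    This parses the fields instead of using a regex, so it is independent
    of what the password field contains.
    """
    result = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] != "root" and fields[2] == "0":
            result.append(fields[0])
    return result


if __name__ == "__main__":
    print("old pattern flags:", extra_uid0_users(SAMPLE_PASSWD, OLD_PATTERN))
    print("new pattern flags:", extra_uid0_users(SAMPLE_PASSWD, NEW_PATTERN))
    print("field-based reference:", uid0_by_fields(SAMPLE_PASSWD))
```

On this sample the old pattern reports only `toor` and silently passes over `backup`, because `[^:]` accepts exactly one character in the password field; the proposed `[^:]*` reports both, agreeing with the field-based parse. Note that both patterns as quoted stop at `:0` with no terminating colon; the field-based parse is a useful cross-check if the full pattern in the OVAL content is likewise unterminated.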