From e109e3f04740f6885f1389deb3b57005399dc140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 12 Jul 2023 14:38:16 +0200 Subject: [PATCH 01/13] Check only local users home directories The rule `accounts_user_interactive_home_directory_exists` states in rationale that we need to ensure that home directories of interactive users exist. The text indicates that this requirement is relevant to local interactive users. However, the current implementation of the OVAL check uses the `unix:password_object` element, which also returns non-local (LDAP) users, because the implementation of OpenSCAP makes use of the `getpwent()` system call, which browses all users provides by the NSS. In this commit, we will change the implementation so that only local interactive users will be considered. We will achieve this by parsing the data directly from `/etc/passwd` using the OVAL `ind:textfilecontent54_object` instead of using the `unix:password_object`. Also, the rule description is clarified. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../oval/shared.xml | 4 +- .../rule.yml | 2 +- shared/macros/10-oval.jinja | 48 ++++++++++++++++++- 3 files changed, 50 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml index 56b33964806..bb86d40e0f3 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml 
@@ -10,13 +10,13 @@ {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_object) }}} - diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml index e58fb7dd058..6811bb1c26b 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -5,7 +5,7 @@ prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15, title: 'All Interactive Users Home Directories Must Exist' description: |- - Create home directories to all interactive users that currently do not + Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
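Review bot: The object produced by `create_local_interactive_users_home_dirs_list_object` is an `ind:textfilecontent54_object`, so any consumer of `interactive_users_object` now has to read the home directory from the item's `subexpression` field instead of the `home_dir` field a `unix:password_object` item carried; that consumer (the local_variable/test referencing this object) lies outside the hunk, and the content of the removed `-` line is not visible in this extraction, so confirm it was updated as well. A one-line comment next to the macro call, e.g. `{{# local users only: parsed from /etc/passwd, items expose the home dir as subexpression #}}`, would spare the next reader the trip to 10-oval.jinja.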
$ sudo mkdir /home/USER
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 36378600ce9..56fa39cae3c 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1077,8 +1077,9 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{# - Extract from /etc/passwd a list composed of password objects related to non-system UIDs. + Extract from system password database a list composed of password objects related to non-system UIDs. This list is then filtered to exclude some special usernames and users with /sbin/nologin shell. + The list includes non-local (LDAP) users, because the implementation of "unix:password_object" in OpenSCAP makes use of getpwent(), which browses all users provided by the NSS. The macro receives a string as parameter, which is used as the password_object id in the rule. 
@@ -1109,6 +1110,51 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} +{{# + Extract from /etc/passwd a list of home directories of local interactive users. + The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. + + Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object". + + The macro receives a string as parameter, which is used as the textfilecontent54_object ID in the rule. + +:param object_id: Object ID to be created. +:type object_id: str + +#}} +{{%- macro create_local_interactive_users_home_dirs_list_object(object_id) -%}} + + + + /etc/passwd + + + 1 + + + + + + ^(?: + + :)(?:[^:]*:){4}([^:]+):[^:]*$ + + + + + + /etc/passwd + ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!\/sbin\/nologin)[^:]*$ + 1 + state_{{{ rule_id }}}_users_ignored + + + {{%- set ignored_users_list="(nobody|nfsnobody)" %}} + + ^{{{ ignored_users_list }}}$ + + +{{%- endmacro %}} {{# Extract from /etc/passwd a list composed of password objects related to system UIDs. From 81399e080469e966c8a67e194f68a0ab4535f103 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 13 Jul 2023 16:01:31 +0200 Subject: [PATCH 02/13] Fix a wrong data type --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 56fa39cae3c..15feee0f825 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1133,7 +1133,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo - + ^(?: From 3f6cdbc3ab4a3cb08cd85cf4a71812fbd4b8d498 Mon Sep 17 00:00:00 2001 
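Review bot: The users pattern `^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!\/sbin\/nologin)[^:]*$` excludes only a shell field that begins with `/sbin/nologin`, so accounts whose shell is `/usr/sbin/nologin` (the path on Debian-family products) or `/bin/false` are still classified as interactive and will be evaluated by every rule built on this macro. If the intent is parity with the old password_object macro that is defensible but should be stated in the macro header; otherwise widen the lookahead, e.g. `(?!\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)`. The `\d{4,}` clause hard-codes UID_MIN=1000 and also admits 65534, which is the only reason the `^(nobody|nfsnobody)$` exclude filter is needed — both facts belong in a comment above the pattern. The user name captured from /etc/passwd is concatenated unescaped into the per-user regex of the local_variable, so a name containing regex metacharacters (a trailing `$` on machine accounts, for instance) will silently never match and that account is skipped; the OVAL element attributes are stripped in this extraction, so also confirm the `instance` element of the users object uses `operation="greater than or equal"`, since a plain `1` would evaluate only the first matching user.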
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 13 Jul 2023 17:47:16 +0200 Subject: [PATCH 03/13] Refactor OVAL code Extract the internal part of the create_local_interactive_users_home_dirs_list_object macro to a new low-level macro so that it could be used later in new similar high-level macros. --- shared/macros/10-oval.jinja | 77 ++++++++++++++++++++++++++++++++----- 1 file changed, 68 insertions(+), 9 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 15feee0f825..9ae2b93681d 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1111,7 +1111,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} {{# - Extract from /etc/passwd a list of home directories of local interactive users. + Extract from /etc/passwd a list of specified fields of local interactive users. The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object". 
@@ -1120,42 +1120,101 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param object_id: Object ID to be created. :type object_id: str +:param second_literal_component_regex: regex in the second literal_component of the concat element of the local variable that forms the regex describing an username row +:type second_literal_component_regex: str #}} -{{%- macro create_local_interactive_users_home_dirs_list_object(object_id) -%}} +{{%- macro create_local_interactive_users_object(object_id, second_literal_component_regex) -%}} + /etc/passwd - + 1 - + ^(?: - - :)(?:[^:]*:){4}([^:]+):[^:]*$ + + {{{ second_literal_component_regex }}} - + /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!\/sbin\/nologin)[^:]*$ 1 - state_{{{ rule_id }}}_users_ignored + state_{{{ object_id }}}_users_ignored {{%- set ignored_users_list="(nobody|nfsnobody)" %}} - + ^{{{ ignored_users_list }}}$ {{%- endmacro %}} +{{# + Extract from /etc/passwd a list of home directories of local interactive users. + The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. + + Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object". + + The macro receives a string as parameter, which is used as the textfilecontent54_object ID in the rule. + +:param object_id: Object ID to be created. +:type object_id: str + +#}} +{{%- macro create_local_interactive_users_home_dirs_list_object(object_id) -%}} +{{{ create_local_interactive_users_object( + object_id=object_id, + second_literal_component_regex="):(?:[^:]*:){4}([^:]+):[^:]*$") }}} +{{%- endmacro %}} + + +{{# + Extract from /etc/passwd a list of User IDs of local interactive users. 
+ The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. + + Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object". + + The macro receives a string as parameter, which is used as the textfilecontent54_object ID in the rule. + +:param object_id: Object ID to be created. +:type object_id: str + +#}} +{{%- macro create_local_interactive_users_uids_list_object(object_id) -%}} +{{{ create_local_interactive_users_object( + object_id=object_id, + second_literal_component_regex=":)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$") }}} +{{%- endmacro %}} + + +{{# + Extract from /etc/passwd a list of Group IDs of local interactive users. + The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. + + Unlike macro create_interactive_users_list_object, this macro gives list that contains only local users, because it doesn't use the OVAL "unix:password_object" element, but it merely parses /etc/passwd using "ind:textfilecontent54_object". + + The macro receives a string as parameter, which is used as the textfilecontent54_object ID in the rule. + +:param object_id: Object ID to be created. +:type object_id: str + +#}} +{{%- macro create_local_interactive_users_gids_list_object(object_id) -%}} +{{{ create_local_interactive_users_object( + object_id=object_id, + second_literal_component_regex=":)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$") }}} +{{%- endmacro %}} + {{# Extract from /etc/passwd a list composed of password objects related to system UIDs. This list is then filtered to exclude some special usernames. From 6032b2997465bf75ce72f7471f9a4c7929188f7b Mon Sep 17 00:00:00 2001 
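Review bot: The three `second_literal_component_regex` values are inconsistent about where the closing parenthesis of the username group sits: the home-dirs wrapper passes `"):(?:[^:]*:){4}([^:]+):[^:]*$"` while the uids and gids wrappers pass `":)..."`. After concatenation with the `^(?:` prefix both forms match the same rows, but the asymmetry reads like a typo and makes the three regexes hard to compare side by side; use `second_literal_component_regex=":)(?:[^:]*:){4}([^:]+):[^:]*$"` in `create_local_interactive_users_home_dirs_list_object` too. Because the later commits in this series call the low-level macro twice within one rule, every id the macro derives (the state here is now `state_{{{ object_id }}}_users_ignored`, but presumably also the inner users object and the local_variable) must be keyed on object_id rather than rule_id — those other ids are not visible in this extraction, so confirm they were changed in the same way. Each invocation also re-parses /etc/passwd into its own users object; harmless, but worth a sentence in the macro header so nobody "deduplicates" it into a shared id later.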
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 08:50:10 +0200 Subject: [PATCH 04/13] Change OVAL in accounts_users_home_files_groupownership Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../oval/shared.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml index 1633d79bd18..8de8b3263eb 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml @@ -7,19 +7,21 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} + {{%- set interactive_users_gids_object = "object_" ~ rule_id ~ "_gids" -%}} + {{{ create_local_interactive_users_gids_list_object(interactive_users_gids_object) }}} - + - + From b5d916f1b6e3a1d0b7ba188d843d7e320551e3fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 09:00:10 +0200 Subject: [PATCH 05/13] Change OVAL in accounts_user_dot_group_ownership Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../oval/shared.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
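Review bot: With separate `_home_dirs` and `_gids` objects the test can only assert that a file's group owner is in the set of all local interactive users' GIDs, not that it equals the primary GID of the user who owns that particular home directory, so a file in alice's home group-owned by bob's primary group passes. The previous password_object version very likely had the same limitation, since OVAL variables do not correlate fields across items, so this is not a regression, but the rule description should describe the check that is actually performed. The test element and the variable that consume these two objects are outside the hunk.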
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml index d65a411617c..18deed7df09 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml @@ -7,19 +7,21 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} + {{%- set interactive_users_gids_object = "object_" ~ rule_id ~ "_gids" -%}} + {{{ create_local_interactive_users_gids_list_object(interactive_users_gids_object) }}} - + - + From 470cbf8427debaa4b2035c889edc0a910bd0f37c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 09:16:55 +0200 Subject: [PATCH 06/13] Change OVAL in accounts_users_home_files_permissions Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../accounts_users_home_files_permissions/oval/shared.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml index e126b8bf053..94bf720a340 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml 
@@ -9,13 +9,13 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} - + From 5d536cdfafe245fd2251ef6c90a732af389fbfa1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 09:29:19 +0200 Subject: [PATCH 07/13] Change OVAL in accounts_umask_interactive_users Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../accounts_umask_interactive_users/oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml index 2331e6ccbec..55df15ebecc 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml @@ -8,11 +8,11 @@ {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_object) }}} - From 0448117a2d21d4cceb51808e382f118c06208f64 Mon Sep 17 00:00:00 2001 
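Review bot: The umask rule keeps the old variable name and id suffix, `{{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}}`, while the sibling rules touched in this series renamed theirs to `interactive_users_home_dirs_object` / `"_home_dirs"` when switching to the home-dirs macro. Since the object now holds home directories rather than password items, renaming it here as well, `{{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}}`, keeps the id meaningful and the rules grep-able as a group. The consumer of the object is outside the hunk and would need the matching rename.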
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 09:41:05 +0200 Subject: [PATCH 08/13] Change OVAL in accounts_user_dot_user_ownership Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../oval/shared.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml index b1bcee27ea8..6cd8b2bfc0a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml @@ -7,19 +7,21 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} + {{%- set interactive_users_uids_object = "object_" ~ rule_id ~ "_uids" -%}} + {{{ create_local_interactive_users_uids_list_object(interactive_users_uids_object) }}} - + - + From 1dcf0089902acccedc63fe819a431c16e17dfbdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 09:49:58 +0200 Subject: [PATCH 09/13] Change OVAL in file_permissions_home_directories Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../file_permissions_home_directories/oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
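Review bot: Splitting the lookup into `_home_dirs` and `_uids` objects means the ownership check reduces to "the dot-file's owner UID is some local interactive user's UID", not "the owner is the user whose home directory contains the file", so a dot-file owned by another interactive user is accepted. That is probably unchanged from the password_object implementation, where the two fields were already consumed as independent sets, but it is worth a short comment next to the two macro calls, e.g. `{{# uids and home dirs are independent sets; OVAL cannot pair a home dir with its owner #}}`, so the limitation is not mistaken for a bug later. The test and variable using these objects lie outside the hunk.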
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml index 439dce19d2b..7b79bef5e76 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml @@ -8,12 +8,12 @@ {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_object) }}} - + From 8e51103b4ce4590ac8cd79bb7592035171caf9fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 10:02:19 +0200 Subject: [PATCH 10/13] Change OVAL in file_groupownership_home_directories Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../oval/shared.xml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml index 9da1164d5f9..7948b92dab0 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml 
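Review bot: `file_permissions_home_directories` keeps the `"_objects"` id suffix and the `interactive_users_object` name for what is now a list of home directories, whereas the other rules converted in this series use `interactive_users_home_dirs_object` and `"_home_dirs"`. Renaming it to `{{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}}` keeps the generated OVAL ids consistent across the converted rules; the reference to the object further down is outside the hunk and would need the same rename.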
@@ -7,18 +7,20 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} + {{%- set interactive_users_gids_object = "object_" ~ rule_id ~ "_gids" -%}} + {{{ create_local_interactive_users_gids_list_object(interactive_users_gids_object) }}} - + - + From 07e0b4d63c664f54f219ac42a3e73ff7c14ddcef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 10:14:47 +0200 Subject: [PATCH 11/13] Change OVAL in file_ownership_home_directories Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791 --- .../file_ownership_home_directories/oval/shared.xml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml index 366c0a88563..67d18e0fe36 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml 
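Review bot: The home-directory group-ownership check now draws from two uncorrelated lists, so it passes as long as a home directory's group is the primary GID of any local interactive user, not necessarily its owner's. If that is the accepted semantics (it presumably already was with the password_object version), say so in the rule description rather than leaving it implicit; if a strict per-user pairing is wanted, OVAL cannot express it with independent variables and the check would need a different structure. The test element consuming these objects is outside the hunk.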
@@ -13,8 +13,10 @@ - {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} - {{{ create_interactive_users_list_object(interactive_users_object) }}} + {{%- set interactive_users_home_dirs_object = "object_" ~ rule_id ~ "_home_dirs" -%}} + {{{ create_local_interactive_users_home_dirs_list_object(interactive_users_home_dirs_object) }}} + {{%- set interactive_users_uids_object = "object_" ~ rule_id ~ "_uids" -%}} + {{{ create_local_interactive_users_uids_list_object(interactive_users_uids_object) }}} - + - + From e0bd59531387ec1f1296fa2359ed74ed9573b5b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 14 Jul 2023 10:39:00 +0200 Subject: [PATCH 13/13] Add an explanatory comment --- shared/macros/10-oval.jinja | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 9ae2b93681d..53b0c143f79 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1147,6 +1147,12 @@ Generates the :code:`` tag for OVAL check using correct product platfo /etc/passwd + ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!\/sbin\/nologin)[^:]*$ 1 state_{{{ object_id }}}_users_ignored
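Review bot: As with the group-ownership rule, separate `_home_dirs` and `_uids` objects make this an "owner is some local interactive user" check rather than "owner is the user this home directory belongs to", so a home directory chowned to another interactive user still passes. This likely matches the previous behaviour, since the old password_object fields were consumed as independent sets, but a comment at the macro calls stating the limitation would prevent it being read as a bug; the test that consumes these two objects starts outside the hunk.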