
The no_shelllogin_for_systemaccounts rule has an incorrect regex: when looking for UID min/max, the entire /etc/login.defs file is output. #12264

Open
MissingThumb opened this issue Aug 2, 2024 · 0 comments


Description of problem:

no_shelllogin_for_systemaccounts has OVAL definitions for finding SYS_UID_MIN and SYS_UID_MAX and a couple of others, but in the actual generated report, the entirety of the /etc/login.defs file is output to the report's content box.

SCAP Security Guide Version:

I always just pull the most recent update of the repo to work with, but it should be something across versions, as I have seen no mention of it.

Operating System Version:

In this case, my test scan was run on Fedora 40, but any OS would have the same regex issue.

Steps to Reproduce:

  1. Create a test policy with only the no_shelllogin_for_systemaccounts rule added.
  2. Run the scan on a system.
  3. In the output, it may say that it passed, but if you look at the details of the pass, you'll notice that where it wants to check the UID_MIN/MAX, it outputs a large amount of text.
  4. It also says it fails to check the UID, but the rule itself can still go forward and pass based on the shells of users.

Actual Results:

In this case we have the table output to the report.html with the following information. At the end, where Content should go, it outputs the entire login.defs file up until the variable you add, as shown below:

| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/login.defs | (entire file up to `SYS_UID_MIN 201`, reproduced below) |

```
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# REQUIRED
# Directory where mailboxes reside, or name of file, relative to the
# home directory. If you do define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
```

Expected Results:

It should mention that it looks in the /etc/login.defs file, and return either the UID or that the UID has been matched.

Additional Information/Debugging Steps:

This is the correct regex, currently from a bash script I used for testing. I have not committed to a repo this large before, so I'm a bit hesitant, but these lines should be correct, and when run and used for a scan the output looks good, so it should just be a change to those specific lines and that's it.

```bash
cd /home/mnt/Input/content/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval

# The sed scripts are single-quoted so the shell leaves the XML attribute quotes and
# the $ anchor alone; GNU sed strips one backslash from the inserted text, so \\n, \\s
# and \\d in the script become \n, \s and \d in shared.xml. Each pair inserts the new
# <ind:pattern> line above the old one, then deletes the old line (now shifted down by one).

# UID_MIN pattern
sed -i '48i\ <ind:pattern operation="pattern match">.(?:^|\\n)\\sUID_MIN[\\s]+(\\d+)\\s*(?:$|\\n)</ind:pattern>' shared.xml
sed -i '49d' shared.xml

# SYS_UID_MIN pattern
sed -i '58i\ <ind:pattern operation="pattern match">.(?:^|\\n)\\sSYS_UID_MIN[\\s]+(\\d+)\\s*(?:$|\\n)</ind:pattern>' shared.xml
sed -i '59d' shared.xml

# SYS_UID_MAX pattern
sed -i '67i\ <ind:pattern operation="pattern match">.(?:^|\\n)\\sSYS_UID_MAX[\\s]+(\\d+)\\s*(?:$|\\n)</ind:pattern>' shared.xml
sed -i '68d' shared.xml
```

Also, I have not submitted an issue to git before, so if there are any issues with the information I gave or the code itself, feel free to let me know.
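Added illustration, not part of the issue or of the rule's actual OVAL: the script below runs two patterns over a constructed login.defs excerpt and reports what an OVAL textfilecontent item would place in its text (whole match) and subexpression (capture group) fields. The SPANNING pattern is a hypothetical stand-in for a regex whose match may begin before the key; it reproduces the symptom in Actual Results (a capture that looks right, but a text that spans the file up to the key), and because the sample also contains a commented-out SYS_UID_MIN it additionally shows that such a pattern can capture the wrong value, while the line-anchored pattern reports one line and the real value.

```python
import re

# Constructed excerpt of /etc/login.defs (not taken from any real system).
# The commented-out SYS_UID_MIN line is included to show why anchoring matters.
LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
#SYS_UID_MIN               999
SYS_UID_MIN               201
SYS_UID_MAX               999
"""

# Hypothetical pattern (not the rule's regex): the match may start anywhere
# before the key, so the whole match, which is what OVAL reports as <text>,
# runs from the start of the file, and the first SYS_UID_MIN it meets is the
# commented-out one.
SPANNING = re.compile(r"(?s).*?SYS_UID_MIN\s+(\d+)")

# Line-anchored pattern: [ \t] instead of \s keeps the match on a single line
# (\s would let ^\s* swallow preceding blank lines), and a leading '#' cannot
# match, so commented-out settings are ignored.
ANCHORED = re.compile(r"^[ \t]*SYS_UID_MIN[ \t]+(\d+)[ \t]*$", re.MULTILINE)


def evaluate(pattern, text):
    """Return (text, subexpression) as an OVAL textfilecontent item would
    report them, or None when the pattern does not match at all."""
    m = pattern.search(text)
    if m is None:
        return None
    return m.group(0), m.group(1)


def match_is_single_line(pattern, text):
    """True when the reported <text> is confined to one line of the file."""
    result = evaluate(pattern, text)
    return result is not None and "\n" not in result[0]


if __name__ == "__main__":
    for name, pat in (("spanning", SPANNING), ("anchored", ANCHORED)):
        text, value = evaluate(pat, LOGIN_DEFS)
        lines = text.count("\n") + 1
        print(f"{name}: subexpression={value} text spans {lines} line(s)")
```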
