Check only local users home directories #10825
Conversation
QUESTION: This rule used to use macro
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists'.
--- xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
+++ xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
@@ -3,7 +3,7 @@
All Interactive Users Home Directories Must Exist
[description]:
-Create home directories to all interactive users that currently do not
+Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER |
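Review bot: the remediation text at the end of this hunk still instructs `$ sudo mkdir /home/USER`, which hardcodes the home path under /home, while the rest of the sentence (and the reworked check) refers to "the user home directory assigned in /etc/passwd"; a local interactive user whose passwd home field points elsewhere (for example under /var/lib) would get a directory the check never looks at. Suggest wording the command in terms of the path recorded in the sixth field of /etc/passwd rather than a fixed /home/USER, and, since the description now says "local interactive users", adding one clause stating that "local" means accounts listed in /etc/passwd (as opposed to users only visible through NSS), so the description matches what the check actually evaluates.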
Hello @jan-cerny and thank you. I have a concern. Previously, we checked for the user ID as well so that it is not below 1000. I think that this check is missing from the implementation. Could you add it back?
@jan-cerny I have quickly analyzed rules which use the create_interactive_users_list_object macro.
@vojtapolasek It's still there, but it's implemented in a hackish way. The regular expression
@jan-cerny That sounds reasonable for now. Maybe it is worth creating upstream RFE to enhance it in future.
I have performed a similar change in other rules. To do that, the OVAL macro has been refactored even more, which leads to the situation that there are now 3 new macros for working with local interactive users: 1. macro retrieving home directories paths, 2. macro retrieving UIDs, 3. macro retrieving GIDs.
I have reported the problem as RFE in #10845 |
The rule `accounts_user_interactive_home_directory_exists` states in rationale that we need to ensure that home directories of interactive users exist. The text indicates that this requirement is relevant to local interactive users. However, the current implementation of the OVAL check uses the `unix:password_object` element, which also returns non-local (LDAP) users, because the implementation of OpenSCAP makes use of the `getpwent()` system call, which browses all users provided by the NSS.

In this commit, we will change the implementation so that only local interactive users will be considered. We will achieve this by parsing the data directly from `/etc/passwd` using the OVAL `ind:textfilecontent54_object` instead of using the `unix:password_object`. Also, the rule description is clarified.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791
Extract the internal part of the create_local_interactive_users_home_dirs_list_object macro to a new low-level macro so that it could be used later in new similar high-level macros.
Change the check so that only local interactive users will be considered by the OVAL check. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791
I have rebased this PR on the top of the latest upstream master branch.
Code Climate has analyzed commit e0bd595 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.0% change).
Looks great, thank you for this @jan-cerny .
The rule `accounts_user_interactive_home_directory_exists` states in rationale that we need to ensure that home directories of interactive users exist. The text indicates that this requirement is relevant to local interactive users. However, the current implementation of the OVAL check uses the `unix:password_object` element, which also returns non-local (LDAP) users, because the implementation of OpenSCAP makes use of the `getpwent()` system call, which browses all users provided by the NSS.

In this commit, we will change the implementation so that only local interactive users will be considered. We will achieve this by parsing the data directly from `/etc/passwd` using the OVAL `ind:textfilecontent54_object` instead of using the `unix:password_object`. Also, the rule description is clarified.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2203791
Then, a similar change has been done also in these rules:
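The distinction the PR turns on (reading /etc/passwd directly versus walking every NSS source through getpwent()) and the UID filter raised in the review can be shown in a few lines of Python. The script below is an added example written for this page; it is not ComplianceAsCode's OVAL nor OpenSCAP code. It assumes, as the review thread implies, that an "interactive" account is one with a UID of 1000 or above, and it additionally excludes the 65534 nobody UID, which the thread does not discuss. The passwd content is a constructed sample, and the check runs against a temporary directory tree instead of the real filesystem so it is safe to execute anywhere.

```python
"""Added example (not ComplianceAsCode's own code): list local interactive
users by parsing /etc/passwd and report those whose home directory is missing,
mirroring the intent of the reworked OVAL check in this PR.
"""
import os
import re
import tempfile

# Assumption: interactive accounts have UID >= 1000; 65534 (nobody) is a
# system account and is excluded. Both bounds are this example's choice.
UID_MIN = 1000
UID_NOBODY = 65534

# Constructed sample of /etc/passwd content (not captured from a real host).
# carol has an empty home field, the case the rule text calls "no home
# directory assigned".
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol::/bin/bash
svc:x:999:999:service account:/var/lib/svc:/usr/sbin/nologin
"""

# One line of passwd: name:pw:uid:gid:gecos:home:shell. Like an OVAL
# ind:textfilecontent54_object pattern, the regex does the coarse UID cut
# (four or more digits, i.e. >= 1000); the exact range check is done
# numerically afterwards, which is what a regex alone makes awkward.
PASSWD_LINE = re.compile(r"^([^:]+):[^:]*:(\d{4,}):(\d+):[^:]*:([^:]*):[^:]*$")


def local_interactive_users(passwd_text):
    """Return (name, uid, gid, home) tuples for local interactive accounts.

    Only the supplied file content is consulted, so accounts that exist
    solely in LDAP/SSSD and are visible through NSS are never included.
    """
    users = []
    for line in passwd_text.splitlines():
        match = PASSWD_LINE.match(line)
        if not match:
            continue  # system account (short UID) or malformed line
        name, uid, gid, home = match.groups()
        uid, gid = int(uid), int(gid)
        if UID_MIN <= uid and uid != UID_NOBODY:
            users.append((name, uid, gid, home))
    return users


def missing_home_dirs(passwd_text, root="/"):
    """Return names of local interactive users whose home directory is
    absent or unset. `root` re-roots the lookup so tests can use a temp tree."""
    missing = []
    for name, _uid, _gid, home in local_interactive_users(passwd_text):
        if not home:
            missing.append(name)  # empty sixth field: nothing assigned at all
            continue
        path = os.path.join(root, home.lstrip("/"))
        if not os.path.isdir(path):
            missing.append(name)
    return missing


def nss_visible_user_count():
    """Contrast with the approach the PR moves away from: pwd.getpwall()
    wraps getpwent(), so it enumerates every NSS source (files, sss, ldap...),
    not just /etc/passwd. Linux-only; shown for comparison on a real host."""
    import pwd
    return len(pwd.getpwall())


def demo():
    """Run the check in a throwaway tree where only alice's home exists."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home", "alice"))
        return missing_home_dirs(SAMPLE_PASSWD, root=root)


if __name__ == "__main__":
    print("users considered:", [u[0] for u in local_interactive_users(SAMPLE_PASSWD)])
    print("missing home dirs:", demo())
```

On a host joined to a directory, comparing `len(local_interactive_users(open("/etc/passwd").read()))` with `nss_visible_user_count()` makes the original over-reporting concrete: the second number includes every remote account that NSS can resolve.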