From e5abfcbaaa348fa03ea85b63301fbf69b70736d8 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 3 Oct 2024 14:14:44 -0500 Subject: [PATCH 1/5] Update restrict_permissions_home_directories macros Make sure that script doesn't run on users that don't have proper home folder defined. This commit makes the script skip home folders defined as "/".
--- shared/macros/10-ansible.jinja | 1 + shared/macros/10-bash.jinja | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 075066c13ad..daaa56df608 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1372,6 +1372,7 @@ Part of the grub2_bootloader_argument_absent template. when:
 - item.value[1]|int >= {{{ uid_min }}}
 - item.value[1]|int != {{{ nobody_uid }}}
+ - item.value[4] != "/"
 - name: Ensure interactive local users have proper permissions on their respective home directories
 ansible.builtin.file:
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 36eab6193d7..b738dabdeff 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1427,7 +1427,7 @@ fi #}}
 {{%- macro bash_restrict_permissions_home_directories(recursive=false) -%}}
-for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}) print $6 }' /etc/passwd); do
+for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}} && "/" $6 != "/") print $6 }' /etc/passwd); do
 # Only update the permissions when necessary. This will avoid changing the inode timestamp when
 # the permission is already defined as expected, therefore not impacting in possible integrity
 # check systems that also check inodes timestamps.
From 3a5cf817ff9abaefccd4bcf9a892d6543189f787 Mon Sep 17 00:00:00 2001
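Review bot: The new condition is a literal string compare, so a home field of `//` (or an empty one) still satisfies it; the task these conditions belong to begins above the hunk, so what it does with such a value cannot be seen here. `- item.value[4] | regex_replace('/+$', '') != ""` keeps the intent and rejects both the empty and the repeated-slash forms in one line; a `/.` spelling would still need real path resolution, which a `when` cannot do. A short why-comment above the line, `# "/" as home means the account has no real home; never touch the root filesystem`, would also help the next reader.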
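Review bot: The added awk clause has no comment recording why a home of `/` is skipped, and the reason is safety: the loop body (outside this hunk) presumably chmods `$home_dir`, so without the filter an account whose passwd entry lists `/` would have the root directory's mode changed. A one-line comment above the `for`, `# Skip accounts whose home is "/" (no real home): the loop must never chmod the root directory`, would record that. Placing it above the loop rather than inline keeps it valid when the awk expression itself is revised, as it is later in this series.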
From: Matthew Burket Date: Thu, 3 Oct 2024 14:15:35 -0500 Subject: [PATCH 2/5] Update accounts_users_home_files_groupownership Remedations Make sure that script doesn't run on users that don't have proper home folder defined. This commit makes the script skip home folders defined as "/".
--- .../accounts_users_home_files_groupownership/ansible/shared.yml | 1 + .../accounts_users_home_files_groupownership/bash/shared.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
index b5f2a15b6f6..8d8bb75e954 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
@@ -24,6 +24,7 @@ when:
 - item.value[1]|int >= {{{ uid_min }}}
 - item.value[1]|int != {{{ nobody_uid }}}
+ - item.value[4] != "/"
 - name: Ensure interactive local users are the owners of their respective home directories
 ansible.builtin.file:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
index 4f69feb7cf1..8c65f743176 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
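Review bot: An account whose home field is empty still satisfies the new condition, since only the literal `/` is rejected; the task these conditions belong to begins above the hunk, so whether an empty value is handled further on cannot be seen here. `- item.value[4] not in ["", "/"]` keeps the intent of the commit and closes that case in place. `//` would still pass, as this is a string comparison rather than a path normalisation, and that limit is worth a one-line comment above the condition.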
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
-for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}) print $1 }' /etc/passwd); do
+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}} && $6 != "/") print $1 }' /etc/passwd); do
 home_dir=$(getent passwd $user | cut -d: -f6)
 group=$(getent passwd $user | cut -d: -f4)
 # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
From 571245cce11d502ced38b205375fc7810f3a1592 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 3 Oct 2024 14:15:47 -0500 Subject: [PATCH 3/5] Update accounts_users_home_files_ownership Remedations Make sure that script doesn't run on users that don't have proper home folder defined. This commit makes the script skip home folders defined as "/".
--- .../accounts_users_home_files_ownership/ansible/shared.yml | 1 + .../accounts_users_home_files_ownership/bash/shared.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
index 9f9c493dd97..b8306ff90b8 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
@@ -24,6 +24,7 @@ when:
 - item.value[1]|int >= {{{ uid_min }}}
 - item.value[1]|int != {{{ nobody_uid }}}
+ - item.value[4] != "/"
 - name: Ensure interactive local users are the owners of their respective home directories
 ansible.builtin.file:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
index 4b2502139e7..1c46cc50c69 100644
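Review bot: The `/` filter is evaluated on field 6 of /etc/passwd inside awk, but the value the loop really acts on is re-read two lines later from `getent passwd $user`, which goes through NSS and need not match the flat file; the guard belongs on `home_dir` itself. One line after the `home_dir=` assignment covers that and also `//` and an empty field: `[ -z "$home_dir" ] || [ "$home_dir" -ef / ] && continue`. Quoting `$user` in both `getent` calls would be a small style improvement on the same lines. The loop body continues past the end of the hunk.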
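Review bot: The third `when` entry carries no explanation of why `/` is excluded, which matters because the exclusion is deliberately left unremediated (the `remediation = none` tests later in this series) and a future reader may be tempted to "fix" it. A comment directly above the condition, `# "/" as home means no real home directory; this rule must never change ownership of the root filesystem`, records the intent. The task these conditions belong to starts above the hunk; note also that the comparison is literal, so `//` is not caught.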
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = low
-for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}) print $1 }' /etc/passwd); do
+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}} && $6 != "/") print $1 }' /etc/passwd); do
 home_dir=$(getent passwd $user | cut -d: -f6)
 # Only update the ownership when necessary. This will avoid changing the inode timestamp
 # when the owner is already defined as expected, therefore not impacting in possible integrity
From 390ccccb8f330d448a10197fe52dfd320e3156f2 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 7 Oct 2024 11:09:02 -0500 Subject: [PATCH 4/5] Fix bug in bash_restrict_permissions_home_directories
--- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index b738dabdeff..00e0925f2aa 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1427,7 +1427,7 @@ fi #}}
 {{%- macro bash_restrict_permissions_home_directories(recursive=false) -%}}
-for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}} && "/" $6 != "/") print $6 }' /etc/passwd); do
+for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}} && $6 != "/") print $6 }' /etc/passwd); do
 # Only update the permissions when necessary. This will avoid changing the inode timestamp when
 # the permission is already defined as expected, therefore not impacting in possible integrity
 # check systems that also check inodes timestamps.
From a7f140d814d99f3a4e7d9a8b1e71582245ed60d1 Mon Sep 17 00:00:00 2001
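Review bot: `$6 != "/"` rejects only the exact string, so `//` and an empty home field pass the awk filter and the user is then handed to the `getent`/`cut` line below. Since the filter already lives in awk, a regex normalises in place: change the clause to `&& $6 !~ /^\/*$/`, which drops both the empty and the any-number-of-slashes forms without touching the rest of the loop (its body continues past the hunk). `getent passwd "$user"` would also quote the expansion, which ShellCheck flags on the line as written.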
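Review bot: The corrected clause is a plain string compare on the passwd field, so `//`, or a home that is a symlink resolving to the root directory, still reaches the chmod in the loop body, which lies outside this hunk. A guard on the resolved path as the first statement of the loop is cheap and covers every spelling: `[ "$home_dir" -ef / ] && continue`. A one-line comment above the `for`, `# Never operate on "/": accounts without a real home list it as their directory`, would also record why the awk filter exists.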
From: Matthew Burket Date: Thu, 10 Oct 2024 13:10:23 -0500 Subject: [PATCH 5/5] Add tests to accounts_users_home_files_*ownership To show the rule will fail and will stay failing as remedating this situation doesn't make sense as change the permissions on / isn't a great idea.
--- .../tests/root_fs_home.fail.sh | 6 ++++++ .../tests/root_fs_home.fail.sh | 6 ++++++ 2 files changed, 12 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/root_fs_home.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/root_fs_home.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/root_fs_home.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/root_fs_home.fail.sh
new file mode 100644
index 00000000000..c895815369b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/root_fs_home.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+
+USER="cac_user"
+
+useradd -d"/" -M $USER
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/root_fs_home.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/root_fs_home.fail.sh
new file mode 100644
index 00000000000..c895815369b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/root_fs_home.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+
+USER="cac_user"
+
+useradd -d"/" -M $USER
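Review bot: `USER="cac_user"` shadows the standard `USER` environment variable and is then expanded unquoted in `useradd -d"/" -M $USER`; `username="cac_user"` followed by `useradd -M -d / "$username"` says the same thing without the shadowing, the odd `-d"/"` spelling, or the ShellCheck SC2086 warning. Both new test files are byte-identical, so the same applies to the second one. `# remediation = none` is the right marker here, since the remediations in this series deliberately skip a `/` home and the scenario must stay failing.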