Back to bug 2203791
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2023-05-15 09:20:05 UTC | Pool ID | sst_security_compliance_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2023-05-15 09:21:13 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-157207 | |
| Marko Myllynen | 2023-05-15 09:26:46 UTC | CC | myllynen | |
| Vojtech Polasek | 2023-05-18 08:03:10 UTC | Keywords | Triaged | |
| Julia Schindler | 2023-06-13 08:43:16 UTC | CC | juschind | |
| Jan Černý | 2023-07-11 09:09:55 UTC | Status | NEW | ASSIGNED |
| CC | jcerny | |||
| Assignee | wsato | jcerny | ||
| Jan Černý | 2023-07-14 14:55:06 UTC | Doc Type | If docs needed, set a value | Bug Fix |
| Doc Text | .Rules checking home directories apply only to local users Multiple compliance profiles provided by the `scap-security-guide` package contain rules checking the correct configuration of user home directories. Specifically, we are talking about these rules: - accounts_user_interactive_home_directory_exists - accounts_users_home_files_groupownership - accounts_user_dot_group_ownership - accounts_users_home_files_permissions - accounts_umask_interactive_users - accounts_user_dot_user_ownership - file_permissions_home_directories - file_groupownership_home_directories - file_ownership_home_directories - accounts_users_home_files_ownership Previously, these rules checked not only configuration of local users but they also evaluated configuration of remote users provided by network sources such as NSS. This behavior was caused by using the `getpwent()` system call in the OpenSCAP scanner. This behavior wasn't desired, behavior the remediation scripts weren't able to change the configuration of the remote users. Therefore, the internal implementation of the aforementioned rules has been changed to depend only on data present in the "/etc/passwd" file. That means no other sources of user metadata are read by the rules. As a result, the rules now consider only local users configuration. |
|||
| Jan Černý | 2023-07-17 15:49:38 UTC | Status | ASSIGNED | POST |
| Jiri Jaburek | 2023-07-28 13:18:03 UTC | Flags | needinfo?(jcerny) | |
| CC | jjaburek | |||
| Jan Černý | 2023-07-28 13:21:38 UTC | Flags | needinfo?(jcerny) | |
| RHEL Program Management Team | 2023-08-02 12:21:12 UTC | Blocks | 2228462 | |
| RHEL Program Management Team | 2023-08-02 12:21:21 UTC | Blocks | 2228463 | |
| RHEL Program Management Team | 2023-08-02 12:21:28 UTC | Keywords | ZStream | |
| Flos Qi Guo | 2023-08-04 04:26:54 UTC | CC | qguo | |
| Milan Lysonek | 2023-08-10 11:44:06 UTC | Fixed In Version | scap-security-guide-0.1.69-1.el9 | |
| Status | POST | MODIFIED | ||
| errata-xmlrpc | 2023-08-11 15:01:13 UTC | Status | MODIFIED | ON_QA |
| Milan Lysonek | 2023-08-16 08:26:08 UTC | Status | ON_QA | VERIFIED |
| Doc Text | .Rules checking home directories apply only to local users Multiple compliance profiles provided by the `scap-security-guide` package contain rules checking the correct configuration of user home directories. Specifically, we are talking about these rules: - accounts_user_interactive_home_directory_exists - accounts_users_home_files_groupownership - accounts_user_dot_group_ownership - accounts_users_home_files_permissions - accounts_umask_interactive_users - accounts_user_dot_user_ownership - file_permissions_home_directories - file_groupownership_home_directories - file_ownership_home_directories - accounts_users_home_files_ownership Previously, these rules checked not only configuration of local users but they also evaluated configuration of remote users provided by network sources such as NSS. This behavior was caused by using the `getpwent()` system call in the OpenSCAP scanner. This behavior wasn't desired, behavior the remediation scripts weren't able to change the configuration of the remote users. Therefore, the internal implementation of the aforementioned rules has been changed to depend only on data present in the "/etc/passwd" file. That means no other sources of user metadata are read by the rules. As a result, the rules now consider only local users configuration. | .Rules checking home directories apply only to local users Multiple compliance profiles provided by the `scap-security-guide` package contain rules checking the correct configuration of user home directories. Specifically, we are talking about these rules: - accounts_user_interactive_home_directory_exists - accounts_users_home_files_groupownership - accounts_user_dot_group_ownership - accounts_users_home_files_permissions - accounts_umask_interactive_users - accounts_user_dot_user_ownership - file_permissions_home_directories - file_groupownership_home_directories - file_ownership_home_directories - accounts_users_home_files_ownership Previously, these rules checked not only configuration of local users but they also evaluated configuration of remote users provided by network sources such as NSS. This behavior was caused by using the `getpwent()` system call in the OpenSCAP scanner. This behavior wasn't desired, behavior the remediation scripts weren't able to change the configuration of the remote users. Therefore, the internal implementation of the mentioned rules has been changed to depend only on data present in the "/etc/passwd" file. That means no other sources of user metadata are read by the rules. As a result, the rules now consider only local users configuration. | ||
| QA Contact | qe-baseos-security | mlysonek |
Back to bug 2203791