Bug 2157877

Summary: Definition of interactive and non-interactive users
Product: Red Hat Enterprise Linux 8
Reporter: Paulo Andrade <pandrade>
Component: scap-security-guide
Assignee: Marcus Burghardt <maburgha>
Status: CLOSED ERRATA
QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 8.6
CC: ggasparb, jcerny, jjaburek, maburgha, matyc, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Target Milestone: rc
Keywords: AutoVerified, Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Enhancement
Doc Text:
.Better definition of interactive users
The rules in the `scap-security-guide` package were improved to provide more consistent interactive user configuration. Previously, some rules used different approaches for identifying interactive and non-interactive users. With this update, we have unified the definitions of interactive users. User accounts with UID greater than or equal to 1000 are now considered interactive, with the exception of the `nobody` and `nfsnobody` accounts and with the exception of accounts that use `/sbin/nologin` as the login shell. This change affects the following rules:
* `accounts_umask_interactive_users`
* `accounts_user_dot_user_ownership`
* `accounts_user_dot_group_ownership`
* `accounts_user_dot_no_world_writable_programs`
* `accounts_user_interactive_home_directory_defined`
* `accounts_user_interactive_home_directory_exists`
* `accounts_users_home_files_groupownership`
* `accounts_users_home_files_ownership`
* `accounts_users_home_files_permissions`
* `file_groupownership_home_directories`
* `file_ownership_home_directories`
* `file_permissions_home_directories`
* `file_permissions_home_dirs`
* `no_forward_files`
Story Points: ---
Clone Of:
Clones: 2228433, 2228434
Environment:
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2228433, 2228434
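As an added example (not code from the scap-security-guide project or from this bug's participants), the following Python applies the unified definition from the Doc Text to constructed /etc/passwd lines and contrasts it with the UID-only heuristic the reporter describes below; the sample accounts (alice, svc_backup, bob, carol) are assumptions, not real users.

```python
# Added example (not scap-security-guide project code): classify passwd entries
# with the unified "interactive user" definition from the Doc Text, beside the
# older "uid >= 1000 and uid != 65534" heuristic quoted in the bug description.
from typing import List, Tuple

NON_INTERACTIVE_NAMES = {"nobody", "nfsnobody"}
NON_INTERACTIVE_SHELL = "/sbin/nologin"

# Constructed sample passwd content for offline use; not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001:Backup service:/var/lib/backup:/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
carol:x:1003:1003:Carol::/bin/bash
"""

def parse_passwd(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (name, uid, home, shell); skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        entries.append((f[0], int(f[2]), f[5], f[6]))
    return entries

def is_interactive_unified(name: str, uid: int, shell: str) -> bool:
    """Unified definition: UID >= 1000, not nobody/nfsnobody, not nologin."""
    return (uid >= 1000 and name not in NON_INTERACTIVE_NAMES
            and shell != NON_INTERACTIVE_SHELL)

def is_interactive_legacy(uid: int) -> bool:
    """UID-only heuristic the reporter observed in the old rule."""
    return uid >= 1000 and uid != 65534

def interactive_users(text: str, unified: bool = True) -> List[str]:
    """Names of interactive users under the chosen definition, in file order."""
    return [name for name, uid, _home, shell in parse_passwd(text)
            if (is_interactive_unified(name, uid, shell) if unified
                else is_interactive_legacy(uid))]

def interactive_users_without_home(text: str) -> List[str]:
    """Interactive users (unified) with an empty home field: the condition
    accounts_user_interactive_home_directory_defined is meant to catch."""
    return [name for name, uid, home, shell in parse_passwd(text)
            if is_interactive_unified(name, uid, shell) and not home]
```

Under the unified definition the nologin service account drops out of the interactive set, which is exactly the difference the reporter asked about.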

Description Paulo Andrade 2023-01-03 11:38:45 UTC
From my understanding, xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
understands an interactive user as one with "uid >= 1000 and uid != 65534".

Can you please clarify it? (possibly almost providing the response
to the query, this is also probably related to pam_succeed_if and/or
possibly pam_loginuid).

Also, the reason for this query is that a user would want it to
also check for users with something like /sbin/nologin as login shell
(or anything not in /etc/shells) as a non-interactive user. But
I see this is not a good idea.

Comment 5 Marcus Burghardt 2023-02-28 13:32:06 UTC
Patch is already merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10215

Comment 28 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056