Bug 2157877

Summary: Definition of interactive an non interactive users
Product: Red Hat Enterprise Linux 8 Reporter: Paulo Andrade <pandrade>
Component: scap-security-guideAssignee: Marcus Burghardt <maburgha>
Status: MODIFIED --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6CC: ggasparb, jcerny, jjaburek, maburgha, matyc, mhaicman, mlysonek, vpolasek, wsato
Target Milestone: rcKeywords: AutoVerified, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8 Doc Type: Enhancement
Doc Text:
.Better definition of interactive users The rules in the `scap-security-guide` package now provide a consistent experience regarding interactive users configuration. Previously, various rules used different approaches for identifying interactive and non-interactive users. Starting from this release, we have unified the definitions of interactive users. Users accounts with the UID greater than or equal 1000 are now considered interactive, with the exception of `nobody` and `nfsnobody` user accounts and with the exception of user accounts that use `/sbin/nologin` as the login shell. This change affects the following rules: - accounts_umask_interactive_users - accounts_user_dot_user_ownership - accounts_user_dot_group_ownership - accounts_user_dot_no_world_writable_programs - accounts_user_interactive_home_directory_defined - accounts_user_interactive_home_directory_exists - accounts_users_home_files_groupownership - accounts_users_home_files_ownership - accounts_users_home_files_permissions - file_groupownership_home_directories - file_ownership_home_directories - file_permissions_home_directories - file_permissions_home_dirs - no_forward_files
 Story Points: ---
Clone Of:
: 2228433 2228434 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2228433, 2228434    

Description Paulo Andrade 2023-01-03 11:38:45 UTC 
From my understanding, xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
understands an interactive user as one with "uid >= 1000 and uid != 65534".

Can you please clarify it? (possibly almost providing the response
to the query, this is also probably related to pam_succeed_if and/or
possibly pam_loginuid).

Also, the reason of this query is that an user would want it to
also check for users with something /sbin/nologin as login shell
(or anything not in /etc/shells) as a non interactive user. But
I see this is not a good idea.
Comment 5 Marcus Burghardt 2023-02-28 13:32:06 UTC 
Patch is already merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10215