Bug 2203791

Summary: Rule "All Interactive Users Home Directories Must Exist" (`xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists`) applies to non-local users as well
Product: Red Hat Enterprise Linux 9
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Jan Černý <jcerny>
Status: VERIFIED
QA Contact: Milan Lysonek <mlysonek>
Severity: medium
Priority: medium
Version: 9.2
CC: ggasparb, jcerny, jjaburek, juschind, mhaicman, mlysonek, myllynen, openscap-maint, qguo, vpolasek
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.69-1.el9
Doc Type: Bug Fix
Doc Text:
.Rules checking home directories apply only to local users

Multiple compliance profiles provided by the `scap-security-guide` package contain rules checking the correct configuration of user home directories. Specifically, these rules:
- accounts_user_interactive_home_directory_exists
- accounts_users_home_files_groupownership
- accounts_user_dot_group_ownership
- accounts_users_home_files_permissions
- accounts_umask_interactive_users
- accounts_user_dot_user_ownership
- file_permissions_home_directories
- file_groupownership_home_directories
- file_ownership_home_directories
- accounts_users_home_files_ownership

Previously, these rules checked not only the configuration of local users but also evaluated the configuration of remote users provided through NSS by network sources such as sssd or LDAP. This behavior was caused by the OpenSCAP scanner using the `getpwent()` C library call, which enumerates every source configured in the NSS "passwd" map. This behavior was not desired, because the remediation scripts were not able to change the configuration of remote users. Therefore, the internal implementation of the mentioned rules has been changed to depend only on data present in the `/etc/passwd` file; no other sources of user metadata are read by the rules. As a result, the rules now consider only the configuration of local users.
Type: Bug
Clones: 2228462, 2228463
Bug Blocks: 2228462, 2228463

Description Renaud Métrich 2023-05-15 09:20:05 UTC
Description of problem:

Rule content_rule_accounts_user_interactive_home_directory_exists states in the Rationale the following, which tends to indicate only LOCAL users have to meet the requirement of having a home dir exist on the system:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    If a local interactive user has a home directory defined that does not exist,
    the user may be given access to the / directory as the current working directory
    upon logon. This could create a Denial of Service because the user would not be
    able to access their logon configuration files, and it may give them visibility
    to system files they normally would not be able to access.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The description however is vague:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    Create home directories to all interactive users that currently do not
    have a home directory assigned. Use the following commands to create the user
    home directory assigned in <tt>/etc/passwd</tt>:
    <pre>$ sudo mkdir /home/<i>USER</i></pre>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Assuming only local users have to meet the requirement, which seems the intent to me, then the implementation is not correct:
the implementation relies on "unix:password_object" which makes use of getpwent(), which browses all users provided by the NSS "passwd" map.

Rule implementation excerpts:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <!-- #### prepare a password object for the two tests in this rule #### -->
  <unix:password_object id="object_accounts_user_interactive_home_directory_exists_objects"
                        version="1">
    <unix:username datatype="string" operation="not equal">nobody</unix:username>
    <filter action="include">state_accounts_user_interactive_home_directory_exists_uids</filter>
  </unix:password_object>
  :
  <!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
  <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
                  datatype="string" version="1"
                  comment="Variable including all home dirs from interactive users">
    <object_component item_field="home_dir"
                      object_ref="object_accounts_user_interactive_home_directory_exists_objects"/>
  </local_variable>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Source code (openscap project):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
static int read_password(SEXP_t *un_ent, probe_ctx *ctx, oval_schema_version_t over)
{
 :
        } else {
                while ((pw = getpwent())) {
                        _process_struct_passwd(pw, _PATH_LASTLOG, un_ent, ctx, over);
                }
                endpwent();
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.66-1.el9_1.noarch
openscap-scanner-1.3.7-1.el9.x86_64

How reproducible:

Always

Steps to Reproduce:
1. On a system enable sssd (I used the Red Hat configuration from my laptop)

/etc/sssd/sssd.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
...
access_provider = simple
simple_allow_users = rmetrich
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Make sure "enumerate = true" in /etc/sssd/sssd.conf

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
id_provider = ldap
ldap_search_base = dc=redhat,dc=com
enumerate = true
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Confirm "rmetrich" user can be resolved

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# getent passwd rmetrich
--> some entry
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

4. Execute the scan

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_customized --tailoring-file ssg-rhel9-ds-tailoring.xml --rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

Title   All Interactive Users Home Directories Must Exist
Rule    xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Ident   CCE-83639-5
Result  fail

because "/home/rmetrich" doesn't exist

Expected results:

Result  pass
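The getpwent()/NSS distinction from the description above, and the post-fix "read only /etc/passwd" behaviour from the Doc Text, as an added example in C that is not code from openscap or the ComplianceAsCode project. It writes a constructed sample passwd file (assumption: /tmp is writable), applies an approximation of the rule's interactive-user criteria (UID >= 1000, not "nobody", shell not ending in "nologin" and not /bin/false; these are illustrative assumptions, not the rule's exact OVAL filter), and counts missing home directories once from that file alone and once from the NSS passwd map via getpwent(). Only the getpwent() path would ever see an sssd-provided user such as rmetrich, which is exactly why a local mkdir remediation could not make the old rule pass.

```c
#define _GNU_SOURCE        /* getpwent()/setpwent()/endpwent() in <pwd.h> */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Added example, not openscap or ComplianceAsCode code.  Two enumeration paths:
 *   getpwent()              -> walks the NSS "passwd" map (files, sss, ldap, ...)
 *   parsing /etc/passwd     -> local users only, which is what the fix does
 * The interactive-user criteria below are an assumption approximating the rule. */

static int is_interactive(const char *name, long uid, const char *shell, long uid_min)
{
    const char *sh = shell ? shell : "";
    size_t n = strlen(sh);
    if (uid < uid_min) return 0;
    if (strcmp(name, "nobody") == 0) return 0;
    if (n >= 7 && strcmp(sh + n - 7, "nologin") == 0) return 0;
    if (strcmp(sh, "/bin/false") == 0) return 0;
    return 1;
}

static int home_missing(const char *dir)
{
    struct stat st;
    return stat(dir, &st) != 0 || !S_ISDIR(st.st_mode);
}

/* Split one passwd(5) line "name:pw:uid:gid:gecos:dir:shell" in place.
 * Empty fields (e.g. gecos) are preserved, which strtok() would silently drop. */
static int split_passwd_line(char *line, char *f[7])
{
    int i = 1;
    char *p = line;
    line[strcspn(line, "\r\n")] = '\0';
    f[0] = line;
    while (i < 7 && (p = strchr(p, ':')) != NULL) {
        *p++ = '\0';
        f[i++] = p;
    }
    return i == 7 ? 0 : -1;   /* malformed line: wrong field count */
}

/* Post-fix behaviour: only entries in passwd_path are considered.
 * Returns the number of interactive users whose home directory is missing,
 * or -1 if the file cannot be opened. */
int count_missing_homes_local(const char *passwd_path, long uid_min)
{
    char line[1024];
    char *f[7];
    int missing = 0;
    FILE *fp = fopen(passwd_path, "r");
    if (!fp) return -1;
    while (fgets(line, sizeof line, fp)) {
        if (split_passwd_line(line, f) != 0) continue;
        if (is_interactive(f[0], strtol(f[2], NULL, 10), f[6], uid_min) && home_missing(f[5])) {
            printf("local user %s: home %s does not exist\n", f[0], f[5]);
            missing++;
        }
    }
    fclose(fp);
    return missing;
}

/* Pre-fix behaviour: getpwent() consults every NSS source, so with sssd
 * "enumerate = true" remote users are evaluated too. */
int count_missing_homes_nss(long uid_min)
{
    struct passwd *pw;
    int missing = 0;
    setpwent();
    while ((pw = getpwent()) != NULL)
        if (is_interactive(pw->pw_name, (long)pw->pw_uid, pw->pw_shell, uid_min) &&
            home_missing(pw->pw_dir))
            missing++;
    endpwent();
    return missing;
}

/* Constructed sample passwd file for the demo (assumes /tmp is writable). */
int write_sample_passwd(const char *path)
{
    static const char sample[] =
        "root:x:0:0:root:/root:/bin/bash\n"
        "nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin\n"
        "svc:x:1001:1001::/nonexistent/svc:/sbin/nologin\n"   /* not interactive: ignored  */
        "alice:x:1000:1000::/tmp:/bin/bash\n"                  /* interactive, home exists  */
        "bob:x:1002:1002::/nonexistent/bob:/bin/bash\n";       /* interactive, home missing */
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs(sample, fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "/tmp/ssg_example_passwd";
    if (write_sample_passwd(path) != 0) return 1;
    printf("missing homes, file-only enumeration: %d\n", count_missing_homes_local(path, 1000));
    printf("missing homes, NSS enumeration:       %d\n", count_missing_homes_nss(1000));
    return 0;
}
```

On the sample file the file-only count is 1 (bob); the NSS count depends on the host's real passwd sources, which is the point: the same check yields different answers depending on whether it reads a file or the NSS map, and only the former can be driven to zero by `mkdir /home/USER` on the scanned machine.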

Comment 2 Jan Černý 2023-07-12 12:54:58 UTC
A PR has been submitted to upstream for a review: https://github.com/ComplianceAsCode/content/pull/10825

Comment 3 Jan Černý 2023-07-17 15:49:38 UTC
fix https://github.com/ComplianceAsCode/content/pull/10825 has been merged to upstream