Bug 2228463
| Summary: | Rule "All Interactive Users Home Directories Must Exist" (`xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists`) applies to non-local users as well [rhel-9.0.0.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
| Component: | scap-security-guide | Assignee: | Jan Černý <jcerny> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.2 | CC: | ggasparb, jcerny, jjaburek, juschind, mhaicman, mlysonek, myllynen, openscap-maint, vpolasek |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.69-1.el9_0 | Doc Type: | Bug Fix |
| Doc Text: |
.Rules checking home directories apply only to local users
Multiple compliance profiles provided by the `scap-security-guide` package contain rules checking the correct configuration of user home directories.
Specifically, we are talking about these rules:
- accounts_user_interactive_home_directory_exists
- accounts_users_home_files_groupownership
- accounts_user_dot_group_ownership
- accounts_users_home_files_permissions
- accounts_umask_interactive_users
- accounts_user_dot_user_ownership
- file_permissions_home_directories
- file_groupownership_home_directories
- file_ownership_home_directories
- accounts_users_home_files_ownership
Previously, these rules checked not only configuration of local users but they also evaluated configuration of remote users provided by network sources such as NSS. This behavior was caused by using the `getpwent()` system call in the OpenSCAP scanner. This behavior wasn't desired, behavior the remediation scripts weren't able to change the configuration of the remote users.
Therefore, the internal implementation of the aforementioned rules has been changed to depend only on data present in the "/etc/passwd" file. That means no other sources of user metadata are read by the rules. As a result, the rules now consider only local users configuration.
|
Story Points: | --- |
| Clone Of: | 2203791 | Environment: | |
| Last Closed: | 2023-08-29 09:20:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2203791 | ||
| Bug Blocks: | |||
|
Comment 13
errata-xmlrpc
2023-08-29 09:20:56 UTC
|