Bug 1302061 - system accounts are hardcoded in scap content
Summary: system accounts are hardcoded in scap content
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Lieskovsky
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-26 16:44 UTC by Marek Haicman
Modified: 2016-11-04 07:33 UTC (History)

Fixed In Version: scap-security-guide-0.1.30-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 07:33:20 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2483 0 normal SHIPPED_LIVE scap-security-guide bug fix and enhancement update 2016-11-03 14:09:28 UTC

Description Marek Haicman 2016-01-26 16:44:02 UTC
Description of problem:
When checking no_shelllogin_for_systemaccounts, there is a big regexp to check whether a (system) user with UID < 500 does not have a login shell. This interval is hardcoded, but on the system, system accounts are defined in /etc/login.defs.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.25-3.el7

How reproducible:
reliable

Steps to Reproduce:
1. install scap-security-guide
2. grep '<ind:pattern operation="pattern match">^(?!root)' /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml


Actual results:
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>

The regexp has hardcoded numbers for the UID, and these do not correspond with /etc/login.defs:

# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999


Expected results:
Probably different solution to regexp?
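To make the mismatch concrete, here is an added Python example (not part of this bug report or of scap-security-guide) that applies the OVAL pattern quoted above to constructed /etc/passwd lines and enumerates the UIDs the pattern can match at all. The account names and UIDs in the sample are constructed for illustration.

```python
import re

# The pattern quoted from ssg-rhel7-oval.xml in this bug report. Python's re
# treats the escaped slashes as literal '/' characters.
HARDCODED_PATTERN = re.compile(
    r"^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:"
    r"(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$"
)

# Constructed /etc/passwd sample (not from a real host). 'svc' is a daemon
# account with UID 996, inside the RHEL 7 SYS_UID_MIN..SYS_UID_MAX range
# of 201..999 from /etc/login.defs, but outside the hardcoded 0..499.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
oldsvc:x:450:450:Old daemon:/var/lib/old:/bin/bash
svc:x:996:996:Daemon:/var/lib/svc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def flagged_by_hardcoded_regex(passwd_text):
    """Return the user names the original OVAL pattern reports as findings."""
    return [
        line.split(":")[0]
        for line in passwd_text.splitlines()
        if HARDCODED_PATTERN.match(line)
    ]


def uids_covered(limit=1100):
    """List every UID below 'limit' the pattern can match, using a synthetic
    passwd line whose shell is /bin/bash so only the UID part decides."""
    return [
        uid
        for uid in range(limit)
        if HARDCODED_PATTERN.match(f"u:x:{uid}:{uid}::/home/u:/bin/bash")
    ]


if __name__ == "__main__":
    # Only 'oldsvc' (UID 450) is reported; 'svc' (UID 996) slips through.
    print(flagged_by_hardcoded_regex(SAMPLE_PASSWD))
    covered = uids_covered()
    # The pattern covers exactly UIDs 0..499, whatever login.defs says.
    print(min(covered), max(covered), len(covered))
```

Running it shows the pattern reports the constructed UID 450 account but misses the UID 996 one, and that the covered UID set is exactly 0 through 499, independent of SYS_UID_MIN and SYS_UID_MAX.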

Comment 3 Jan Lieskovsky 2016-06-15 10:09:34 UTC
Proposed upstream patch:
* https://github.com/OpenSCAP/scap-security-guide/pull/1285

Comment 4 Jan Lieskovsky 2016-06-15 17:21:41 UTC
During the upstream discussion it was concluded that we might want a slight modification of the expectations when compared with this rule. See:

https://github.com/OpenSCAP/scap-security-guide/pull/1285#issuecomment-226234112

and

https://github.com/OpenSCAP/scap-security-guide/pull/1285#issuecomment-226237363

for details.

What the proposal actually means is that the new / rewritten implementation would internally consist of two rules:
* no_shell_login_for_reserved_system_accounts (checking range <0, SYS_UID_MIN>) and
* no_shell_login_for_dynamic_system_accounts (checking range <SYS_UID_MIN, SYS_UID_MAX>)

which in the result would mean we would be effectively scanning all UIDs from range <0, SYS_UID_MAX> regardless of SYS_UID_MIN setting.

@Marek, are you OK with this proposal? (asking since it differs slightly from what it was requested above / in the original bug report)

Thank you, Jan.

Comment 5 Marek Haicman 2016-06-16 11:16:34 UTC
Other than objection I stated in the upstream discussion, I am OK with the proposal. Thanks!

Marek

Comment 6 Jan Lieskovsky 2016-06-16 11:24:39 UTC
Replied to that point. Please reply to it too yet (it's not possible to create correct regex for arbitrary integer range without knowing the specific min and max numbers [the range borders] ahead).

If we want to scan the 0 - (UID_MIN - 1) range, we need to get rid of the current implementation altogether.

Thanks, Jan

Comment 7 Jan Lieskovsky 2016-06-21 12:08:05 UTC
Updated upstream patch:
  https://github.com/OpenSCAP/scap-security-guide/pull/1298

which is expected to work as follows:
* If neither SYS_UID_MIN nor SYS_UID_MAX is defined (default RHEL-6 case), the check will test if all /etc/passwd entries having a shell defined are outside of the <0, UID_MIN - 1> range. If at least one UID is within that range, the test will fail.

* If both the SYS_UID_MIN and SYS_UID_MAX variables are defined (RHEL-7 and above), the check will test if all /etc/passwd entries having a shell defined are outside both of the following ranges:
  * <0, SYS_UID_MIN> for the case of reserved system user accounts,
  * <SYS_UID_MIN, SYS_UID_MAX> for the case of dynamically allocated system user accounts

  If at least one UID having a shell defined is found to be within at least one of the two ranges above, the test will fail.

Comment 9 Marek Haicman 2016-06-30 11:43:06 UTC
Checked scenarios:

[UID with /bin/bash is 996] 
SYS_UID_MIN 201
SYS_UID_MAX 999
correct fail

SYS_UID_MIN 201
SYS_UID_MAX 996
correct fail

SYS_UID_MIN 201
SYS_UID_MAX 995
correct pass

SYS_UID_MIN 995
SYS_UID_MAX 999
correct fail

SYS_UID_MIN 996
SYS_UID_MAX 999
correct fail

with SYS_UID_* not set
UID_MIN 997
correct fail

UID_MIN 996
correct pass


Fixed in version scap-security-guide-0.1.30-1.el7. Thanks!
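The behaviour described in comment 7, checked against the scenarios from comment 9, as an added Python example. It is not part of this bug report or of scap-security-guide; the real check is OVAL content, and this reimplements its logic in plain code so the range handling can be read and tested. The /etc/login.defs and /etc/passwd texts are constructed, with the login-shell account at UID 996 as in comment 9, and root plus the four non-login shells from the original pattern are excluded as there.

```python
# Shells the original OVAL pattern treats as "no login shell".
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

# Constructed /etc/passwd sample (not from a real host): the only account
# below UID 1000 with a login shell is 'svc' at UID 996.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
svc:x:996:996:Daemon:/var/lib/svc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_login_defs(text):
    """Return {name: int} for UID_MIN, SYS_UID_MIN and SYS_UID_MAX if present."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("UID_MIN", "SYS_UID_MIN", "SYS_UID_MAX"):
            values[parts[0]] = int(parts[1])
    return values


def system_uid_ranges(defs):
    """Inclusive UID ranges the rewritten rule scans, per comment 7."""
    if "SYS_UID_MIN" in defs and "SYS_UID_MAX" in defs:
        # Reserved accounts, then dynamically allocated system accounts.
        return [(0, defs["SYS_UID_MIN"]), (defs["SYS_UID_MIN"], defs["SYS_UID_MAX"])]
    # Only UID_MIN defined (RHEL-6 style): everything below UID_MIN.
    return [(0, defs["UID_MIN"] - 1)]


def login_shell_accounts_in_ranges(passwd_text, ranges):
    """Return (name, uid, shell) for non-root accounts with a login shell
    whose UID falls inside any of the given inclusive ranges."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name == "root" or shell in NOLOGIN_SHELLS:
            continue
        if any(lo <= uid <= hi for lo, hi in ranges):
            hits.append((name, uid, shell))
    return hits


def check(login_defs_text, passwd_text):
    """'fail' if any system account has a login shell, otherwise 'pass'."""
    ranges = system_uid_ranges(parse_login_defs(login_defs_text))
    return "fail" if login_shell_accounts_in_ranges(passwd_text, ranges) else "pass"


# The scenarios from comment 9: (label, login.defs text, expected result).
SCENARIOS = [
    ("201/999", "UID_MIN 1000\nSYS_UID_MIN 201\nSYS_UID_MAX 999\n", "fail"),
    ("201/996", "UID_MIN 1000\nSYS_UID_MIN 201\nSYS_UID_MAX 996\n", "fail"),
    ("201/995", "UID_MIN 1000\nSYS_UID_MIN 201\nSYS_UID_MAX 995\n", "pass"),
    ("995/999", "UID_MIN 1000\nSYS_UID_MIN 995\nSYS_UID_MAX 999\n", "fail"),
    ("996/999", "UID_MIN 1000\nSYS_UID_MIN 996\nSYS_UID_MAX 999\n", "fail"),
    ("UID_MIN 997", "UID_MIN 997\n", "fail"),
    ("UID_MIN 996", "UID_MIN 996\n", "pass"),
]


def run_scenarios():
    """Return (label, expected, actual) for every scenario in comment 9."""
    return [(label, expected, check(defs, PASSWD)) for label, defs, expected in SCENARIOS]


if __name__ == "__main__":
    for label, expected, actual in run_scenarios():
        print(f"{label:12s} expected {expected:4s} got {actual}")
```

Note that the ranges are inclusive at both ends, which is what makes the "SYS_UID_MAX 996 -> fail" and "UID_MIN 997 -> fail" rows come out as recorded in comment 9.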

Comment 11 errata-xmlrpc 2016-11-04 07:33:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2483.html

