Bug 1302061 - system accounts are hardcoded in scap content
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.2
Assigned To: Jan Lieskovsky
QA Contact: Marek Haicman
Reported: 2016-01-26 11:44 EST by Marek Haicman
Modified: 2016-11-04 03:33 EDT (History)
Fixed In Version: scap-security-guide-0.1.30-1.el7
Doc Type: Bug Fix
Last Closed: 2016-11-04 03:33:20 EDT
Type: Bug
Description Marek Haicman 2016-01-26 11:44:02 EST
Description of problem:
When checking no_shelllogin_for_systemaccounts, there is a big regexp to check whether (system) users with UID < 500 do not have login shells. This interval is hardcoded, but on the system, system accounts are defined in /etc/login.defs.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.25-3.el7

How reproducible:
reliable

Steps to Reproduce:
1. install scap-security-guide
2. grep '<ind:pattern operation="pattern match">^(?!root)' /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml


Actual results:
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>

The regexp has hardcoded numbers for the UID, and these do not correspond with /etc/login.defs:

# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999


Expected results:
Probably a different solution to the regexp?
Comment 3 Jan Lieskovsky 2016-06-15 06:09:34 EDT
Proposed upstream patch:
* https://github.com/OpenSCAP/scap-security-guide/pull/1285
Comment 4 Jan Lieskovsky 2016-06-15 13:21:41 EDT
During the upstream discussion it was concluded that we might want a slight modification of the expectations when compared with this rule. See:

https://github.com/OpenSCAP/scap-security-guide/pull/1285#issuecomment-226234112

and

https://github.com/OpenSCAP/scap-security-guide/pull/1285#issuecomment-226237363

for details.

What the proposal actually means is that the new / rewritten implementation would internally consist of two rules:
* no_shell_login_for_reserved_system_accounts (checking range <0, SYS_UID_MIN>) and
* no_shell_login_for_dynamic_system_accounts (checking range <SYS_UID_MIN, SYS_UID_MAX>)

which as a result would mean we would effectively be scanning all UIDs from the range <0, SYS_UID_MAX> regardless of the SYS_UID_MIN setting.

@Marek, are you OK with this proposal? (asking since it differs slightly from what it was requested above / in the original bug report)

Thank you, Jan.
Comment 5 Marek Haicman 2016-06-16 07:16:34 EDT
Other than the objection I stated in the upstream discussion, I am OK with the proposal. Thanks!

Marek
Comment 6 Jan Lieskovsky 2016-06-16 07:24:39 EDT
Replied to that point. Please reply to it too (it's not possible to create a correct regex for an arbitrary integer range without knowing the specific min and max numbers [the range borders] ahead).

If we want to scan the 0 - (UID_MIN - 1) range, we need to get rid of the current implementation altogether.

Thanks, Jan
Comment 7 Jan Lieskovsky 2016-06-21 08:08:05 EDT
Updated upstream patch:
  https://github.com/OpenSCAP/scap-security-guide/pull/1298

which is expected to work as follows:
* If neither SYS_UID_MIN nor SYS_UID_MAX is defined (the default RHEL-6 case), the check will test whether all /etc/passwd entries having a shell defined are outside of the <0, UID_MIN - 1> range. If at least one UID is within that range, the test will fail.

* If both the SYS_UID_MIN and SYS_UID_MAX variables are defined (RHEL-7 and above), the check will test whether all /etc/passwd entries having a shell defined are outside both of the following ranges:
  * <0, SYS_UID_MIN> for the case of reserved system user accounts,
  * <SYS_UID_MIN, SYS_UID_MAX> for the case of dynamically allocated system user accounts.

  If at least one UID having a shell defined is found to be within at least one of the two ranges above, the test will fail.
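The following is an added example written for this page; it is not code from the bug report, from the upstream pull requests, or from scap-security-guide itself. It applies the hardcoded OVAL pattern quoted in the description to a constructed /etc/passwd, and next to it implements the login.defs-driven range logic described in comment 7 in Python, so the difference between the two is visible on the same input: the original regex stops at UID 499 and never sees a dynamically allocated system account at UID 996. The list of non-login shells is taken verbatim from the quoted regex; the sample files, the 500 fallback when UID_MIN is absent, and all function names are assumptions made for the example.

```python
import re

# Pattern quoted in the bug description from the original ssg-rhel7-oval.xml:
# it only admits UIDs 0-499, so a system account at UID 996 is never examined.
HARDCODED_PATTERN = re.compile(
    r"^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:"
    r"(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$"
)

# Shells the quoted pattern treats as "no login shell". The shipped content may
# use a different list; this one is taken from the regex above.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

# Constructed sample /etc/passwd: one legacy system account at UID 450 and one
# dynamically allocated system account at UID 996, both with a login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
oldsvc:x:450:450::/var/lib/oldsvc:/bin/bash
newsvc:x:996:996::/var/lib/newsvc:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

# Constructed RHEL 7 style /etc/login.defs fragment.
SAMPLE_LOGIN_DEFS = """\
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
UID_MIN                  1000
"""


def hardcoded_regex_offenders(passwd_text):
    """Apply the original OVAL pattern line by line; return the matching user names."""
    return [line.split(":")[0]
            for line in passwd_text.splitlines()
            if HARDCODED_PATTERN.match(line)]


def parse_login_defs(text):
    """Return {KEY: int} for the UID keys of a login.defs document.

    Comment and blank lines are skipped; a later definition overrides an earlier one.
    """
    wanted = {"UID_MIN", "UID_MAX", "SYS_UID_MIN", "SYS_UID_MAX"}
    values = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in wanted:
            values[fields[0]] = int(fields[1])
    return values


def system_uid_ranges(defs):
    """Inclusive UID ranges a system account may occupy, following comment 7."""
    if "SYS_UID_MIN" in defs and "SYS_UID_MAX" in defs:
        # reserved accounts <0, SYS_UID_MIN> plus dynamic accounts <SYS_UID_MIN, SYS_UID_MAX>
        return [(0, defs["SYS_UID_MIN"]), (defs["SYS_UID_MIN"], defs["SYS_UID_MAX"])]
    # No SYS_UID_* keys (RHEL 6 default): everything below UID_MIN is a system account.
    # Assumption for this example: fall back to 500 if UID_MIN itself is missing.
    return [(0, defs.get("UID_MIN", 500) - 1)]


def system_accounts_with_shell(passwd_text, defs):
    """Names of non-root accounts inside a system UID range that keep a login shell."""
    ranges = system_uid_ranges(defs)
    offenders = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, _, uid, _, _, _, shell = fields
        if name == "root" or shell in NON_LOGIN_SHELLS:
            continue
        if any(lo <= int(uid) <= hi for lo, hi in ranges):
            offenders.append(name)
    return offenders


def check_result(passwd_text, login_defs_text):
    """'pass' or 'fail' in the sense of the OVAL test described in comment 7."""
    offenders = system_accounts_with_shell(passwd_text, parse_login_defs(login_defs_text))
    return "fail" if offenders else "pass"


if __name__ == "__main__":
    print("hardcoded regex flags:", hardcoded_regex_offenders(SAMPLE_PASSWD))
    print("login.defs-driven check flags:",
          system_accounts_with_shell(SAMPLE_PASSWD, parse_login_defs(SAMPLE_LOGIN_DEFS)))
```

Run against the constructed files, the hardcoded regex reports only oldsvc (UID 450), while the login.defs-driven check reports both oldsvc and newsvc (UID 996). Because the two ranges from comment 7 are inclusive and contiguous, the check is equivalent to testing 0 <= UID <= SYS_UID_MAX, which is why SYS_UID_MIN has no effect once SYS_UID_MAX covers the account.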
Comment 9 Marek Haicman 2016-06-30 07:43:06 EDT
Checked scenarios:

[UID with /bin/bash is 996] 
SYS_UID_MIN 201
SYS_UID_MAX 999
correct fail

SYS_UID_MIN 201
SYS_UID_MAX 996
correct fail

SYS_UID_MIN 201
SYS_UID_MAX 995
correct pass

SYS_UID_MIN 995
SYS_UID_MAX 999
correct fail

SYS_UID_MIN 996
SYS_UID_MAX 999
correct fail

with SYS_UID_* not set
UID_MIN 997
correct fail

UID_MIN 996
correct pass


Fixed in version scap-security-guide-0.1.30-1.el7. Thanks!
Comment 11 errata-xmlrpc 2016-11-04 03:33:20 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2483.html
