Bug 2157877 - Definition of interactive and non-interactive users
Summary: Definition of interactive and non-interactive users
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Marcus Burghardt
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2228433 2228434
Reported: 2023-01-03 11:38 UTC by Paulo Andrade
Modified: 2023-08-14 14:02 UTC

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Enhancement
Doc Text:
.Better definition of interactive users

The rules in the `scap-security-guide` package now provide a consistent experience regarding interactive user configuration. Previously, various rules used different approaches for identifying interactive and non-interactive users. Starting from this release, the definition of interactive users is unified: user accounts with a UID greater than or equal to 1000 are considered interactive, with the exception of the `nobody` and `nfsnobody` user accounts and of user accounts that use `/sbin/nologin` as the login shell. This change affects the following rules:

- accounts_umask_interactive_users
- accounts_user_dot_user_ownership
- accounts_user_dot_group_ownership
- accounts_user_dot_no_world_writable_programs
- accounts_user_interactive_home_directory_defined
- accounts_user_interactive_home_directory_exists
- accounts_users_home_files_groupownership
- accounts_users_home_files_ownership
- accounts_users_home_files_permissions
- file_groupownership_home_directories
- file_ownership_home_directories
- file_permissions_home_directories
- file_permissions_home_dirs
- no_forward_files
Clone Of:
: 2228433 2228434 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker RHELPLAN-143535 (last updated 2023-01-03 11:40:53 UTC)

Description Paulo Andrade 2023-01-03 11:38:45 UTC
From my understanding, xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
understands an interactive user as one with "uid >= 1000 and uid != 65534".

Can you please clarify it? (possibly almost providing the response
to the query, this is also probably related to pam_succeed_if and/or
possibly pam_loginuid).

Also, the reason for this query is that a user would want it to
also check for users with something like /sbin/nologin as the login shell
(or anything not in /etc/shells) as a non-interactive user. But
I see this is not a good idea.

Comment 5 Marcus Burghardt 2023-02-28 13:32:06 UTC
Patch is already merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10215
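As an added illustration (not part of the bug report, the upstream pull request, or the checks shipped in scap-security-guide), the POSIX shell script below applies both definitions discussed on this page to a constructed /etc/passwd excerpt: the older heuristic quoted in the description (uid >= 1000 and uid != 65534) and the unified definition from the Doc Text (uid >= 1000, excluding nobody and nfsnobody and any account whose login shell is /sbin/nologin). The account names, UIDs and shells in the sample are assumptions chosen to expose the differences; in particular, the sample contains an account with /bin/false, which the unified definition still counts as interactive because only /sbin/nologin is excluded, not shells absent from /etc/shells.

```shell
#!/bin/sh
# Added example: encodes the two definitions of "interactive user" discussed
# on this page and compares them on constructed passwd data. It does not
# reproduce the OVAL or bash remediation content of scap-security-guide.

# Constructed /etc/passwd excerpt (assumed data, not from a real system).
# nobody and nfsnobody share UID 65534 here, as on hosts upgraded from
# RHEL 7, so that the name-based exclusion can be seen independently of UID.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001:Backup service:/var/backups:/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
deploy:x:1003:1003:Deploy:/opt/deploy:/bin/false'

# Older heuristic quoted in the report: uid >= 1000 and uid != 65534.
# Argument: passwd-format text. Prints one username per line.
old_interactive_users() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }'
}

# Unified definition from the Doc Text: uid >= 1000, excluding the nobody
# and nfsnobody accounts and any account whose login shell is /sbin/nologin.
# Shells such as /bin/false are NOT excluded by this definition.
unified_interactive_users() {
    printf '%s\n' "$1" | awk -F: \
        '$3 >= 1000 && $1 != "nobody" && $1 != "nfsnobody" && $7 != "/sbin/nologin" { print $1 }'
}

# Returns 0 if $1 is an interactive user under the unified definition,
# given passwd-format text in $2.
is_interactive_user() {
    unified_interactive_users "$2" | grep -qx "$1"
}

# Accounts the old heuristic counted as interactive that the unified
# definition no longer does (the accounts whose rule results change).
newly_excluded_users() {
    new=$(unified_interactive_users "$1")
    for u in $(old_interactive_users "$1"); do
        printf '%s\n' "$new" | grep -qx "$u" || echo "$u"
    done
}

echo "old heuristic (uid >= 1000, uid != 65534):"
old_interactive_users "$SAMPLE_PASSWD"
echo "unified definition (Doc Text):"
unified_interactive_users "$SAMPLE_PASSWD"
echo "no longer considered interactive:"
newly_excluded_users "$SAMPLE_PASSWD"
```

To run it against a real host, replace the constructed SAMPLE_PASSWD with `$(cat /etc/passwd)`; only local accounts are covered, since neither definition on this page consults NSS sources such as sssd.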

