2157877 – Definition of interactive an non interactive users

Bug 2157877 - Definition of interactive an non interactive users

Summary: Definition of interactive an non interactive users

Keywords:
Status:	MODIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Marcus Burghardt
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2228433 2228434
TreeView+	depends on / blocked

Reported:	2023-01-03 11:38 UTC by Paulo Andrade
Modified:	2023-08-14 14:02 UTC (History)
CC List:	9 users (show)
Fixed In Version:	scap-security-guide-0.1.69-1.el8
Doc Type:	Enhancement
Doc Text:	.Better definition of interactive users The rules in the `scap-security-guide` package now provide a consistent experience regarding interactive users configuration. Previously, various rules used different approaches for identifying interactive and non-interactive users. Starting from this release, we have unified the definitions of interactive users. Users accounts with the UID greater than or equal 1000 are now considered interactive, with the exception of `nobody` and `nfsnobody` user accounts and with the exception of user accounts that use `/sbin/nologin` as the login shell. This change affects the following rules: - accounts_umask_interactive_users - accounts_user_dot_user_ownership - accounts_user_dot_group_ownership - accounts_user_dot_no_world_writable_programs - accounts_user_interactive_home_directory_defined - accounts_user_interactive_home_directory_exists - accounts_users_home_files_groupownership - accounts_users_home_files_ownership - accounts_users_home_files_permissions - file_groupownership_home_directories - file_ownership_home_directories - file_permissions_home_directories - file_permissions_home_dirs - no_forward_files
Clone Of:
Clones:	2228433 2228434 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-143535	0	None	None	None	2023-01-03 11:40:53 UTC

Description Paulo Andrade 2023-01-03 11:38:45 UTC

From my understanding, xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
understands an interactive user as one with "uid >= 1000 and uid != 65534".

Can you please clarify it? (possibly almost providing the response
to the query, this is also probably related to pam_succeed_if and/or
possibly pam_loginuid).

Also, the reason of this query is that an user would want it to
also check for users with something /sbin/nologin as login shell
(or anything not in /etc/shells) as a non interactive user. But
I see this is not a good idea.

Comment 5 Marcus Burghardt 2023-02-28 13:32:06 UTC

Patch is already merged in Upstream: https://github.com/ComplianceAsCode/content/pull/10215

Note You need to log in before you can comment on or make changes to this bug.