Description of problem:

Rule content_rule_accounts_user_interactive_home_directory_exists states in the Rationale the following, which tends to indicate only LOCAL users have to meet the requirement of having a home dir exist on the system:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The description however is vague:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in <tt>/etc/passwd</tt>:
<pre>$ sudo mkdir /home/<i>USER</i></pre>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Assuming only local users have to meet the requirement, which seems the intent to me, then the implementation is not correct: the implementation relies on "unix:password_object" which makes use of getpwent(), which browses all users provided by the NSS "passwd" map.

Rule implementation excerpts:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
<!-- #### prepare a password object for the two tests in this rule #### -->
<unix:password_object id="object_accounts_user_interactive_home_directory_exists_objects"
  version="1">
  <unix:username datatype="string" operation="not equal">nobody</unix:username>
  <filter action="include">state_accounts_user_interactive_home_directory_exists_uids</filter>
</unix:password_object>
:
<!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
<local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
  datatype="string" version="1"
  comment="Variable including all home dirs from interactive users">
  <object_component item_field="home_dir"
    object_ref="object_accounts_user_interactive_home_directory_exists_objects"/>
</local_variable>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Source code (openscap project):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
static int read_password(SEXP_t *un_ent, probe_ctx *ctx, oval_schema_version_t over)
{
:
	} else {
		while ((pw = getpwent())) {
			_process_struct_passwd(pw, _PATH_LASTLOG, un_ent, ctx, over);
		}
		endpwent();
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-1.el9_1.noarch
openscap-scanner-1.3.7-1.el9.x86_64

How reproducible:
Always

Steps to Reproduce:

1. On a system enable sssd (I used the Red Hat configuration from my laptop)

/etc/sssd/sssd.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
...
access_provider = simple
simple_allow_users = rmetrich
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Make sure "enumerate = true" in /etc/sssd/sssd.conf

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
id_provider = ldap
ldap_search_base = dc=redhat,dc=com
enumerate = true
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Confirm "rmetrich" user can be resolved

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# getent passwd rmetrich
--> some entry
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

4. Execute the scan

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_customized --tailoring-file ssg-rhel9-ds-tailoring.xml --rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

Title   All Interactive Users Home Directories Must Exist
Rule    xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Ident   CCE-83639-5
Result  fail

because "/home/rmetrich" doesn't exist

Expected results:

Result  pass
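The following is an added example, not code from the bug report, from openscap or from scap-security-guide. It demonstrates the distinction the report is about: getpwent() walks every source in the NSS "passwd" map, so once sssd enumeration is on it yields remote users as well as local ones, whereas fgetpwent() over /etc/passwd yields local accounts only. The UID range (1000-60000), the helper names and the passwd sample are assumptions made for illustration; the sample is constructed, not taken from any system.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Interactive-user UID range assumed for this example (RHEL's default
 * UID_MIN/UID_MAX in /etc/login.defs are 1000 and 60000). */
#define UID_MIN 1000
#define UID_MAX 60000
#define NAME_LEN 64

/* Core check: pull passwd entries from `next`, keep those in the interactive
 * UID range (minus "nobody", as the rule does) and count the ones whose home
 * is not an existing directory; offending account names land in `missing`. */
static int count_missing_homes(struct passwd *(*next)(void *), void *arg,
                               char missing[][NAME_LEN], int max_missing)
{
    struct passwd *pw;
    struct stat st;
    int n = 0;

    while ((pw = next(arg)) != NULL) {
        if (pw->pw_uid < UID_MIN || pw->pw_uid > UID_MAX)
            continue;
        if (strcmp(pw->pw_name, "nobody") == 0)
            continue;
        if (stat(pw->pw_dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
            if (n < max_missing)
                snprintf(missing[n], NAME_LEN, "%s", pw->pw_name);
            n++;
        }
    }
    return n;
}

/* Iterator over one passwd-format stream (e.g. /etc/passwd): local accounts only. */
static struct passwd *next_from_file(void *arg)
{
    return fgetpwent((FILE *)arg);
}

/* Iterator over the NSS "passwd" map: what getpwent() in the openscap probe
 * sees. With sssd "enumerate = true" this includes LDAP/AD users too. */
static struct passwd *next_from_nss(void *arg)
{
    (void)arg;
    return getpwent();
}

/* Local-only variant: read a passwd-format file instead of the NSS map. */
int local_users_missing_home(const char *passwd_path, char missing[][NAME_LEN], int max_missing)
{
    FILE *f = fopen(passwd_path, "r");
    int n;
    if (f == NULL)
        return -1;
    n = count_missing_homes(next_from_file, f, missing, max_missing);
    fclose(f);
    return n;
}

/* NSS-wide variant: equivalent to what unix:password_object enumerates. */
int nss_users_missing_home(char missing[][NAME_LEN], int max_missing)
{
    int n;
    setpwent();
    n = count_missing_homes(next_from_nss, NULL, missing, max_missing);
    endpwent();
    return n;
}

/* Constructed sample (hypothetical accounts): "alice" has an existing home
 * ("/"), "ghost" points at a directory that does not exist. */
static const char constructed_passwd[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:Nobody:/nonexistent:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/:/bin/bash\n"
    "ghost:x:1001:1001:Ghost:/nonexistent/constructed-ghost:/bin/bash\n"
    "sync:x:5:0:sync:/bin:/bin/sync\n";

/* Run the local-only check over the constructed sample via an in-memory stream. */
int check_constructed_sample(char missing[][NAME_LEN], int max_missing)
{
    FILE *f = fmemopen((void *)constructed_passwd, sizeof(constructed_passwd) - 1, "r");
    int n;
    if (f == NULL)
        return -1;
    n = count_missing_homes(next_from_file, f, missing, max_missing);
    fclose(f);
    return n;
}

int main(void)
{
    char missing[32][NAME_LEN];
    int i, n;

    n = check_constructed_sample(missing, 32);
    printf("constructed sample: %d interactive user(s) without a home dir\n", n);
    for (i = 0; i < n && i < 32; i++)
        printf("  %s\n", missing[i]);

    n = local_users_missing_home("/etc/passwd", missing, 32);
    printf("/etc/passwd only (local accounts): %d missing\n", n);

    /* On a host with sssd enumeration this count can exceed the local one. */
    n = nss_users_missing_home(missing, 32);
    printf("NSS passwd map (what getpwent() sees): %d missing\n", n);
    for (i = 0; i < n && i < 32; i++)
        printf("  %s\n", missing[i]);
    return 0;
}
```

On a host reproducing the report, the two live counts diverge: the /etc/passwd pass never lists rmetrich, while the getpwent() pass does as soon as the sssd domain enumerates, which is exactly the account the OVAL check then fails on.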
A PR has been submitted to upstream for review: https://github.com/ComplianceAsCode/content/pull/10825
Fix https://github.com/ComplianceAsCode/content/pull/10825 has been merged upstream.