Rule "All Interactive Users Home Directories Must Exist" (`xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists`) applies to non-local users as well
Rules checking home directories apply only to local users
Multiple compliance profiles provided by the `scap-security-guide` package contain the following rules that check the correct configuration of user home directories:
* `accounts_umask_interactive_users`
* `accounts_user_dot_group_ownership`
* `accounts_user_dot_user_ownership`
* `accounts_user_interactive_home_directory_exists`
* `accounts_users_home_files_groupownership`
* `accounts_users_home_files_ownership`
* `accounts_users_home_files_permissions`
* `file_groupownership_home_directories`
* `file_ownership_home_directories`
* `file_permissions_home_directories`
These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided through NSS by network sources such as sssd or LDAP, even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously enumerated users with the `getpwent()` library function. This update changes the internal implementation of these rules to depend only on the data from the `/etc/passwd` file. As a result, the rules now apply only to the local users’ configuration.
Description of problem:
Rule content_rule_accounts_user_interactive_home_directory_exists states in the Rationale the following, which tends to indicate only LOCAL users have to meet the requirement of having a home dir exist on the system:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
The description however is vague:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in <tt>/etc/passwd</tt>:
<pre>$ sudo mkdir /home/<i>USER</i></pre>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Assuming only local users have to meet the requirement, which seems the intent to me, then the implementation is not correct:
the implementation relies on "unix:password_object", which makes use of getpwent(), which browses all users provided by the NSS "passwd" map.
Rule implementation excerpts:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
<!-- #### prepare a password object for the two tests in this rule #### -->
<unix:password_object id="object_accounts_user_interactive_home_directory_exists_objects"
  version="1">
  <unix:username datatype="string" operation="not equal">nobody</unix:username>
  <filter action="include">state_accounts_user_interactive_home_directory_exists_uids</filter>
</unix:password_object>
:
<!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
<local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
  datatype="string" version="1"
  comment="Variable including all home dirs from interactive users">
  <object_component item_field="home_dir"
    object_ref="object_accounts_user_interactive_home_directory_exists_objects"/>
</local_variable>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Source code (openscap project):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
static int read_password(SEXP_t *un_ent, probe_ctx *ctx, oval_schema_version_t over)
{
:
	} else {
		while ((pw = getpwent())) {
			_process_struct_passwd(pw, _PATH_LASTLOG, un_ent, ctx, over);
		}
		endpwent();
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-1.el9_1.noarch
openscap-scanner-1.3.7-1.el9.x86_64
How reproducible:
Always
Steps to Reproduce:
1. On a system enable sssd (I used the Red Hat configuration from my laptop)
/etc/sssd/sssd.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
...
access_provider = simple
simple_allow_users = rmetrich
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
2. Make sure "enumerate = true" in /etc/sssd/sssd.conf
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[domain/redhat.com]
id_provider = ldap
ldap_search_base = dc=redhat,dc=com
enumerate = true
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
3. Confirm "rmetrich" user can be resolved
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# getent passwd rmetrich
--> some entry
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
4. Execute the scan
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_customized --tailoring-file ssg-rhel9-ds-tailoring.xml --rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Actual results:
Title All Interactive Users Home Directories Must Exist
Rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Ident CCE-83639-5
Result fail
because "/home/rmetrich" doesn't exist
Expected results:
Result pass
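To make the difference between the two user sources concrete (the reporter's getpwent() analysis above and the release note's switch to reading /etc/passwd only), here is an added example that is not SSG or OpenSCAP code: it selects interactive users the way the rule does, once from a constructed passwd text and once from pwd.getpwall(), which walks the same NSS passwd map as getpwent(). The sample entries, the injectable exists() check and the UID threshold of 1000 are assumptions.

```python
import os
import pwd

# Constructed /etc/passwd content for the demonstration; a real check
# would read the file itself, never the NSS-merged view.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:Service:/var/lib/svc:/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into (name, uid, home, shell); skip blanks, comments, malformed."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a real tool should report it
        name, _, uid, _, _, home, shell = fields
        users.append((name, int(uid), home, shell))
    return users


def is_interactive(name, uid, shell, uid_min=1000):
    """Same selection the rule makes: not 'nobody', regular UID, real login shell."""
    return name != "nobody" and uid >= uid_min and shell not in NOLOGIN_SHELLS


def local_users_missing_home(passwd_text, exists=os.path.isdir, uid_min=1000):
    """Fixed behaviour: only /etc/passwd content is consulted, so users that
    NSS pulls from sssd/LDAP can never produce a finding."""
    return [name for name, uid, home, shell in parse_passwd(passwd_text)
            if is_interactive(name, uid, shell, uid_min) and not exists(home)]


def nss_users_missing_home(exists=os.path.isdir, uid_min=1000):
    """Old behaviour: pwd.getpwall() enumerates every NSS passwd source exactly
    like getpwent(), so remote users with no local home directory are reported."""
    return [p.pw_name for p in pwd.getpwall()
            if is_interactive(p.pw_name, p.pw_uid, p.pw_shell, uid_min)
            and not exists(p.pw_dir)]
```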
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:6552