commit dc273bb872cc53f2d52af4396f4d3bba0acc178f

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Thu Feb 24 17:30:42 2022 +0100

    Manual edited patch scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch.

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml

new file mode 100644

index 0000000..ff41e19

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml

@@ -0,0 +1,32 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: Get all local users from /etc/passwd

+  ansible.builtin.getent:

+    database: passwd

+    split: ':'

+

+- name: Create local_users variable from the getent output

+  ansible.builtin.set_fact:

+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'

+

+- name: Test for existence home directories to avoid creating them, but only fixing ownership

+  ansible.builtin.stat:

+    path: '{{ item.value[4] }}'

+  register: path_exists

+  loop: '{{ local_users }}'

+  when:

+    - item.value[2]|int >= {{{ gid_min }}}

+    - item.value[2]|int != 65534

+

+- name: Ensure interactive local users are the owners of their respective home directories

+  ansible.builtin.file:

+    path: '{{ item.0.value[4] }}'

+    group: '{{ item.0.value[2] }}'

+    recurse: yes

+  loop: '{{ local_users|zip(path_exists.results)|list }}'

+  when:

+    - item.1.stat is defined and item.1.stat.exists

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh

new file mode 100644

index 0000000..e392d2f

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh

@@ -0,0 +1,14 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+for user in $(awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do

+    home_dir=$(getent passwd $user | cut -d: -f6)

+    group=$(getent passwd $user | cut -d: -f4)

+    # Only update the group-ownership when necessary. This will avoid changing the inode timestamp

+    # when the group is already defined as expected, therefore not impacting in possible integrity

+    # check systems that also check inodes timestamps.

+    find $home_dir -not -group $group -exec chgrp -f $group {} \;

+done

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml

new file mode 100644

index 0000000..1fd016a

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml

@@ -0,0 +1,52 @@

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User") }}}

+    <criteria>

+      

+                 comment="All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User"/>

+    </criteria>

+  </definition>

+

+  <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">

+    <unix:username datatype="string" operation="not equal">nobody</unix:username>

+    <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>

+  </unix:password_object>

+

+  <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">

+    <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>

+  </unix:password_state>

+

+  

+                  comment="Variable including all home dirs from interactive users">

+    

+                      object_ref="object_accounts_users_home_files_groupownership_objects"/>

+  </local_variable>

+

+  

+                  comment="List of interactive users gids">

+    

+                      object_ref="object_accounts_users_home_files_groupownership_objects"/>

+  </local_variable>

+

+  

+  <unix:file_object id="object_accounts_users_home_files_groupownership_dirs" version="1">

+    

+                    recurse_file_system="local"/>

+    <unix:path var_ref="var_accounts_users_home_files_groupownership_dirs" var_check="at least one"/>

+    <unix:filename operation="pattern match">.*</unix:filename>

+  </unix:file_object>

+

+  

+  <unix:file_state id="state_accounts_users_home_files_groupownership_gids" version="1">

+    

+                  var_ref="var_accounts_users_home_files_groupownership_gids"/>

+  </unix:file_state>

+

+  

+  

+                  check_existence="any_exist" version="1"

+                  comment="All home directories files are group-owned by a local interactive user">

+    <unix:object object_ref="object_accounts_users_home_files_groupownership_dirs"/>

+    <unix:state state_ref="state_accounts_users_home_files_groupownership_gids"/>

+  </unix:file_test>

+</def-group>

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml

index 1c0f93a..31a0f1d 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml

@@ -10,6 +10,9 @@ description: |-

     local interactive users files and directories, use the following command:

     
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR

+    This rule ensures every file or directory under the home directory related

+    to an interactive user is group-owned by an interactive user.

+

 rationale: |-

     If a local interactive users files are group-owned by a group of which the

     user is not a member, unintended users may be able to access them.

@@ -33,3 +36,9 @@ ocil: |-

     group-owned by a group the user is a member of, run the

     following command:

     
$ sudo ls -lLR /home/USER

+

+warnings:

+    - general: |-

+       Due to OVAL limitation, this rule can report a false negative in a

+       specific situation where two interactive users swap the group-ownership

+       of folders or files in their respective home directories.

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh

new file mode 100644

index 0000000..8538430

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chgrp -f $USER /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh

new file mode 100644

index 0000000..af24025

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -M $USER

+# This make sure home dirs related to test environment users are also removed.

+rm -Rf /home/*

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh

new file mode 100644

index 0000000..5bce517

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+USER1="cac_user1"

+USER2="cac_user2"

+

+useradd -m $USER1

+useradd -M $USER2

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh

new file mode 100644

index 0000000..ed34f09

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+# remove all interactive users (ID >= 1000) from /etc/passwd

+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh

new file mode 100644

index 0000000..f105723

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chgrp 2 /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh

new file mode 100644

index 0000000..00fa481

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chgrp 10005 /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh

new file mode 100644

index 0000000..052aa7c

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+

+USER1="cac_user1"

+USER2="cac_user2"

+

+useradd -m $USER1

+useradd -m $USER2

+echo "$USER1" > /home/$USER1/$USER1.txt

+echo "$USER2" > /home/$USER2/$USER2.txt

+# Swap the ownership of files in two home directories

+# WARNING: This test scenario will report a false negative, as explained in the

+# warning section of this rule.

+chgrp -f $USER2 /home/$USER1/$USER1.txt

+chgrp -f $USER1 /home/$USER2/$USER2.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml

new file mode 100644

index 0000000..40a0579

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml

@@ -0,0 +1,32 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: Get all local users from /etc/passwd

+  ansible.builtin.getent:

+    database: passwd

+    split: ':'

+

+- name: Create local_users variable from the getent output

+  ansible.builtin.set_fact:

+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'

+

+- name: Test for existence home directories to avoid creating them, but only fixing ownership

+  ansible.builtin.stat:

+    path: '{{ item.value[4] }}'

+  register: path_exists

+  loop: '{{ local_users }}'

+  when:

+    - item.value[1]|int >= {{{ uid_min }}}

+    - item.value[1]|int != 65534

+

+- name: Ensure interactive local users are the owners of their respective home directories

+  ansible.builtin.file:

+    path: '{{ item.0.value[4] }}'

+    owner: '{{ item.0.value[1] }}'

+    recurse: yes

+  loop: '{{ local_users|zip(path_exists.results)|list }}'

+  when:

+    - item.1.stat is defined and item.1.stat.exists

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh

new file mode 100644

index 0000000..236c800

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh

@@ -0,0 +1,13 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $1 }' /etc/passwd); do

+    home_dir=$(getent passwd $user | cut -d: -f6)

+    # Only update the ownership when necessary. This will avoid changing the inode timestamp

+    # when the owner is already defined as expected, therefore not impacting in possible integrity

+    # check systems that also check inodes timestamps.

+    find $home_dir -not -user $user -exec chown -f $user {} \;

+done

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml

new file mode 100644

index 0000000..1850cfb

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml

@@ -0,0 +1,52 @@

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have a Valid Owner") }}}

+    <criteria>

+      

+                 comment="All User Files and Directories In The Home Directory Must Have a Valid Owner"/>

+    </criteria>

+  </definition>

+

+  <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">

+    <unix:username datatype="string" operation="not equal">nobody</unix:username>

+    <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>

+  </unix:password_object>

+

+  <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">

+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>

+  </unix:password_state>

+

+  

+                  comment="Variable including all home dirs from interactive users">

+    

+                      object_ref="object_accounts_users_home_files_ownership_objects"/>

+  </local_variable>

+

+  

+                  comment="List of interactive users uids">

+    

+                      object_ref="object_accounts_users_home_files_ownership_objects"/>

+  </local_variable>

+

+  

+  <unix:file_object id="object_accounts_users_home_files_ownership_dirs" version="1">

+    

+                    recurse_file_system="local"/>

+    <unix:path var_ref="var_accounts_users_home_files_ownership_dirs" var_check="at least one"/>

+    <unix:filename operation="pattern match">.*</unix:filename>

+  </unix:file_object>

+

+  

+  <unix:file_state id="state_accounts_users_home_files_ownership_uids" version="1">

+    

+                  var_ref="var_accounts_users_home_files_ownership_uids"/>

+  </unix:file_state>

+

+  

+  

+                  check_existence="any_exist" version="1"

+                  comment="All home directories files are owned by a local interactive user">

+    <unix:object object_ref="object_accounts_users_home_files_ownership_dirs"/>

+    <unix:state state_ref="state_accounts_users_home_files_ownership_uids"/>

+  </unix:file_test>

+</def-group>

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml

index 13f6bfe..5bfb388 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml

@@ -10,6 +10,9 @@ description: |-

     directories, use the following command:

     
$ sudo chown -R USER /home/USER

+    This rule ensures every file or directory under the home directory related

+    to an interactive user is owned by an interactive user.

+

 rationale: |-

     If local interactive users do not own the files in their directories,

     unauthorized users may be able to access them. Additionally, if files are not

@@ -34,3 +37,9 @@ ocil: |-

     To verify all files and directories in interactive users home directory

     are owned by the user, run the following command:

     
$ sudo ls -lLR /home/USER

+

+warnings:

+    - general: |-

+       Due to OVAL limitation, this rule can report a false negative in a

+       specific situation where two interactive users swap the ownership of

+       folders or files in their respective home directories.

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh

new file mode 100644

index 0000000..da68cb4

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chown $USER /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh

new file mode 100644

index 0000000..af24025

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -M $USER

+# This make sure home dirs related to test environment users are also removed.

+rm -Rf /home/*

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh

new file mode 100644

index 0000000..5bce517

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+USER1="cac_user1"

+USER2="cac_user2"

+

+useradd -m $USER1

+useradd -M $USER2

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh

new file mode 100644

index 0000000..ed34f09

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+# remove all interactive users (ID >= 1000) from /etc/passwd

+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh

new file mode 100644

index 0000000..59c46a9

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chown 2 /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh

new file mode 100644

index 0000000..e0f5514

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chown 10005 /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh

new file mode 100644

index 0000000..1174ec6

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+

+USER1="cac_user1"

+USER2="cac_user2"

+

+useradd -m $USER1

+useradd -m $USER2

+echo "$USER1" > /home/$USER1/$USER1.txt

+echo "$USER2" > /home/$USER2/$USER2.txt

+# Swap the ownership of files in two home directories

+# WARNING: This test scenario will report a false negative, as explained in the

+# warning section of this rule.

+chown -f $USER2 /home/$USER1/$USER1.txt

+chown -f $USER1 /home/$USER2/$USER2.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml

new file mode 100644

index 0000000..9473710

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml

@@ -0,0 +1,33 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: Get all local users from /etc/passwd

+  ansible.builtin.getent:

+    database: passwd

+    split: ':'

+

+- name: Create local_users variable from the getent output

+  ansible.builtin.set_fact:

+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'

+

+- name: Test for existence home directories to avoid creating them, but only fixing group ownership

+  ansible.builtin.stat:

+    path: '{{ item.value[4] }}'

+  register: path_exists

+  loop: '{{ local_users }}'

+  when:

+    - item.value[2]|int >= {{{ uid_min }}}

+    - item.value[2]|int != 65534

+

+- name: Ensure interactive local users are the group-owners of their respective home directories

+  ansible.builtin.file:

+    path: '{{ item.0.value[4] }}'

+    mode: 'g-w,o=-'

+    follow: no

+    recurse: yes

+  loop: '{{ local_users|zip(path_exists.results)|list }}'

+  when:

+    - item.1.stat is defined and item.1.stat.exists

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh

new file mode 100644

index 0000000..186d55d

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh

@@ -0,0 +1,12 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+for home_dir in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $6 }' /etc/passwd); do

+    # Only update the permissions when necessary. This will avoid changing the inode timestamp when

+    # the permission is already defined as expected, therefore not impacting in possible integrity

+    # check systems that also check inodes timestamps.

+    find $home_dir -perm /027 -exec chmod g-w,o=- {} \;

+done

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml

new file mode 100644

index 0000000..d3db46d

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml

@@ -0,0 +1,52 @@

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive") }}}

+    <criteria>

+      

+                 comment="All files under interactive user's Home Directories must have proper permissions"/>

+    </criteria>

+  </definition>

+

+  

+       "file_ownership_home_directories" rule. -->

+  <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">

+    <unix:username datatype="string" operation="not equal">nobody</unix:username>

+    <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>

+  </unix:password_object>

+

+  <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">

+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>

+  </unix:password_state>

+

+  

+  

+                  comment="Variable including all home dirs from interactive users">

+    <object_component item_field="home_dir" object_ref="object_accounts_users_home_files_permissions_objects"/>

+  </local_variable>

+

+  

+  <unix:file_object id="object_accounts_users_home_files_permissions_dirs" version="1">

+    

+                    recurse_file_system="local"/>

+    <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>

+    <unix:filename operation="pattern match">.*</unix:filename>

+  </unix:file_object>

+

+  

+  <unix:file_state id="state_accounts_users_home_files_permissions_dirs" version="1" operator='AND'>

+    <unix:suid datatype="boolean">false</unix:suid>

+    <unix:sgid datatype="boolean">false</unix:sgid>

+    <unix:sticky datatype="boolean">false</unix:sticky>

+    <unix:gwrite datatype="boolean">false</unix:gwrite>

+    <unix:oread datatype="boolean">false</unix:oread>

+    <unix:owrite datatype="boolean">false</unix:owrite>

+    <unix:oexec datatype="boolean">false</unix:oexec>

+  </unix:file_state>

+

+  

+  

+                  version="1" comment="All home directories have proper permissions">

+    <unix:object object_ref="object_accounts_users_home_files_permissions_dirs"/>

+    <unix:state state_ref="state_accounts_users_home_files_permissions_dirs"/>

+  </unix:file_test>

+</def-group>

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh

new file mode 100644

index 0000000..3561847

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chmod -Rf 750 /home/$USER/.*

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh

new file mode 100644

index 0000000..8ed7fa2

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chmod -Rf 700 /home/$USER/.*

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh

new file mode 100644

index 0000000..af24025

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -M $USER

+# This make sure home dirs related to test environment users are also removed.

+rm -Rf /home/*

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh

new file mode 100644

index 0000000..ed34f09

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+# remove all interactive users (ID >= 1000) from /etc/passwd

+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh

new file mode 100644

index 0000000..b561671

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/$USER.txt

+chmod -Rf 700 /home/$USER/.*

+chmod -f o+r /home/$USER/$USER.txt

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh

new file mode 100644

index 0000000..d7811bc

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+USER="cac_user"

+useradd -m $USER

+echo "$USER" > /home/$USER/.init_file

+chmod -Rf 700 /home/$USER/.*

+chmod -f o+r /home/$USER/.init_file

diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh

similarity index 100%

rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh

rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh

similarity index 100%

rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh

rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh