
ff1465
From 55ec5c49441f6b99914eef15c6cc559910311934 Mon Sep 17 00:00:00 2001
ff1465
From: Marcus Burghardt <maburgha@redhat.com>
ff1465
Date: Fri, 5 Nov 2021 14:02:09 +0100
ff1465
Subject: [PATCH 1/4] OVAL, tests and remediation for rule:
ff1465
ff1465
accounts_user_dot_user_ownership
ff1465
---
ff1465
 .../ansible/shared.yml                        | 10 ++++
ff1465
 .../bash/shared.sh                            |  7 +++
ff1465
 .../oval/shared.xml                           | 52 +++++++++++++++++++
ff1465
 .../accounts_user_dot_user_ownership/rule.yml |  9 ++++
ff1465
 .../tests/expected_owner.pass.sh              |  6 +++
ff1465
 .../tests/home_dirs_all_absent.pass.sh        |  6 +++
ff1465
 .../home_dirs_one_absent_owner_ok.pass.sh     | 10 ++++
ff1465
 .../tests/interactive_users_absent.pass.sh    |  4 ++
ff1465
 .../tests/no_dot_file_ignored.pass.sh         |  6 +++
ff1465
 .../tests/unexpected_owner_system_uid.fail.sh |  6 +++
ff1465
 .../unexpected_owner_unknown_uid.fail.sh      |  6 +++
ff1465
 .../tests/warning_swapped_owners.pass.sh      | 15 ++++++
ff1465
 12 files changed, 137 insertions(+)
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
ff1465
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
ff1465
new file mode 100644
ff1465
index 00000000000..3801e0cfdec
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
ff1465
@@ -0,0 +1,10 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+- name: Ensure interactive local users are the owners of their respective initialization files
ff1465
+  ansible.builtin.command:
ff1465
+    cmd: |
ff1465
+      awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
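Review bot: The `chown -f` issued through `system()` on the last line follows symbolic links, so when an entry under a user's home directory is a symlink it is the link target, not the link, that is re-owned to that user; home directory contents are user-controlled, so the call should be `chown -fh` to affect only the link itself. The same applies to bash/shared.sh in this patch and to the `chgrp -f` calls in both remediations of the accounts_user_dot_group_ownership rule. Separately, the glob `.[^\.]?*` only expands to dotfile names of three or more characters and never to names starting with `..`, while the OVAL filename pattern `^\..*` reports any dotfile, so such a file with the wrong owner is flagged by the scan but left untouched by the fix; `.[^.]*` (which also drops the `\.` sequence that gawk warns about inside a string literal) at least covers two-character names.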
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
ff1465
new file mode 100644
ff1465
index 00000000000..f362a2656aa
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
ff1465
@@ -0,0 +1,7 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
ff1465
new file mode 100644
ff1465
index 00000000000..fb12ce73b23
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
ff1465
@@ -0,0 +1,52 @@
ff1465
+<def-group>
ff1465
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
ff1465
+    {{{ oval_metadata("User Initialization Files Must Be Owned By the Primary User") }}}
ff1465
+    <criteria>
ff1465
+      
ff1465
+                 comment="User Initialization Files Must Be Owned By the Primary User"/>
ff1465
+    </criteria>
ff1465
+  </definition>
ff1465
+
ff1465
+  <unix:password_object id="object_accounts_user_dot_user_ownership_objects" version="1">
ff1465
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
ff1465
+    <filter action="include">state_accounts_user_dot_user_ownership_interactive_uids</filter>
ff1465
+  </unix:password_object>
ff1465
+
ff1465
+  <unix:password_state id="state_accounts_user_dot_user_ownership_interactive_uids" version="1">
ff1465
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
ff1465
+  </unix:password_state>
ff1465
+
ff1465
+  
ff1465
+                  comment="Variable including all home dirs from interactive users">
ff1465
+    
ff1465
+                      object_ref="object_accounts_user_dot_user_ownership_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+                  comment="List of interactive users uids">
ff1465
+    
ff1465
+                      object_ref="object_accounts_user_dot_user_ownership_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+  <unix:file_object id="object_accounts_user_dot_user_ownership_init_files" version="1">
ff1465
+    
ff1465
+                    recurse_file_system="local"/>
ff1465
+    <unix:path var_ref="var_accounts_user_dot_user_ownership_dirs" var_check="at least one"/>
ff1465
+    <unix:filename operation="pattern match">^\..*</unix:filename>
ff1465
+  </unix:file_object>
ff1465
+
ff1465
+  
ff1465
+  <unix:file_state id="state_accounts_user_dot_user_ownership_uids" version="1">
ff1465
+    
ff1465
+                  var_ref="var_accounts_user_dot_user_ownership_uids"/>
ff1465
+  </unix:file_state>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                  check_existence="any_exist" version="1"
ff1465
+                  comment="All user initialization files are owned by a local interactive user">
ff1465
+    <unix:object object_ref="object_accounts_user_dot_user_ownership_init_files"/>
ff1465
+    <unix:state state_ref="state_accounts_user_dot_user_ownership_uids"/>
ff1465
+  </unix:file_test>
ff1465
+</def-group>
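Review bot: The interactive-user selection excludes the nobody account by name in `unix:username` while the remediation excludes it by UID (`$3 != 65534`); on a platform where the UID 65534 account carries a different name the scan collects its home directory but the fix skips it, so it is safer to key both on the UID. The `unix:filename` pattern `^\..*` also does not restrict the entry type, so dot-directories such as `.ssh` appear to be collected alongside regular files and only their own ownership is compared; whether that is intended deserves a comment on the object, e.g. `<!-- dot-directories are included; only the directory's own owner is checked, not its contents -->`. The criterion, both local_variable elements, the behaviors element and the file_test opening tag are not visible in this rendering, so their attributes could not be reviewed.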
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
ff1465
index 37efb159c08..ec75aa01f12 100644
ff1465
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
ff1465
@@ -9,6 +9,9 @@ description: |-
ff1465
     the primary owner with the following command:
ff1465
     
$ sudo chown USER /home/USER/.*
ff1465
 
ff1465
+    This rule ensures every initialization file related to an interactive user
ff1465
+    is owned by an interactive user.
ff1465
+
ff1465
 rationale: |-
ff1465
     Local initialization files are used to configure the user's shell environment
ff1465
     upon logon. Malicious modification of these files could compromise accounts upon
ff1465
@@ -33,3 +36,9 @@ ocil: |-
ff1465
     primary user, run the following command:
ff1465
     
$ sudo ls -al /home/USER/.*
ff1465
     The user initialization files should be owned by USER.
ff1465
+
ff1465
+warnings:
ff1465
+    - general: |-
ff1465
+       Due to OVAL limitation, this rule can report a false negative in a
ff1465
+       specific situation where two interactive users swap the ownership of
ff1465
+       their respective initialization files.
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..3d30238225e
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chown $USER /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..af240252de3
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -M $USER
ff1465
+# This make sure home dirs related to test environment users are also removed.
ff1465
+rm -Rf /home/*
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..840477d2c83
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
ff1465
@@ -0,0 +1,10 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER1="cac_user1"
ff1465
+USER2="cac_user2"
ff1465
+
ff1465
+useradd -m $USER1
ff1465
+useradd -M $USER2
ff1465
+
ff1465
+touch /home/$USER1/.bashrc
ff1465
+chown $USER1 /home/$USER1/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..ed34f0940a7
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
ff1465
@@ -0,0 +1,4 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+# remove all interactive users (ID >= 1000) from /etc/passwd
ff1465
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
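Review bot: The sed expression deletes any /etc/passwd line containing a colon-delimited field made of four or more digits, whichever field that is, not only lines whose UID is 1000 or more as the comment says; a GID or GECOS field of that shape removes the account too, and the hard-coded four-digit threshold does not track the `uid_min` the OVAL uses. Anchoring on the third field keeps the intent precise: `sed -i -E '/^[^:]*:[^:]*:[0-9]{4,}:/d' /etc/passwd`. The same script is duplicated in accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh.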
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..9292a46b3b2
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/nodotfile
ff1465
+chown 2 /home/$USER/nodotfile
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..0373eb6a5f6
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chown 2 /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..da7f50ce905
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chown 10005 /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..b4a95ae2242
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
ff1465
@@ -0,0 +1,15 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER1="cac_user1"
ff1465
+USER2="cac_user2"
ff1465
+
ff1465
+useradd -m $USER1
ff1465
+useradd -m $USER2
ff1465
+touch /home/$USER1/.bashrc
ff1465
+touch /home/$USER2/.bashrc
ff1465
+
ff1465
+# Swap the ownership of files in two home directories
ff1465
+# WARNING: This test scenario will report a false negative, as explained in the
ff1465
+# warning section of this rule.
ff1465
+chown -f $USER2 /home/$USER1/.bashrc
ff1465
+chown -f $USER1 /home/$USER2/.bashrc
ff1465
ff1465
From cc6318c8afc898190a090058fbdfbdfc741d4d85 Mon Sep 17 00:00:00 2001
ff1465
From: Marcus Burghardt <maburgha@redhat.com>
ff1465
Date: Fri, 5 Nov 2021 14:05:19 +0100
ff1465
Subject: [PATCH 2/4] OVAL, tests and remediation for rule:
ff1465
ff1465
accounts_user_dot_group_ownership
ff1465
---
ff1465
 .../ansible/shared.yml                        | 10 ++++
ff1465
 .../bash/shared.sh                            |  7 +++
ff1465
 .../oval/shared.xml                           | 52 +++++++++++++++++++
ff1465
 .../rule.yml                                  |  9 ++++
ff1465
 .../tests/expected_groupowner.pass.sh         |  6 +++
ff1465
 .../tests/home_dirs_all_absent.pass.sh        |  6 +++
ff1465
 .../home_dirs_one_absent_group_ok.pass.sh     | 10 ++++
ff1465
 .../tests/interactive_users_absent.pass.sh    |  4 ++
ff1465
 .../tests/no_dot_file_ignored.pass.sh         |  6 +++
ff1465
 .../unexpected_groupowner_system_gid.fail.sh  |  6 +++
ff1465
 .../unexpected_groupowner_unknown_gid.fail.sh |  6 +++
ff1465
 .../tests/warning_swapped_groupowners.pass.sh | 15 ++++++
ff1465
 12 files changed, 137 insertions(+)
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
ff1465
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
ff1465
new file mode 100644
ff1465
index 00000000000..1a9fa192359
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
ff1465
@@ -0,0 +1,10 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+- name: Ensure interactive local users are the group-owners of their respective initialization files
ff1465
+  ansible.builtin.command:
ff1465
+    cmd: |
ff1465
+      awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
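Review bot: The `chgrp -f` call passes `$3`, the UID column of /etc/passwd, as the group to set, so the files end up group-owned by whatever group happens to have a GID equal to the user's UID (or by a non-existent numeric group) instead of the user's primary group in `$4`; the change is `system("chgrp -f " $4" "$6"/.[^\.]?*")`. The remediation also selects accounts with `$3 >= uid_min` while this rule's OVAL selects by `group_id >= gid_min`, so the two can disagree on which users are in scope; pick one predicate and use it in both. The same two issues are in bash/shared.sh of this patch.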
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
ff1465
new file mode 100644
ff1465
index 00000000000..2b0fe395e29
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
ff1465
@@ -0,0 +1,7 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
ff1465
new file mode 100644
ff1465
index 00000000000..7ee39a3e794
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
ff1465
@@ -0,0 +1,52 @@
ff1465
+<def-group>
ff1465
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
ff1465
+    {{{ oval_metadata("User Initialization Files Must Be Group-Owned By The Primary User") }}}
ff1465
+    <criteria>
ff1465
+      
ff1465
+                 comment="User Initialization Files Must Be Group-Owned By The Primary User"/>
ff1465
+    </criteria>
ff1465
+  </definition>
ff1465
+
ff1465
+  <unix:password_object id="object_accounts_user_dot_group_ownership_objects" version="1">
ff1465
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
ff1465
+    <filter action="include">state_accounts_user_dot_group_ownership_interactive_gids</filter>
ff1465
+  </unix:password_object>
ff1465
+
ff1465
+  <unix:password_state id="state_accounts_user_dot_group_ownership_interactive_gids" version="1">
ff1465
+    <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
ff1465
+  </unix:password_state>
ff1465
+
ff1465
+  
ff1465
+                  comment="Variable including all home dirs from interactive users">
ff1465
+    
ff1465
+                      object_ref="object_accounts_user_dot_group_ownership_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+                  comment="List of interactive users gids">
ff1465
+    
ff1465
+                      object_ref="object_accounts_user_dot_group_ownership_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+  <unix:file_object id="object_accounts_user_dot_group_ownership_init_files" version="1">
ff1465
+    
ff1465
+                    recurse_file_system="local"/>
ff1465
+    <unix:path var_ref="var_accounts_user_dot_group_ownership_dirs" var_check="at least one"/>
ff1465
+    <unix:filename operation="pattern match">^\..*</unix:filename>
ff1465
+  </unix:file_object>
ff1465
+
ff1465
+  
ff1465
+  <unix:file_state id="state_accounts_user_dot_group_ownership_gids" version="1">
ff1465
+    
ff1465
+                  var_ref="var_accounts_user_dot_group_ownership_gids"/>
ff1465
+  </unix:file_state>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+              check_existence="any_exist" version="1"
ff1465
+              comment="All user initialization files are group-owned by a local interactive user">
ff1465
+    <unix:object object_ref="object_accounts_user_dot_group_ownership_init_files"/>
ff1465
+    <unix:state state_ref="state_accounts_user_dot_group_ownership_gids"/>
ff1465
+  </unix:file_test>
ff1465
+</def-group>
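Review bot: The `unix:password_state` filters accounts by `group_id >= gid_min`, which selects by primary group rather than by user: an interactive user whose primary group is a shared low-numbered group (for example `users`, GID 100) is silently dropped from the check, and a service account that happens to sit in a high-numbered primary group is pulled in. The user-ownership rule in this series selects on `user_id >= uid_min`; using the same predicate here, and keeping the collected `group_id` values only for the file_state comparison, makes the two rules agree on the set of interactive users. As in that rule, the criterion, local_variable, behaviors and file_test opening tags are not visible in this rendering and could not be reviewed.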
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
ff1465
index a9cf96afc8c..d7d75a6600f 100644
ff1465
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
ff1465
@@ -10,6 +10,9 @@ description: |-
ff1465
     interactive user home directory, use the following command:
ff1465
     
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
ff1465
 
ff1465
+    This rule ensures every initialization file related to an interactive user
ff1465
+    is group-owned by an interactive user.
ff1465
+
ff1465
 rationale: |-
ff1465
     Local initialization files for interactive users are used to configure the
ff1465
     user's shell environment upon logon. Malicious modification of these files could
ff1465
@@ -35,3 +38,9 @@ ocil: |-
ff1465
     users in <tt>/etc/passwd</tt> and verify all initialization files under the
ff1465
     respective users home directory. Check the group owner of all local interactive users
ff1465
     initialization files.
ff1465
+
ff1465
+warnings:
ff1465
+    - general: |-
ff1465
+       Due to OVAL limitation, this rule can report a false negative in a
ff1465
+       specific situation where two interactive users swap the group-ownership
ff1465
+       of their respective initialization files.
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..0b89e741fbf
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chgrp $USER /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..af240252de3
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -M $USER
ff1465
+# This make sure home dirs related to test environment users are also removed.
ff1465
+rm -Rf /home/*
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..90e1787dccc
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
ff1465
@@ -0,0 +1,10 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER1="cac_user1"
ff1465
+USER2="cac_user2"
ff1465
+
ff1465
+useradd -m $USER1
ff1465
+useradd -M $USER2
ff1465
+
ff1465
+touch /home/$USER1/.bashrc
ff1465
+chgrp $USER1 /home/$USER1/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..ed34f0940a7
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
ff1465
@@ -0,0 +1,4 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+# remove all interactive users (ID >= 1000) from /etc/passwd
ff1465
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..5b9e17c5384
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/nodotfile
ff1465
+chgrp 2 /home/$USER/nodotfile
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..b21e7229ed2
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chgrp 2 /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..7c1bcac44d6
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chgrp 10005 /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..d58a9dd63bf
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
ff1465
@@ -0,0 +1,15 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER1="cac_user1"
ff1465
+USER2="cac_user2"
ff1465
+
ff1465
+useradd -m $USER1
ff1465
+useradd -m $USER2
ff1465
+touch /home/$USER1/.bashrc
ff1465
+touch /home/$USER2/.bashrc
ff1465
+
ff1465
+# Swap the ownership of files in two home directories
ff1465
+# WARNING: This test scenario will report a false negative, as explained in the
ff1465
+# warning section of this rule.
ff1465
+chgrp -f $USER2 /home/$USER1/.bashrc
ff1465
+chgrp -f $USER1 /home/$USER2/.bashrc
ff1465
ff1465
From 2e28bd10bfec8466362e74b7c5d95481e95d0ae9 Mon Sep 17 00:00:00 2001
ff1465
From: Marcus Burghardt <maburgha@redhat.com>
ff1465
Date: Fri, 5 Nov 2021 14:06:56 +0100
ff1465
Subject: [PATCH 3/4] OVAL, tests and remediation for rule:
ff1465
ff1465
accounts_user_dot_no_world_writable_programs
ff1465
---
ff1465
 .../ansible/shared.yml                        | 10 ++++
ff1465
 .../bash/shared.sh                            |  7 +++
ff1465
 .../oval/shared.xml                           | 52 +++++++++++++++++++
ff1465
 .../tests/expected_permissions.pass.sh        |  6 +++
ff1465
 .../tests/home_dirs_absent.pass.sh            |  6 +++
ff1465
 .../tests/interactive_users_absent.pass.sh    |  4 ++
ff1465
 .../tests/lenient_permission.fail.sh          |  6 +++
ff1465
 .../tests/more_restrictive_permission.pass.sh |  6 +++
ff1465
 .../tests/no_dot_file_ignored.pass.sh         |  6 +++
ff1465
 9 files changed, 103 insertions(+)
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
ff1465
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
ff1465
new file mode 100644
ff1465
index 00000000000..210d12a53fe
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
ff1465
@@ -0,0 +1,10 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+- name: Ensure interactive local users are the group-owners of their respective initialization files
ff1465
+  ansible.builtin.command:
ff1465
+    cmd: |
ff1465
+      awk -F':' '{ if ($3 >= {{{ gid_min }}} && $3 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
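Review bot: The selection predicate `$3 >= {{{ gid_min }}}` compares the UID column against the GID threshold, and bash/shared.sh in this patch does the opposite (`$4 >= {{{ uid_min }}}`), while the rule's OVAL selects by `user_id >= uid_min`; both remediations should read `if ($3 >= {{{ uid_min }}} && $3 != 65534)`. The task `name` is copied from the group-ownership rule and describes the wrong control; `- name: Ensure initialization files of interactive local users are not group- or world-writable` matches what the command does. Note that `chmod` always follows a symbolic link named on the command line and has no `-h` option, so a symlinked dotfile in a user-controlled home directory would have its target's mode changed; iterating the home directory with `find ... ! -type l -exec chmod -f g-w,o-w {} +` instead of a shell glob avoids that.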
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
ff1465
new file mode 100644
ff1465
index 00000000000..24ff95c6cd7
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
ff1465
@@ -0,0 +1,7 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
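Review bot: The filter tests `$4`, which is the primary GID field of /etc/passwd, against `{{{ uid_min }}}`; the OVAL for this rule selects accounts by UID, and a user whose primary GID is below uid_min (or a system account whose GID happens to be above it) would be treated differently by the check and by this remediation. The condition should be `if ($3 >= {{{ uid_min }}} && $3 != 65534)`, which also brings it in line with the awk expression in the ansible remediation of this same commit. As in the ansible variant, `$6` reaches `system()` unquoted; quoting it avoids word-splitting on unusual home paths.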
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
ff1465
new file mode 100644
ff1465
index 00000000000..ca8ecb2b447
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
ff1465
@@ -0,0 +1,52 @@
ff1465
+<def-group>
ff1465
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
ff1465
+    {{{ oval_metadata("User Initialization Files Must Not Run World-Writable Programs") }}}
ff1465
+    <criteria>
ff1465
+      
ff1465
+                 comment="User Initialization Files Must Not Run World-Writable Programs"/>
ff1465
+    </criteria>
ff1465
+  </definition>
ff1465
+
ff1465
+  
ff1465
+                        version="1">
ff1465
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
ff1465
+    <filter action="include">state_accounts_user_dot_no_world_writable_programs_interactive_uids</filter>
ff1465
+  </unix:password_object>
ff1465
+
ff1465
+  
ff1465
+                       version="1">
ff1465
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
ff1465
+  </unix:password_state>
ff1465
+
ff1465
+  
ff1465
+                  datatype="string" version="1"
ff1465
+                  comment="Variable including all home dirs from interactive users">
ff1465
+    
ff1465
+                      object_ref="object_accounts_user_dot_no_world_writable_programs_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                    version="1">
ff1465
+    
ff1465
+                    recurse_file_system="local"/>
ff1465
+    
ff1465
+               var_check="at least one"/>
ff1465
+    <unix:filename operation="pattern match">^\..*</unix:filename>
ff1465
+  </unix:file_object>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                   operator='AND'>
ff1465
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
ff1465
+    <unix:owrite datatype="boolean">false</unix:owrite>
ff1465
+  </unix:file_state>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                  check_existence="any_exist" version="1"
ff1465
+                  comment="All home directories have proper permissions">
ff1465
+    <unix:object object_ref="object_accounts_user_dot_no_world_writable_programs_init_files"/>
ff1465
+    <unix:state state_ref="state_accounts_user_dot_no_world_writable_programs"/>
ff1465
+  </unix:file_test>
ff1465
+</def-group>
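Review bot: The file_test comment "All home directories have proper permissions" describes the wrong object: the test evaluates the group- and world-write bits of the dot files selected by `object_accounts_user_dot_no_world_writable_programs_init_files`, not the home directories, so a comment such as `comment="User initialization files are not group- or world-writable"` would match what the state actually asserts. More substantively, the rule title says initialization files must not run world-writable programs, but the state only checks `gwrite`/`owrite` on the initialization files themselves; if that narrowing is intentional it deserves a comment in the definition so readers do not expect the referenced programs to be examined. Several element opening tags (the criterion, password_object, local_variable, file_object, file_state and file_test headers) are not visible in this rendering, so their attributes, including the test's `check` value, could not be reviewed here.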
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..7a2b35eba77
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+echo "$USER" > /home/$USER/$USER.txt
ff1465
+chmod -f 755 /home/$USER/.*
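Review bot: The glob `/home/$USER/.*` also expands to `.` and `..`, so the chmod changes the mode of the home directory itself and of `/home`, not only the dot files the scenario is about. The same pattern in more_restrictive_permission.pass.sh sets `/home` to 700, which can affect other users in the test environment. Using a glob that excludes the two special entries, `chmod -f 755 /home/$USER/.[^.]*`, keeps the scenario limited to the initialization files.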
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..af240252de3
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -M $USER
ff1465
+# This make sure home dirs related to test environment users are also removed.
ff1465
+rm -Rf /home/*
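Review bot: The comment has a grammar slip and could also say why the removal matters for the scenario; suggested wording: `# This makes sure home dirs of pre-existing test environment users are removed too, so the check sees no home directory at all.` The identical comment appears in home_dirs_all_absent.pass.sh of the umask rule later in this patch.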
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..ed34f0940a7
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
ff1465
@@ -0,0 +1,4 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+# remove all interactive users (ID >= 1000) from /etc/passwd
ff1465
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
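Review bot: The pattern `.*:[0-9]\{4,\}:` matches any colon-delimited field of four or more digits, so it deletes entries by primary GID as well as by UID; a system account with UID below 1000 but a 4-digit GID would be removed, and a line is also matched on the GECOS field if it contains such a value between colons. Anchoring on the third field, `sed -i '/^[^:]*:[^:]*:[0-9]\{4,\}:/d' /etc/passwd`, expresses the comment's intent exactly. The hard-coded 1000 is fine only while uid_min is 1000 on every platform this test runs on; the same script is duplicated for the umask rule later in this patch.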
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..5fcf95f5f96
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+touch /home/$USER/.bashrc
ff1465
+chmod -f o+w /home/$USER/.bashrc
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..655c6d32e47
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+echo "$USER" > /home/$USER/$USER.txt
ff1465
+chmod -f 700 /home/$USER/.*
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..66439b768ca
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+echo "$USER" > /home/$USER/$USER.txt
ff1465
+chmod -f o+w /home/$USER/$USER.txt
ff1465
ff1465
From f7f5735115ad3fa98fac8644aa844ed54d4d5dd7 Mon Sep 17 00:00:00 2001
ff1465
From: Marcus Burghardt <maburgha@redhat.com>
ff1465
Date: Fri, 5 Nov 2021 14:07:55 +0100
ff1465
Subject: [PATCH 4/4] OVAL, tests and remediation for rule:
ff1465
ff1465
accounts_umask_interactive_users
ff1465
---
ff1465
 .../ansible/shared.yml                        | 12 ++++++
ff1465
 .../bash/shared.sh                            |  9 +++++
ff1465
 .../oval/shared.xml                           | 40 +++++++++++++++++++
ff1465
 .../tests/home_dirs_all_absent.pass.sh        |  6 +++
ff1465
 .../tests/home_dirs_one_absent.pass.sh        | 10 +++++
ff1465
 .../tests/interactive_users_absent.pass.sh    |  4 ++
ff1465
 .../tests/no_dot_file_ignored.pass.sh         |  5 +++
ff1465
 .../tests/umask_defined.fail.sh               |  5 +++
ff1465
 8 files changed, 91 insertions(+)
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
ff1465
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
ff1465
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
ff1465
new file mode 100644
ff1465
index 00000000000..142f10a2157
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
ff1465
@@ -0,0 +1,12 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+- name: Ensure interactive local users are the owners of their respective initialization files
ff1465
+  ansible.builtin.shell:
ff1465
+    cmd: |
ff1465
+      for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
ff1465
+        sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
ff1465
+      done
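Review bot: In a POSIX bracket expression a backslash is literal, so `[\s]` in the sed expression matches a backslash or the letter s rather than whitespace; an indented `    umask 022` in a dot file is not commented out by this remediation, while the OVAL pattern for this rule (PCRE, where `[\s]` is whitespace) does flag it, so the rule can remain failing after remediation. The substitution should use a real whitespace class, e.g. `sed -i 's/^\([[:space:]]*umask[[:space:]]*\)/#\1/' "$dir"/.[^.]?*`; the `g` flag is redundant with the `^` anchor. The same expression appears in the bash remediation and in tests/home_dirs_one_absent.pass.sh of this rule. The task name ("owners of their respective initialization files") is carried over from the ownership rule and should describe the umask change instead; also note that the loop's exit status is that of the last sed invocation, so the task fails if the glob matches nothing for the last interactive user.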
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
ff1465
new file mode 100644
ff1465
index 00000000000..0644b221df8
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
ff1465
@@ -0,0 +1,9 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
ff1465
+    sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
ff1465
+done
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
ff1465
new file mode 100644
ff1465
index 00000000000..42dbdbbae46
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
ff1465
@@ -0,0 +1,40 @@
ff1465
+<def-group>
ff1465
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
ff1465
+    {{{ oval_metadata("Ensure the Default Umask is Set Correctly For Interactive Users") }}}
ff1465
+    <criteria>
ff1465
+      
ff1465
+                 comment="Ensure the Default Umask is Set Correctly For Interactive Users"/>
ff1465
+    </criteria>
ff1465
+  </definition>
ff1465
+
ff1465
+  <unix:password_object id="object_accounts_umask_interactive_users_objects" version="1">
ff1465
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
ff1465
+    <filter action="include">state_accounts_umask_interactive_users_interactive_uids</filter>
ff1465
+  </unix:password_object>
ff1465
+
ff1465
+  <unix:password_state id="state_accounts_umask_interactive_users_interactive_uids" version="1">
ff1465
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
ff1465
+  </unix:password_state>
ff1465
+
ff1465
+  
ff1465
+                  comment="Variable including all home dirs from interactive users">
ff1465
+    
ff1465
+                      object_ref="object_accounts_umask_interactive_users_objects"/>
ff1465
+  </local_variable>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                                comment="Umask value from initialization files" version="1">
ff1465
+    <ind:path var_ref="var_accounts_umask_interactive_users_dirs" var_check="at least one"/>
ff1465
+    <ind:filename operation="pattern match">^\..*</ind:filename>
ff1465
+    <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
ff1465
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
ff1465
+  </ind:textfilecontent54_object>
ff1465
+
ff1465
+  
ff1465
+  
ff1465
+                  check_existence="none_exist" version="1"
ff1465
+                  comment="Umask must not be defined in user initialization files">
ff1465
+    <ind:object object_ref="object_accounts_umask_interactive_users"/>
ff1465
+  </ind:textfilecontent54_test>
ff1465
+</def-group>
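Review bot: The test uses `check_existence="none_exist"`, so any `umask` line in a user's dot files fails the rule, including a more restrictive `umask 077`; the definition title "Ensure the Default Umask is Set Correctly For Interactive Users" suggests a value check, and either the title or a comment on the test should state that the requirement is the absence of per-user overrides. The pattern `^[\s]*umask\s*` has no word boundary, so a line such as `umask_old=$(umask)` or `umaskfoo` also matches; `^\s*umask\b` (or `^\s*umask\s+`) limits it to the command. The opening tags of the criterion, local_variable, textfilecontent54_object and textfilecontent54_test are not visible in this rendering, so their `check` and recursion-related attributes could not be reviewed.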
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..af240252de3
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -M $USER
ff1465
+# This make sure home dirs related to test environment users are also removed.
ff1465
+rm -Rf /home/*
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..0ad9248d14b
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
ff1465
@@ -0,0 +1,10 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER1="cac_user1"
ff1465
+USER2="cac_user2"
ff1465
+
ff1465
+useradd -m $USER1
ff1465
+useradd -M $USER2
ff1465
+
ff1465
+# Make sure no umask definition exists in the startup files
ff1465
+sed -i 's/^\([\s]*umask\s*\)/#\1/g' /home/$USER1/.[^\.]?*
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..ed34f0940a7
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
ff1465
@@ -0,0 +1,4 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+# remove all interactive users (ID >= 1000) from /etc/passwd
ff1465
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
ff1465
new file mode 100644
ff1465
index 00000000000..27f580ae45a
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
ff1465
@@ -0,0 +1,5 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+echo "umask 022" > /home/$USER/nodotfile
ff1465
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
ff1465
new file mode 100644
ff1465
index 00000000000..f7835392acf
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
ff1465
@@ -0,0 +1,5 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+USER="cac_user"
ff1465
+useradd -m $USER
ff1465
+echo "umask 022" >> /home/$USER/.bashrc