From 55ec5c49441f6b99914eef15c6cc559910311934 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:02:09 +0100
Subject: [PATCH 1/4] OVAL, tests and remediation for rule:
accounts_user_dot_user_ownership
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../accounts_user_dot_user_ownership/rule.yml | 9 ++++
.../tests/expected_owner.pass.sh | 6 +++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../home_dirs_one_absent_owner_ok.pass.sh | 10 ++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
.../tests/unexpected_owner_system_uid.fail.sh | 6 +++
.../unexpected_owner_unknown_uid.fail.sh | 6 +++
.../tests/warning_swapped_owners.pass.sh | 15 ++++++
12 files changed, 137 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
new file mode 100644
index 00000000000..3801e0cfdec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
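Review bot: The `system()` call on the last line interpolates `$6` unquoted and without any sanity check, so a passwd entry whose home field is empty expands to `chown -f <uid> /.[^\.]?*` and hands dotfiles in the filesystem root to that user, and a home path containing whitespace is word-split the same way. Skip empty or root home fields and quote the path, e.g. `if ($3 >= {{{ uid_min }}} && $3 != 65534 && $6 != "" && $6 != "/") system("chown -f " $3 " \"" $6 "\"/.[^\.]?*")`. The glob `.[^\.]?*` also requires at least two characters after the dot, so a two-character dotfile such as `.x` is never remediated although the OVAL pattern `^\..*` would flag it. The same awk line is used in bash/shared.sh of this patch and, with chgrp, in both remediations of the second patch, so the fix applies there too.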
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
new file mode 100644
index 00000000000..f362a2656aa
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
new file mode 100644
index 00000000000..fb12ce73b23
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Be Owned By the Primary User") }}}
+ <criteria>
+
+ comment="User Initialization Files Must Be Owned By the Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_user_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_user_ownership_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_user_ownership_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+
+ comment="Variable including all home dirs from interactive users">
+
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
+ </local_variable>
+
+
+ comment="List of interactive users uids">
+
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
+ </local_variable>
+
+
+ <unix:file_object id="object_accounts_user_dot_user_ownership_init_files" version="1">
+
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_user_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+
+ <unix:file_state id="state_accounts_user_dot_user_ownership_uids" version="1">
+
+ var_ref="var_accounts_user_dot_user_ownership_uids"/>
+ </unix:file_state>
+
+
+
+ check_existence="any_exist" version="1"
+ comment="All user initialization files are owned by a local interactive user">
+ <unix:object object_ref="object_accounts_user_dot_user_ownership_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_user_ownership_uids"/>
+ </unix:file_test>
+</def-group>
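Review bot: The password_object near the top of this file excludes the nobody account by name (`operation="not equal"` nobody) while the remediation excludes it by uid 65534; on a system where the uid-65534 account carries a different name (RHEL 7's nfsnobody, for instance) the check treats it as an interactive user and scans its home directory for dotfiles, while the remediation skips it. Adding a second `<filter>` backed by a password_state on `unix:user_id` with `operation="not equal"` 65534, or keying both sides on the same criterion, keeps check and remediation aligned. Several opening tags in this hunk (the criterion, local_variable, behaviors, user_id and file_test elements) are missing from this rendering, so the var_check and recurse settings could not be reviewed here. The group-ownership OVAL in the second patch has the same name-versus-uid mismatch.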
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index 37efb159c08..ec75aa01f12 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -9,6 +9,9 @@ description: |-
the primary owner with the following command:
$ sudo chown USER /home/USER/.*
+ This rule ensures every initialization file related to an interactive user
+ is owned by an interactive user.
+
rationale: |-
Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
@@ -33,3 +36,9 @@ ocil: |-
primary user, run the following command:
$ sudo ls -al /home/USER/.*
The user initialization files should be owned by USER.
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the ownership of
+ their respective initialization files.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
new file mode 100644
index 00000000000..3d30238225e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown $USER /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
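Review bot: `rm -Rf /home/*` only establishes the "all absent" scenario for accounts whose home lives under /home; an interactive user on the test VM with a home directory elsewhere would still be present with its dotfiles, and the wildcard also wipes the home of whatever account the test harness itself logs in with, which the comment acknowledges as intended. A more targeted setup would walk /etc/passwd and remove only the home directories of accounts with uid at or above uid_min. The comment on the line above also has a typo and would read better as `# This makes sure home dirs related to test environment users are also removed.` The same script is added again for the group-ownership rule in the second patch.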
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
new file mode 100644
index 00000000000..840477d2c83
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+touch /home/$USER1/.bashrc
+chown $USER1 /home/$USER1/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
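Review bot: The sed expression on the last line is not anchored to the uid field: `:[0-9]\{4,\}:` also matches a four-or-more-digit GID in the fourth field, so a system account with a uid below 1000 but a large primary group is deleted as well, and the hard-coded four-digit threshold silently assumes uid_min is 1000 while the rule itself is parameterized by `{{{ uid_min }}}`. Anchor the match to the third field, `sed -i -E '/^[^:]*:[^:]*:[0-9]{4,}:/d' /etc/passwd`, or compare the field numerically with awk against the same uid_min value the rule uses. Deleting lines from /etc/passwd directly also leaves the corresponding shadow and group entries behind, which is acceptable in a throwaway test VM but deserves a comment. The identical script is added for the group-ownership rule in the second patch.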
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..9292a46b3b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chown 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
new file mode 100644
index 00000000000..0373eb6a5f6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
new file mode 100644
index 00000000000..da7f50ce905
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
new file mode 100644
index 00000000000..b4a95ae2242
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+touch /home/$USER1/.bashrc
+touch /home/$USER2/.bashrc
+
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown -f $USER2 /home/$USER1/.bashrc
+chown -f $USER1 /home/$USER2/.bashrc
From cc6318c8afc898190a090058fbdfbdfc741d4d85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:05:19 +0100
Subject: [PATCH 2/4] OVAL, tests and remediation for rule:
accounts_user_dot_group_ownership
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../rule.yml | 9 ++++
.../tests/expected_groupowner.pass.sh | 6 +++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../home_dirs_one_absent_group_ok.pass.sh | 10 ++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
.../unexpected_groupowner_system_gid.fail.sh | 6 +++
.../unexpected_groupowner_unknown_gid.fail.sh | 6 +++
.../tests/warning_swapped_groupowners.pass.sh | 15 ++++++
12 files changed, 137 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
new file mode 100644
index 00000000000..1a9fa192359
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the group-owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
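Review bot: The `chgrp -f " $3` on the last line passes the user's UID (`$3`) as the group rather than the primary GID (`$4`); the two coincide only under user-private-groups with matching ids, and where they differ the dotfiles end up group-owned by whatever group happens to have a gid equal to the uid, or by a gid that exists in no group at all. Use the fourth field: `system("chgrp -f " $4 " " $6 "/.[^\.]?*")`. The selection criterion also disagrees with the OVAL in this patch, which filters accounts by `group_id >= gid_min`, whereas this line filters by `$3 >= uid_min`: an interactive user whose primary group is a low-numbered shared group (users, gid 100, for example) is remediated but never checked, and a low-uid account with a high primary gid is checked but never remediated. bash/shared.sh in this patch repeats the same line.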
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
new file mode 100644
index 00000000000..2b0fe395e29
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
new file mode 100644
index 00000000000..7ee39a3e794
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Be Group-Owned By The Primary User") }}}
+ <criteria>
+
+ comment="User Initialization Files Must Be Group-Owned By The Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_group_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_group_ownership_interactive_gids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_group_ownership_interactive_gids" version="1">
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
+ </unix:password_state>
+
+
+ comment="Variable including all home dirs from interactive users">
+
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+
+ comment="List of interactive users gids">
+
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+
+ <unix:file_object id="object_accounts_user_dot_group_ownership_init_files" version="1">
+
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_group_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+
+ <unix:file_state id="state_accounts_user_dot_group_ownership_gids" version="1">
+
+ var_ref="var_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_state>
+
+
+
+ check_existence="any_exist" version="1"
+ comment="All user initialization files are group-owned by a local interactive user">
+ <unix:object object_ref="object_accounts_user_dot_group_ownership_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index a9cf96afc8c..d7d75a6600f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
interactive user home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
+ This rule ensures every initialization file related to an interactive user
+ is group-owned by an interactive user.
+
rationale: |-
Local initialization files for interactive users are used to configure the
user's shell environment upon logon. Malicious modification of these files could
@@ -35,3 +38,9 @@ ocil: |-
users in <tt>/etc/passwd</tt> and verify all initialization files under the
respective users home directory. Check the group owner of all local interactive users
initialization files.
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the group-ownership
+ of their respective initialization files.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
new file mode 100644
index 00000000000..0b89e741fbf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp $USER /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
new file mode 100644
index 00000000000..90e1787dccc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+touch /home/$USER1/.bashrc
+chgrp $USER1 /home/$USER1/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..5b9e17c5384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chgrp 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
new file mode 100644
index 00000000000..b21e7229ed2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
new file mode 100644
index 00000000000..7c1bcac44d6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
new file mode 100644
index 00000000000..d58a9dd63bf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
@@ -0,0 +1,15 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER1="cac_user1"
|
|
|
ff1465 |
+USER2="cac_user2"
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+useradd -m $USER1
|
|
|
ff1465 |
+useradd -m $USER2
|
|
|
ff1465 |
+touch /home/$USER1/.bashrc
|
|
|
ff1465 |
+touch /home/$USER2/.bashrc
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+# Swap the ownership of files in two home directories
|
|
|
ff1465 |
+# WARNING: This test scenario will report a false negative, as explained in the
|
|
|
ff1465 |
+# warning section of this rule.
|
|
|
ff1465 |
+chgrp -f $USER2 /home/$USER1/.bashrc
|
|
|
ff1465 |
+chgrp -f $USER1 /home/$USER2/.bashrc
|
|
|
ff1465 |
|
|
|
ff1465 |
From 2e28bd10bfec8466362e74b7c5d95481e95d0ae9 Mon Sep 17 00:00:00 2001
|
|
|
ff1465 |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
ff1465 |
Date: Fri, 5 Nov 2021 14:06:56 +0100
|
|
|
ff1465 |
Subject: [PATCH 3/4] OVAL, tests and remediation for rule:
|
|
|
ff1465 |
|
|
|
ff1465 |
accounts_user_dot_no_world_writable_programs
|
|
|
ff1465 |
---
|
|
|
ff1465 |
.../ansible/shared.yml | 10 ++++
|
|
|
ff1465 |
.../bash/shared.sh | 7 +++
|
|
|
ff1465 |
.../oval/shared.xml | 52 +++++++++++++++++++
|
|
|
ff1465 |
.../tests/expected_permissions.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/home_dirs_absent.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/interactive_users_absent.pass.sh | 4 ++
|
|
|
ff1465 |
.../tests/lenient_permission.fail.sh | 6 +++
|
|
|
ff1465 |
.../tests/more_restrictive_permission.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/no_dot_file_ignored.pass.sh | 6 +++
|
|
|
ff1465 |
9 files changed, 103 insertions(+)
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..210d12a53fe
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
|
|
|
ff1465 |
@@ -0,0 +1,10 @@
|
|
|
ff1465 |
+# platform = multi_platform_all
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = restrict
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = low
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+- name: Ensure interactive local users are the group-owners of their respective initialization files
|
|
|
ff1465 |
+ ansible.builtin.command:
|
|
|
ff1465 |
+ cmd: |
|
|
|
ff1465 |
+ awk -F':' '{ if ($3 >= {{{ gid_min }}} && $3 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
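Review bot: The awk filter compares the UID column `$3` against `{{{ gid_min }}}`, while the OVAL for this rule filters accounts on `user_id >= {{{ uid_min }}}` (the `unix:password_state` in oval/shared.xml), so the remediation and the check select different account sets whenever the two product variables differ; bash/shared.sh has the mirror-image mistake (`$4`, the GID column, against `uid_min`). Both should read `if ($3 >= {{{ uid_min }}} && $3 != 65534)`. The task name is also copied from the group-ownership rule and does not describe this task; `- name: Ensure initialization files of interactive local users are not group- or world-writable` matches what the chmod does.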
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..24ff95c6cd7
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
|
|
|
ff1465 |
@@ -0,0 +1,7 @@
|
|
|
ff1465 |
+# platform = multi_platform_all
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = restrict
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = low
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
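Review bot: `chmod` dereferences symbolic links, so when the glob `"$6"/.[^\.]?*` expands to a dot-entry that is a symlink pointing outside the home directory, the mode change is applied to the link target as root; the same line is run from ansible/shared.yml. Since the OVAL `unix:file_object` only evaluates entries named by `unix:filename`, the remediation is also broader than the check in that it touches dot-directories (`.ssh`, `.config`, …) as well as files. Restricting the operation to regular files in the home directory itself, e.g. `find "$6" -maxdepth 1 -name '.*' -type f -exec chmod -f g-w,o-w {} +` inside the `system()` call, keeps root from modifying anything a user can point a link at. The `$4` versus `$3` column issue is raised on the Ansible hunk.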
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..ca8ecb2b447
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
|
|
|
ff1465 |
@@ -0,0 +1,52 @@
|
|
|
ff1465 |
+<def-group>
|
|
|
ff1465 |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
ff1465 |
+ {{{ oval_metadata("User Initialization Files Must Not Run World-Writable Programs") }}}
|
|
|
ff1465 |
+ <criteria>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ comment="User Initialization Files Must Not Run World-Writable Programs"/>
|
|
|
ff1465 |
+ </criteria>
|
|
|
ff1465 |
+ </definition>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ version="1">
|
|
|
ff1465 |
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
|
|
ff1465 |
+ <filter action="include">state_accounts_user_dot_no_world_writable_programs_interactive_uids</filter>
|
|
|
ff1465 |
+ </unix:password_object>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ version="1">
|
|
|
ff1465 |
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
|
|
ff1465 |
+ </unix:password_state>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ datatype="string" version="1"
|
|
|
ff1465 |
+ comment="Variable including all home dirs from interactive users">
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ object_ref="object_accounts_user_dot_no_world_writable_programs_objects"/>
|
|
|
ff1465 |
+ </local_variable>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ version="1">
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ recurse_file_system="local"/>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ var_check="at least one"/>
|
|
|
ff1465 |
+ <unix:filename operation="pattern match">^\..*</unix:filename>
|
|
|
ff1465 |
+ </unix:file_object>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ operator='AND'>
|
|
|
ff1465 |
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
|
|
|
ff1465 |
+ <unix:owrite datatype="boolean">false</unix:owrite>
|
|
|
ff1465 |
+ </unix:file_state>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ check_existence="any_exist" version="1"
|
|
|
ff1465 |
+ comment="All home directories have proper permissions">
|
|
|
ff1465 |
+ <unix:object object_ref="object_accounts_user_dot_no_world_writable_programs_init_files"/>
|
|
|
ff1465 |
+ <unix:state state_ref="state_accounts_user_dot_no_world_writable_programs"/>
|
|
|
ff1465 |
+ </unix:file_test>
|
|
|
ff1465 |
+</def-group>
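Review bot: The metadata title "User Initialization Files Must Not Run World-Writable Programs" describes a property of the programs invoked from the init files, but the `unix:file_state` only asserts `gwrite`/`owrite` are false on the dot files themselves; nothing here inspects the executables those files reference, so the check is weaker than the title promises. Either the title/description should say what is actually evaluated ("initialization files of interactive users are not group- or world-writable") or the gap should be recorded in the rule's warning section. The test comment `All home directories have proper permissions` is likewise misleading, since the object matches files named `^\..*`, not directories; `comment="User initialization files are not group- or world-writable"` would be accurate. Several element-opening lines of this hunk are not visible in this rendering, so the ids were only checked as far as shown.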
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..7a2b35eba77
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+echo "$USER" > /home/$USER/$USER.txt
|
|
|
ff1465 |
+chmod -f 755 /home/$USER/.*
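Review bot: The glob `/home/$USER/.*` also expands to `.` and `..`, so this line changes the mode of the home directory and of `/home` itself, not just the dot files; in more_restrictive_permission.pass.sh the same pattern with `700` would remove traversal on `/home` for every other user of the test system. Use the same dot-file glob the remediation uses, `chmod -f 755 /home/$USER/.[^.]*`, in both scenarios. The `echo "$USER" > /home/$USER/$USER.txt` line has no bearing on a permissions scenario and can be dropped here (it belongs in no_dot_file_ignored.pass.sh, where it is the point of the test).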
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..af240252de3
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -M $USER
|
|
|
ff1465 |
+# This make sure home dirs related to test environment users are also removed.
|
|
|
ff1465 |
+rm -Rf /home/*
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..ed34f0940a7
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,4 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
|
|
ff1465 |
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
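Review bot: The expression `/.*:[0-9]\{4,\}:/` is not anchored to the UID field, so any passwd line whose GID field (or any other colon-delimited field) has four or more digits is deleted too, which removes system accounts with a large primary group and may leave the scenario with an account set that does not reflect "no interactive users". Anchoring on the third field, `sed -i -E '/^[^:]*:[^:]*:[0-9]{4,}:/d' /etc/passwd`, removes only the intended entries. The threshold is also hard-coded to 1000 while the check uses `{{{ uid_min }}}`; if test scripts are templated like the remediations, the macro should be used here as well. The identical script is added for accounts_umask_interactive_users (tests/interactive_users_absent.pass.sh) and needs the same change.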
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..5fcf95f5f96
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+touch /home/$USER/.bashrc
|
|
|
ff1465 |
+chmod -f o+w /home/$USER/.bashrc
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..655c6d32e47
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+echo "$USER" > /home/$USER/$USER.txt
|
|
|
ff1465 |
+chmod -f 700 /home/$USER/.*
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..66439b768ca
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+echo "$USER" > /home/$USER/$USER.txt
|
|
|
ff1465 |
+chmod -f o+w /home/$USER/$USER.txt
|
|
|
ff1465 |
|
|
|
ff1465 |
From f7f5735115ad3fa98fac8644aa844ed54d4d5dd7 Mon Sep 17 00:00:00 2001
|
|
|
ff1465 |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
ff1465 |
Date: Fri, 5 Nov 2021 14:07:55 +0100
|
|
|
ff1465 |
Subject: [PATCH 4/4] OVAL, tests and remediation for rule:
|
|
|
ff1465 |
|
|
|
ff1465 |
accounts_umask_interactive_users
|
|
|
ff1465 |
---
|
|
|
ff1465 |
.../ansible/shared.yml | 12 ++++++
|
|
|
ff1465 |
.../bash/shared.sh | 9 +++++
|
|
|
ff1465 |
.../oval/shared.xml | 40 +++++++++++++++++++
|
|
|
ff1465 |
.../tests/home_dirs_all_absent.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/home_dirs_one_absent.pass.sh | 10 +++++
|
|
|
ff1465 |
.../tests/interactive_users_absent.pass.sh | 4 ++
|
|
|
ff1465 |
.../tests/no_dot_file_ignored.pass.sh | 5 +++
|
|
|
ff1465 |
.../tests/umask_defined.fail.sh | 5 +++
|
|
|
ff1465 |
8 files changed, 91 insertions(+)
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
|
|
|
ff1465 |
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..142f10a2157
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
|
|
ff1465 |
@@ -0,0 +1,12 @@
|
|
|
ff1465 |
+# platform = multi_platform_all
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = restrict
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = low
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+- name: Ensure interactive local users are the owners of their respective initialization files
|
|
|
ff1465 |
+ ansible.builtin.shell:
|
|
|
ff1465 |
+ cmd: |
|
|
|
ff1465 |
+ for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
|
|
ff1465 |
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
|
|
|
ff1465 |
+ done
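Review bot: In a sed bracket expression `\s` is not a whitespace class: `[\s]` matches a literal backslash or the letter `s`, so `^\([\s]*umask\s*\)` only comments out `umask` lines that start in column 0, while the OVAL pattern `^[\s]*umask\s*` (where `\s` is PCRE whitespace) also flags indented ones; after remediation such files still fail the check. Use POSIX classes, `sed -i 's/^\([[:space:]]*umask[[:space:]]*\)/#\1/g' $dir/.[^\.]?*`, here, in bash/shared.sh and in tests/home_dirs_one_absent.pass.sh, which share the line. The task name is copied from the ownership rule; `- name: Ensure umask is not set in the initialization files of interactive local users` describes this task.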
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..0644b221df8
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
|
|
ff1465 |
@@ -0,0 +1,9 @@
|
|
|
ff1465 |
+# platform = multi_platform_all
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = restrict
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = low
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
|
|
ff1465 |
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
|
|
|
ff1465 |
+done
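Review bot: The loop does not skip accounts whose home directory is missing (the home_dirs_one_absent scenario) or contains no dot files; in both cases the glob is passed to `sed -i` literally and sed exits non-zero, and as the last command of the loop body that status becomes the script's exit status, so the Ansible `shell` variant of the same loop would report the task failed. Adding `[ -d "$dir" ] || continue` as the first line of the loop body, and quoting `"$dir"` against home paths with whitespace, avoids the spurious errors. `sed -i` on dot-directories such as `.ssh` also prints "couldn't edit: not a regular file"; iterating with a `-type f` guard keeps the remediation to files. The `[\s]` bracket-expression issue is raised on the Ansible hunk.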
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..42dbdbbae46
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
|
|
ff1465 |
@@ -0,0 +1,40 @@
|
|
|
ff1465 |
+<def-group>
|
|
|
ff1465 |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
ff1465 |
+ {{{ oval_metadata("Ensure the Default Umask is Set Correctly For Interactive Users") }}}
|
|
|
ff1465 |
+ <criteria>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ comment="Ensure the Default Umask is Set Correctly For Interactive Users"/>
|
|
|
ff1465 |
+ </criteria>
|
|
|
ff1465 |
+ </definition>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ <unix:password_object id="object_accounts_umask_interactive_users_objects" version="1">
|
|
|
ff1465 |
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
|
|
ff1465 |
+ <filter action="include">state_accounts_umask_interactive_users_interactive_uids</filter>
|
|
|
ff1465 |
+ </unix:password_object>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ <unix:password_state id="state_accounts_umask_interactive_users_interactive_uids" version="1">
|
|
|
ff1465 |
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
|
|
ff1465 |
+ </unix:password_state>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ comment="Variable including all home dirs from interactive users">
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ object_ref="object_accounts_umask_interactive_users_objects"/>
|
|
|
ff1465 |
+ </local_variable>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ comment="Umask value from initialization files" version="1">
|
|
|
ff1465 |
+ <ind:path var_ref="var_accounts_umask_interactive_users_dirs" var_check="at least one"/>
|
|
|
ff1465 |
+ <ind:filename operation="pattern match">^\..*</ind:filename>
|
|
|
ff1465 |
+ <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
|
|
|
ff1465 |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
ff1465 |
+ </ind:textfilecontent54_object>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ check_existence="none_exist" version="1"
|
|
|
ff1465 |
+ comment="Umask must not be defined in user initialization files">
|
|
|
ff1465 |
+ <ind:object object_ref="object_accounts_umask_interactive_users"/>
|
|
|
ff1465 |
+ </ind:textfilecontent54_test>
|
|
|
ff1465 |
+</def-group>
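Review bot: The pattern `^[\s]*umask\s*` accepts zero trailing whitespace, so it also matches lines where `umask` is merely a prefix of an identifier (a constructed example: `umask_old=$(umask)`), producing a false positive for a file that never sets the umask; `^\s*umask\b` limits the match to the builtin. The test comment says "Umask must not be defined in user initialization files" while the metadata title says the umask "is Set Correctly"; since `check_existence="none_exist"` enforces the former, the title and description should state that user-level umask definitions are prohibited so the system-wide default applies.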
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..af240252de3
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -M $USER
|
|
|
ff1465 |
+# This make sure home dirs related to test environment users are also removed.
|
|
|
ff1465 |
+rm -Rf /home/*
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..0ad9248d14b
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,10 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER1="cac_user1"
|
|
|
ff1465 |
+USER2="cac_user2"
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+useradd -m $USER1
|
|
|
ff1465 |
+useradd -M $USER2
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+# Make sure no umask definition exists in the startup files
|
|
|
ff1465 |
+sed -i 's/^\([\s]*umask\s*\)/#\1/g' /home/$USER1/.[^\.]?*
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..ed34f0940a7
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,4 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
|
|
ff1465 |
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..27f580ae45a
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,5 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+echo "umask 022" > /home/$USER/nodotfile
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..f7835392acf
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,5 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+USER="cac_user"
|
|
|
ff1465 |
+useradd -m $USER
|
|
|
ff1465 |
+echo "umask 022" >> /home/$USER/.bashrc
|