rpms / scap-security-guide

Clone
Source Code
GIT

Files

  1.   ff1465361ce508f93601c5dcefe092ef09bc26bb
  2.   SOURCES
  3.   scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch
Blob Blame History Raw 
commit dc273bb872cc53f2d52af4396f4d3bba0acc178f
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Thu Feb 24 17:30:42 2022 +0100

    Manual edited patch scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch.

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
new file mode 100644
index 0000000..ff41e19
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+  ansible.builtin.getent:
+    database: passwd
+    split: ':'
+
+- name: Create local_users variable from the getent output
+  ansible.builtin.set_fact:
+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
+  ansible.builtin.stat:
+    path: '{{ item.value[4] }}'
+  register: path_exists
+  loop: '{{ local_users }}'
+  when:
+    - item.value[2]|int >= {{{ gid_min }}}
+    - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the owners of their respective home directories
+  ansible.builtin.file:
+    path: '{{ item.0.value[4] }}'
+    group: '{{ item.0.value[2] }}'
+    recurse: yes
+  loop: '{{ local_users|zip(path_exists.results)|list }}'
+  when:
+    - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
new file mode 100644
index 0000000..e392d2f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in $(awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do
+    home_dir=$(getent passwd $user | cut -d: -f6)
+    group=$(getent passwd $user | cut -d: -f4)
+    # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
+    # when the group is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find $home_dir -not -group $group -exec chgrp -f $group {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
new file mode 100644
index 0000000..1fd016a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User") }}}
+    <criteria>
+      <criterion test_ref="test_accounts_users_home_files_groupownership"
+                 comment="All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User"/>
+    </criteria>
+  </definition>
+
+  <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>
+  </unix:password_object>
+
+  <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>
+  </unix:password_state>
+
+  <local_variable id="var_accounts_users_home_files_groupownership_dirs" datatype="string" version="1"
+                  comment="Variable including all home dirs from interactive users">
+    <object_component item_field="home_dir"
+                      object_ref="object_accounts_users_home_files_groupownership_objects"/>
+  </local_variable>
+
+  <local_variable id="var_accounts_users_home_files_groupownership_gids" datatype="int" version="1"
+                  comment="List of interactive users gids">
+    <object_component item_field="group_id"
+                      object_ref="object_accounts_users_home_files_groupownership_objects"/>
+  </local_variable>
+
+  <!-- #### creation of object #### -->
+  <unix:file_object id="object_accounts_users_home_files_groupownership_dirs" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+                    recurse_file_system="local"/>
+    <unix:path var_ref="var_accounts_users_home_files_groupownership_dirs" var_check="at least one"/>
+    <unix:filename operation="pattern match">.*</unix:filename>
+  </unix:file_object>
+
+  <!-- #### creation of state #### -->
+  <unix:file_state id="state_accounts_users_home_files_groupownership_gids" version="1">
+    <unix:group_id datatype="int" var_check="only one"
+                  var_ref="var_accounts_users_home_files_groupownership_gids"/>
+  </unix:file_state>
+
+  <!-- #### creation of test #### -->
+  <unix:file_test id="test_accounts_users_home_files_groupownership" check="all"
+                  check_existence="any_exist" version="1"
+                  comment="All home directories files are group-owned by a local interactive user">
+    <unix:object object_ref="object_accounts_users_home_files_groupownership_dirs"/>
+    <unix:state state_ref="state_accounts_users_home_files_groupownership_gids"/>
+  </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
index 1c0f93a..31a0f1d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
     local interactive users files and directories, use the following command:
     <pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/<i>FILE_DIR</i></pre>
 
+    This rule ensures every file or directory under the home directory related
+    to an interactive user is group-owned by an interactive user.
+
 rationale: |-
     If a local interactive users files are group-owned by a group of which the
     user is not a member, unintended users may be able to access them.
@@ -33,3 +36,9 @@ ocil: |-
     group-owned by a group the user is a member of, run the
     following command:
     <pre>$ sudo ls -lLR /home/<i>USER</i></pre>
+
+warnings:
+    - general: |-
+       Due to OVAL limitation, this rule can report a false negative in a
+       specific situation where two interactive users swap the group-ownership
+       of folders or files in their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
new file mode 100644
index 0000000..8538430
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp -f $USER /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
new file mode 100644
index 0000000..f105723
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp 2 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
new file mode 100644
index 0000000..00fa481
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp 10005 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
new file mode 100644
index 0000000..052aa7c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+echo "$USER1" > /home/$USER1/$USER1.txt
+echo "$USER2" > /home/$USER2/$USER2.txt
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chgrp -f $USER2 /home/$USER1/$USER1.txt
+chgrp -f $USER1 /home/$USER2/$USER2.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
new file mode 100644
index 0000000..40a0579
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+  ansible.builtin.getent:
+    database: passwd
+    split: ':'
+
+- name: Create local_users variable from the getent output
+  ansible.builtin.set_fact:
+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
+  ansible.builtin.stat:
+    path: '{{ item.value[4] }}'
+  register: path_exists
+  loop: '{{ local_users }}'
+  when:
+    - item.value[1]|int >= {{{ uid_min }}}
+    - item.value[1]|int != 65534
+
+- name: Ensure interactive local users are the owners of their respective home directories
+  ansible.builtin.file:
+    path: '{{ item.0.value[4] }}'
+    owner: '{{ item.0.value[1] }}'
+    recurse: yes
+  loop: '{{ local_users|zip(path_exists.results)|list }}'
+  when:
+    - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
new file mode 100644
index 0000000..236c800
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $1 }' /etc/passwd); do
+    home_dir=$(getent passwd $user | cut -d: -f6)
+    # Only update the ownership when necessary. This will avoid changing the inode timestamp
+    # when the owner is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find $home_dir -not -user $user -exec chown -f $user {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
new file mode 100644
index 0000000..1850cfb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have a Valid Owner") }}}
+    <criteria>
+      <criterion test_ref="test_accounts_users_home_files_ownership"
+                 comment="All User Files and Directories In The Home Directory Must Have a Valid Owner"/>
+    </criteria>
+  </definition>
+
+  <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>
+  </unix:password_object>
+
+  <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+  </unix:password_state>
+
+  <local_variable id="var_accounts_users_home_files_ownership_dirs" datatype="string" version="1"
+                  comment="Variable including all home dirs from interactive users">
+    <object_component item_field="home_dir"
+                      object_ref="object_accounts_users_home_files_ownership_objects"/>
+  </local_variable>
+
+  <local_variable id="var_accounts_users_home_files_ownership_uids" datatype="int" version="1"
+                  comment="List of interactive users uids">
+    <object_component item_field="user_id"
+                      object_ref="object_accounts_users_home_files_ownership_objects"/>
+  </local_variable>
+
+  <!-- #### creation of object #### -->
+  <unix:file_object id="object_accounts_users_home_files_ownership_dirs" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+                    recurse_file_system="local"/>
+    <unix:path var_ref="var_accounts_users_home_files_ownership_dirs" var_check="at least one"/>
+    <unix:filename operation="pattern match">.*</unix:filename>
+  </unix:file_object>
+
+  <!-- #### creation of state #### -->
+  <unix:file_state id="state_accounts_users_home_files_ownership_uids" version="1">
+    <unix:user_id datatype="int" var_check="only one"
+                  var_ref="var_accounts_users_home_files_ownership_uids"/>
+  </unix:file_state>
+
+  <!-- #### creation of test #### -->
+  <unix:file_test id="test_accounts_users_home_files_ownership" check="all"
+                  check_existence="any_exist" version="1"
+                  comment="All home directories files are owned by a local interactive user">
+    <unix:object object_ref="object_accounts_users_home_files_ownership_dirs"/>
+    <unix:state state_ref="state_accounts_users_home_files_ownership_uids"/>
+  </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
index 13f6bfe..5bfb388 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
     directories, use the following command:
     <pre>$ sudo chown -R <i>USER</i> /home/<i>USER</i></pre>
 
+    This rule ensures every file or directory under the home directory related
+    to an interactive user is owned by an interactive user.
+
 rationale: |-
     If local interactive users do not own the files in their directories,
     unauthorized users may be able to access them. Additionally, if files are not
@@ -34,3 +37,9 @@ ocil: |-
     To verify all files and directories in interactive users home directory
     are owned by the user, run the following command:
     <pre>$ sudo ls -lLR /home/<i>USER</i></pre>
+
+warnings:
+    - general: |-
+       Due to OVAL limitation, this rule can report a false negative in a
+       specific situation where two interactive users swap the ownership of
+       folders or files in their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
new file mode 100644
index 0000000..da68cb4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown $USER /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
new file mode 100644
index 0000000..59c46a9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown 2 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
new file mode 100644
index 0000000..e0f5514
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown 10005 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
new file mode 100644
index 0000000..1174ec6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+echo "$USER1" > /home/$USER1/$USER1.txt
+echo "$USER2" > /home/$USER2/$USER2.txt
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown -f $USER2 /home/$USER1/$USER1.txt
+chown -f $USER1 /home/$USER2/$USER2.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
new file mode 100644
index 0000000..9473710
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+  ansible.builtin.getent:
+    database: passwd
+    split: ':'
+
+- name: Create local_users variable from the getent output
+  ansible.builtin.set_fact:
+    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing group ownership
+  ansible.builtin.stat:
+    path: '{{ item.value[4] }}'
+  register: path_exists
+  loop: '{{ local_users }}'
+  when:
+    - item.value[2]|int >= {{{ uid_min }}}
+    - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the group-owners of their respective home directories
+  ansible.builtin.file:
+    path: '{{ item.0.value[4] }}'
+    mode: 'g-w,o=-'
+    follow: no
+    recurse: yes
+  loop: '{{ local_users|zip(path_exists.results)|list }}'
+  when:
+    - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
new file mode 100644
index 0000000..186d55d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for home_dir in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $6 }' /etc/passwd); do
+    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
+    # the permission is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find $home_dir -perm /027 -exec chmod g-w,o=- {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
new file mode 100644
index 0000000..d3db46d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive") }}}
+    <criteria>
+      <criterion test_ref="test_accounts_users_home_files_permissions"
+                 comment="All files under interactive user's Home Directories must have proper permissions"/>
+    </criteria>
+  </definition>
+
+  <!-- For detailed comments about logic used in this OVAL, check the
+       "file_ownership_home_directories" rule. -->
+  <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">
+    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>
+  </unix:password_object>
+
+  <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+  </unix:password_state>
+
+  <!-- #### prepare for test_file_permissions_home_directories #### -->
+  <local_variable id="var_accounts_users_home_files_permissions_dirs" datatype="string" version="1"
+                  comment="Variable including all home dirs from interactive users">
+    <object_component item_field="home_dir" object_ref="object_accounts_users_home_files_permissions_objects"/>
+  </local_variable>
+
+  <!-- #### creation of object #### -->
+  <unix:file_object id="object_accounts_users_home_files_permissions_dirs" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+                    recurse_file_system="local"/>
+    <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>
+    <unix:filename operation="pattern match">.*</unix:filename>
+  </unix:file_object>
+
+  <!-- #### creation of state #### -->
+  <unix:file_state id="state_accounts_users_home_files_permissions_dirs" version="1" operator='AND'>
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:oread datatype="boolean">false</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
+  </unix:file_state>
+
+  <!-- #### creation of test #### -->
+  <unix:file_test id="test_accounts_users_home_files_permissions" check="all" check_existence="any_exist"
+                  version="1" comment="All home directories have proper permissions">
+    <unix:object object_ref="object_accounts_users_home_files_permissions_dirs"/>
+    <unix:state state_ref="state_accounts_users_home_files_permissions_dirs"/>
+  </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
new file mode 100644
index 0000000..3561847
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 750 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
new file mode 100644
index 0000000..8ed7fa2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 700 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
new file mode 100644
index 0000000..b561671
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 700 /home/$USER/.*
+chmod -f o+r /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
new file mode 100644
index 0000000..d7811bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/.init_file
+chmod -Rf 700 /home/$USER/.*
+chmod -f o+r /home/$USER/.init_file
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation