What were you trying to do that didn't work?

When applying STIG profile, all interactive users must have a home directory:

Title   All Interactive Users Must Have A Home Directory Defined
Rule    xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
Ident   CCE-88964-2
Result  pass

As soon as a user logged into cockpit, the rule fails because the rule, relying on getent passwd output, doesn't strip the dynamic users:

[root@vm-stig9 ~]# getent passwd 
root:x:0:0:root:/root:/bin/bash
[...]
admin:x:1000:1000::/home/admin:/bin/bash
cockpit-systemd-service:x:61789:61789:Dynamic User:/:/usr/sbin/nologin
cockpit-session-socket:x:63205:63205:Dynamic User:/:/usr/sbin/nologin
cockpit-wsinstance-https:x:63714:63714:Dynamic User:/:/usr/sbin/nologin
cockpit-wsinstance-socket:x:62764:62764:Dynamic User:/:/usr/sbin/nologin

There are actually 2 distinct issues here:

1. It doesn't strip the users because they have login shell /usr/sbin/nologin whereas the macro building the interactive users list only considers /sbin/nologin (see line 1228):

   1194 {{%- macro create_interactive_users_list_object(object_id, include_root=False) -%}}
   1195   {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
    :
   1212   <unix:password_object id="{{{ object_id }}}_others" version="1">
   1213     <unix:username datatype="string" operation="pattern match">.*</unix:username>
   1214     <filter action="include">state_{{{ rule_id }}}_users_uids</filter>
   1215     <filter action="exclude">state_{{{ rule_id }}}_users_ignored</filter>
   1216     <filter action="exclude">state_{{{ rule_id }}}_users_nologin_shell</filter>
   1217   </unix:password_object>
    :
   1227   <unix:password_state id="state_{{{ rule_id }}}_users_nologin_shell" version="1">
   1228     <unix:login_shell datatype="string" operation="pattern match">^/sbin/nologin$</unix:login_shell>
   1229   </unix:password_state>
   

2. As per STIG documentation, getent passwd is not supposed to be used to retrieve the users list, but only /etc/passwd be parsed instead
   See attached screenshot of page 448 of CIS_Red_Hat_Enterprise_Linux_9_STIG_Benchmark_v1.0.0.pdf.

What is the impact of this issue to you?

Fail to comply to STIG

Please provide the package NVR for which the bug is seen:

scap-security-guide-0.1.78-1.el9
Upstream scap-security-guide

How reproducible is this bug?:

Always

Steps to reproduce

1. Install a fresh system with STIG
2. Install cockpit and start the cockpit.socket unit
3. Log into cockpit
4. Perform a scan

   # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Expected results

Rule PASSes

Actual results

Rule FAILs

Additional information

I'm attaching a patch which fixes Issue 1.