Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-118647

xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined fails when a user logged in once in cockpit

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.6, rhel-10.0
    • scap-security-guide
    • None
    • rhel-security-compliance
    • 3
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      When applying STIG profile, all interactive users must have a home directory:

      Title   All Interactive Users Must Have A Home Directory Defined
      Rule    xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
      Ident   CCE-88964-2
      Result  pass
      

      As soon as a user logged into cockpit, the rule fails because the rule, relying on getent passwd output, doesn't strip the dynamic users:

      [root@vm-stig9 ~]# getent passwd 
      root:x:0:0:root:/root:/bin/bash
      [...]
      admin:x:1000:1000::/home/admin:/bin/bash
      cockpit-systemd-service:x:61789:61789:Dynamic User:/:/usr/sbin/nologin
      cockpit-session-socket:x:63205:63205:Dynamic User:/:/usr/sbin/nologin
      cockpit-wsinstance-https:x:63714:63714:Dynamic User:/:/usr/sbin/nologin
      cockpit-wsinstance-socket:x:62764:62764:Dynamic User:/:/usr/sbin/nologin
      

      There are actually 2 distinct issues here:

      1. It doesn't strip the users because they have login shell /usr/sbin/nologin whereas the macro building the interactive users list only considers /sbin/nologin (see line 1228):
        1194 {{%- macro create_interactive_users_list_object(object_id, include_root=False) -%}}
        1195   {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
         :
        1212   <unix:password_object id="{{{ object_id }}}_others" version="1">
        1213     <unix:username datatype="string" operation="pattern match">.*</unix:username>
        1214     <filter action="include">state_{{{ rule_id }}}_users_uids</filter>
        1215     <filter action="exclude">state_{{{ rule_id }}}_users_ignored</filter>
        1216     <filter action="exclude">state_{{{ rule_id }}}_users_nologin_shell</filter>
        1217   </unix:password_object>
         :
        1227   <unix:password_state id="state_{{{ rule_id }}}_users_nologin_shell" version="1">
        1228     <unix:login_shell datatype="string" operation="pattern match">^/sbin/nologin$</unix:login_shell>
        1229   </unix:password_state>
        
      2. As per STIG documentation, getent passwd is not supposed to be used to retrieve the users list, but only /etc/passwd be parsed instead
        See attached screenshot of page 448 of CIS_Red_Hat_Enterprise_Linux_9_STIG_Benchmark_v1.0.0.pdf.

      What is the impact of this issue to you?

      Fail to comply to STIG

      Please provide the package NVR for which the bug is seen:

      scap-security-guide-0.1.78-1.el9
      Upstream scap-security-guide

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install a fresh system with STIG
      2. Install cockpit and start the cockpit.socket unit
      3. Log into cockpit
      4. Perform a scan
        # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

      Expected results

      Rule PASSes

      Actual results

      Rule FAILs

      Additional information

      I'm attaching a patch which fixes Issue 1.

        1. rhcase04267938.patch
          0.8 kB
        2. STIG_rule.png
          STIG_rule.png
          153 kB

              ggasparb Gabriel Gaspar Becker
              rhn-support-rmetrich Renaud Métrich
              Vojtech Polasek Vojtech Polasek
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: