commit 549241cec9404bd211a580454fdd28cb72dfe520 Author: Gabriel Becker Date: Thu Feb 24 17:24:17 2022 +0100 Manual edited patch scap-security-guide-0.1.59-BZ1884687-PR_7770.patch. diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml new file mode 100644 index 0000000..09d1984 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml @@ -0,0 +1,31 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence of home directories to avoid creating them, but only fixing group ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[2]|int >= {{{ gid_min }}} + - item.value[2]|int != 65534 + +- name: Ensure interactive local users are the group-owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + group: '{{ item.0.value[2] }}' + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh new file mode 100644 index 0000000..08f7307 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh 
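Review bot: The stat task's `when` selects accounts by the GID field (`item.value[2]|int >= {{{ gid_min }}}`), so a user whose UID is in the interactive range but whose primary group is a shared low GID (for example a distribution that defaults new users into a group below gid_min) is skipped, while a system account that happens to sit in a high-numbered group gets its home directory chgrp'd. That looks consistent with the OVAL's gid_min state in this commit, but it is not the definition the OCIL text of this rule uses (`$3>=1000`, i.e. UID) nor the one the sibling ownership remediation uses (`item.value[1]`), so the check, the remediation and the verification text can disagree on which homes are in scope. If "interactive user" is meant to be UID-based, the selector should become `- item.value[1]|int >= {{{ uid_min }}}` and `- item.value[1]|int != 65534` while the fix keeps `group: '{{ item.0.value[2] }}'`; the bash remediation's `$4 >= {{{ gid_min }}}` has the same question. Whichever definition is chosen, a short comment above the task stating it would stop the next copy of this playbook from drifting again.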
@@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml new file mode 100644 index 0000000..a1d1f2e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml @@ -0,0 +1,89 @@ + + + {{{ oval_metadata("All interactive user's Home Directories must be group-owned by its user") }}} + + + + + + + + + nobody + state_file_groupownership_home_directories_interactive_gids + + + + {{{ gid_min }}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + var_file_groupownership_home_directories_gids_count + + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml index 2e6ce60..e33660f 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml @@ -10,6 +10,10 @@ description: |- interactive users home directory, use the following command:
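Review bot: `system("chgrp -f " $4" "$6)` hands the home-directory path to a shell unquoted, so a path containing a space or glob character is word-split and chgrp is applied to the wrong names; the `-f` then hides the resulting errors. The same construction appears in the ownership (`chown -f`) and permissions (`chmod -f 700`) remediations in this commit. Reading /etc/passwd with a `while IFS=: read -r` loop removes the shell round-trip and lets the path be quoted; an explicit `[ -d "$home" ]` guard mirrors the Ansible remediation's existence check and makes `-f` unnecessary, so genuine failures are no longer silenced. The `{{{ gid_min }}}` template value is rendered at build time exactly as before.
```shell
while IFS=: read -r _user _passwd _uid gid _gecos home _shell; do
    if [ "$gid" -ge {{{ gid_min }}} ] && [ "$gid" -ne 65534 ] && [ -d "$home" ]; then
        chgrp "$gid" "$home"
    fi
done < /etc/passwd
```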
$ sudo chgrp USER_GROUP /home/USER
+ This rule ensures every home directory related to an interactive user is + group-owned by an interactive user. It also ensures that interactive users + are group-owners of one and only one home directory. + rationale: |- If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized @@ -42,3 +46,9 @@ ocil: |- To verify the assigned home directory of all interactive users is group- owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+ +warnings: + - general: |- + Due to OVAL limitation, this rule can report a false negative in a + specific situation where two interactive users swap the group-ownership + of their respective home directories. diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh new file mode 100644 index 0000000..1605339 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +chgrp $USER /home/$USER diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh new file mode 100644 index 0000000..5bce517 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -M $USER2 
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
new file mode 100644
index 0000000..9d0f765
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chgrp $USER1 /home/$USER1
+chgrp $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
new file mode 100644
index 0000000..c1a87c1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chgrp 2 /home/$USER
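Review bot: The pattern `/.*:[0-9]\{4,\}:/d` in interactive_users_absent.pass.sh is not anchored to the UID field, so it deletes any passwd line in which some colon-delimited field has four or more digits: the GID field of a system account in a high-numbered group, and `nobody` where it carries 65534. The scenario still passes because no interactive user survives, but the comment "remove all interactive users (ID >= 1000)" promises a narrower edit than the script performs, and removing `nobody` can affect other tooling in the test environment. Anchoring on the third field, `sed -i -E '/^[^:]*:[^:]*:[0-9]{4,}:/d' /etc/passwd`, does what the comment says; the identical script is added again for the ownership and permissions rules later in this commit.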
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
new file mode 100644
index 0000000..d352011
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chgrp 10005 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
new file mode 100644
index 0000000..0cffa4a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chgrp $USER2 /home/$USER1
+chgrp $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
new file mode 100644
index 0000000..3e5b778
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
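Review bot: warning_home_dirs_crossed_groupowner.pass.sh runs exactly the same commands as warning_home_dirs_swapped_groupowner.pass.sh (`chgrp $USER2 /home/$USER1` then `chgrp $USER1 /home/$USER2`), so the two files exercise one scenario twice, and the "crossed" script's comment `# Define the same owner for two home directories` is copied from home_dirs_with_same_groupowner.fail.sh and does not describe what the script does. Either drop the "crossed" file or make it a distinct case and give it a comment that states the difference, plus the same false-negative warning the "swapped" script carries. The ownership rule's warning_home_dirs_crossed_owner / warning_home_dirs_swapped_owner pair later in this commit has the identical duplication.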
@@ -0,0 +1,12 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -m $USER2 +# Swap the group-ownership of two home directories +# WARNING: This test scenario will report a false negative, as explained in the +# warning section of this rule. +chgrp $USER2 /home/$USER1 +chgrp $USER1 /home/$USER2 diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml new file mode 100644 index 0000000..97d4274 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml @@ -0,0 +1,31 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence home directories to avoid creating them, but only fixing ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[1]|int >= {{{ uid_min }}} + - item.value[1]|int != 65534 + +- name: Ensure interactive local users are the owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + owner: '{{ item.0.value[1] }}' + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh new file mode 100644 index 0000000..1d1e675 --- /dev/null 
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml new file mode 100644 index 0000000..3d0b9ae --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml @@ -0,0 +1,142 @@ + + + + + {{{ oval_metadata("All interactive user's Home Directories must be owned by its user") }}} + + + + + + + + + nobody + state_file_ownership_home_directories_interactive_uids + + + + + {{{ uid_min }}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + var_file_ownership_home_directories_uids_count + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml index 198a9be..042f484 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml @@ -10,6 +10,10 @@ description: |- the following command:
$ sudo chown USER /home/USER
+ This rule ensures every home directory related to an interactive user is + owned by an interactive user. It also ensures that interactive users are + owners of one and only one home directory. + rationale: |- If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to @@ -31,3 +35,9 @@ ocil_clause: 'the user ownership is incorrect' ocil: |- To verify the home directory ownership, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
+ +warnings: + - general: |- + Due to OVAL limitation, this rule can report a false negative in a + specific situation where two interactive users swap the ownership of + their respective home directories. diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh new file mode 100644 index 0000000..585f759 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +chown $USER /home/$USER diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh new file mode 100644 index 0000000..7c181af --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* 
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
new file mode 100644
index 0000000..e6aef9e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chown $USER1 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
new file mode 100644
index 0000000..011b315
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chown 2 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
new file mode 100644
index 0000000..733af78
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chown 10005 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
new file mode 100644
index 0000000..df5655f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chown $USER2 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
new file mode 100644
index 0000000..e9cfd5b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Swap the ownership of two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown $USER2 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
new file mode 100644
index 0000000..945ed7e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
@@ -0,0 +1,31 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence home directories to avoid creating them, but only fixing group ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[2]|int >= {{{ uid_min }}} + - item.value[2]|int != 65534 + +- name: Ensure interactive local users are the group-owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + mode: '0700' + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh new file mode 100644 index 0000000..4ebc674 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f 700 "$6) }' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml new file mode 100644 index 0000000..0cb261e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml 
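Review bot: The permissions playbook compares the GID field against the UID threshold, `item.value[2]|int >= {{{ uid_min }}}`, and the bash remediation in the same section does the same with `$4 >= {{{ uid_min }}}`; for a rule about interactive users' home directories the selector should be the UID, `- item.value[1]|int >= {{{ uid_min }}}` / `- item.value[1]|int != 65534` and `if ($3 >= {{{ uid_min }}} && $3 != 65534)`. The task names ("only fixing group ownership", "Ensure interactive local users are the group-owners ...") are carried over from the group-ownership playbook and no longer describe a task that sets `mode: '0700'`. Separately, the remediation enforces 0700 although the OVAL title added in this commit and acceptable_permission.pass.sh treat 0750 as compliant, so running the fix removes group access on systems that already pass; if 0700 is intended as the remediated state, a comment saying so above the file task would make that deliberate rather than accidental.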
@@ -0,0 +1,51 @@ + + + {{{ oval_metadata("All Interactive User Home Directories Must Have mode 0750 Or Less Permissive") }}} + + + + + + + + nobody + state_file_permissions_home_directories_interactive_uids + + + + {{{ uid_min }}} + + + + + + + + + + + + + + + + directory + false + false + false + false + false + false + false + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh new file mode 100644 index 0000000..aaf939e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +chmod 750 /home/$USER diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh new file mode 100644 index 0000000..5dfd426 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +chmod 700 /home/$USER diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* 
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
new file mode 100644
index 0000000..2f337d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chmod 755 /home/$USER
diff --git a/ssg/constants.py b/ssg/constants.py
index e2d3077..64e2712 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -380,6 +380,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { # Application constants +DEFAULT_GID_MIN = 1000 DEFAULT_UID_MIN = 1000 DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2' DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b7..e410e06 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -7,6 +7,7 @@ from glob import glob from .build_cpe import ProductCPEs from .constants import (product_directories, + DEFAULT_GID_MIN, DEFAULT_UID_MIN, DEFAULT_GRUB2_BOOT_PATH, DEFAULT_DCONF_GDM_DIR,
@@ -39,6 +40,9 @@ def _get_implied_properties(existing_properties): if pkg_manager in PKG_MANAGER_TO_CONFIG_FILE: result["pkg_manager_config_file"] = PKG_MANAGER_TO_CONFIG_FILE[pkg_manager] + if "gid_min" not in existing_properties: + result["gid_min"] = DEFAULT_GID_MIN + if "uid_min" not in existing_properties: result["uid_min"] = DEFAULT_UID_MIN