commit dc273bb872cc53f2d52af4396f4d3bba0acc178f Author: Gabriel Becker Date: Thu Feb 24 17:30:42 2022 +0100 Manual edited patch scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml new file mode 100644 index 0000000..ff41e19 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml @@ -0,0 +1,32 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence home directories to avoid creating them, but only fixing ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[2]|int >= {{{ gid_min }}} + - item.value[2]|int != 65534 + +- name: Ensure interactive local users are the owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + group: '{{ item.0.value[2] }}' + recurse: yes + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh new file mode 100644 index 0000000..e392d2f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh 
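Review bot: The `ansible.builtin.file` task with `recurse: yes` leaves `follow` at its default of `yes`, so a symlink planted under a home directory is resolved and its target outside the home (and the contents of the target when it is a directory) is regrouped to the user's primary group by root; users control the links in their own homes, so this lets a local user get arbitrary paths regrouped. The permissions remediation in this same commit sets `follow: no` on the equivalent task, and this one should match: add `follow: no` next to `recurse: yes`. Note also that the task is named "Get all local users from /etc/passwd" while `getent passwd` enumerates every NSS source, so the Ansible and bash remediations may not walk the same set of accounts when remote users are enumerable; the name should at least say so.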
@@ -0,0 +1,14 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +for user in $(awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + group=$(getent passwd $user | cut -d: -f4) + # Only update the group-ownership when necessary. This will avoid changing the inode timestamp + # when the group is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -group $group -exec chgrp -f $group {} \; +done diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml new file mode 100644 index 0000000..1fd016a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml @@ -0,0 +1,52 @@ + + + {{{ oval_metadata("All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User") }}} + + + + + + + nobody + state_accounts_users_home_files_groupownership_interactive_gids + + + + {{{ gid_min }}} + + + + + + + + + + + + + + + .* + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml index 1c0f93a..31a0f1d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml @@ -10,6 +10,9 @@ description: |- local interactive users files and directories, use the following command:
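Review bot: `chgrp -f $group` inside the `find -exec` dereferences symlinks, while `find` (default `-P`) matched the link itself, so a link in a home directory whose group is not the user's primary group causes its target — which may be anywhere on the filesystem — to be regrouped by root; pass `-h` so only the link is changed: `find "$home_dir" -not -group "$group" -exec chgrp -fh "$group" {} \;`. The unquoted `$home_dir` also breaks on home paths containing whitespace, and an empty sixth passwd field makes `find` start from the current directory, so add `[ -d "$home_dir" ] || continue` before the `find`. Calling `getent` twice per user to read fields the `awk` already has is harmless but could be a single `IFS=: read`.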
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
+ This rule ensures every file or directory under the home directory related + to an interactive user is group-owned by an interactive user. + rationale: |- If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. @@ -33,3 +36,9 @@ ocil: |- group-owned by a group the user is a member of, run the following command:
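Review bot: The added description sentence says files must be "group-owned by an interactive user", but a file is group-owned by a group, and what the bash/Ansible remediations in this commit enforce is the group being an interactive user's primary group (GID at or above `gid_min`, excluding 65534), which is also what the swap warning further down implies the check accepts. Suggest `is group-owned by the primary group of an interactive user.` so the text matches what is actually checked and fixed. The block-scalar `description` continues outside the hunk.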
$ sudo ls -lLR /home/USER
+ +warnings: + - general: |- + Due to OVAL limitation, this rule can report a false negative in a + specific situation where two interactive users swap the group-ownership + of folders or files in their respective home directories. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh new file mode 100644 index 0000000..8538430 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chgrp -f $USER /home/$USER/$USER.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh new file mode 100644 index 0000000..5bce517 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -M $USER2 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh new file mode 100644 index 0000000..ed34f09 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# remove all interactive users (ID >= 1000) from /etc/passwd +sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh new file mode 100644 index 0000000..f105723 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chgrp 2 /home/$USER/$USER.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh new file mode 100644 index 0000000..00fa481 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chgrp 10005 /home/$USER/$USER.txt 
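Review bot: The `sed` expression `/.*:[0-9]\{4,\}:/d` deletes any passwd line with a run of four or more digits followed by a colon in any field, so besides interactive users it removes the `nobody` entry (65534) and any system account whose GID or GECOS field happens to contain such a number, and it hardcodes 1000 where the rule keys on `{{{ gid_min }}}`. Anchoring the match to the UID field is closer to the comment's stated intent: `sed -i -E '/^[^:]*:[^:]*:[0-9]{4,}:/d' /etc/passwd`. This script is copied byte-for-byte into the ownership and permissions rules, so the fix belongs in all three copies.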
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh new file mode 100644 index 0000000..052aa7c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -m $USER2 +echo "$USER1" > /home/$USER1/$USER1.txt +echo "$USER2" > /home/$USER2/$USER2.txt +# Swap the ownership of files in two home directories +# WARNING: This test scenario will report a false negative, as explained in the +# warning section of this rule. +chgrp -f $USER2 /home/$USER1/$USER1.txt +chgrp -f $USER1 /home/$USER2/$USER2.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml new file mode 100644 index 0000000..40a0579 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml 
@@ -0,0 +1,32 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence home directories to avoid creating them, but only fixing ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[1]|int >= {{{ uid_min }}} + - item.value[1]|int != 65534 + +- name: Ensure interactive local users are the owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + owner: '{{ item.0.value[1] }}' + recurse: yes + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh new file mode 100644 index 0000000..236c800 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh @@ -0,0 +1,13 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + # Only update the ownership when necessary. This will avoid changing the inode timestamp + # when the owner is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -user $user -exec chown -f $user {} \; +done 
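Review bot: `follow` is left at its default (`yes`) on the `ansible.builtin.file` task that uses `recurse: yes`, so a symlink under a home directory is chased and its target outside the home, including the contents of a linked directory, is chowned to the interactive user by root; since users control the links in their own homes this should be `follow: no`, as the permissions task in this same commit already sets. The task name says users come from /etc/passwd, but `getent passwd` enumerates every NSS source, so it can include accounts the bash remediation (which reads /etc/passwd directly) will not touch; rename the task or document the difference.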
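Review bot: `chown -f $user` in the `find -exec` dereferences symlinks, while `find` (default `-P`) matched the link itself by owner, so a link inside a home directory owned by someone else makes root change the owner of the link target, which can live anywhere on the system; use `find "$home_dir" -not -user "$user" -exec chown -fh "$user" {} \;`. The unquoted `$home_dir` breaks on paths with whitespace, and an empty home field yields a `find` with no starting point, which walks the current directory instead, so guard with `[ -d "$home_dir" ] || continue` before the `find`.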
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml new file mode 100644 index 0000000..1850cfb --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml @@ -0,0 +1,52 @@ + + + {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have a Valid Owner") }}} + + + + + + + nobody + state_accounts_users_home_files_ownership_interactive_uids + + + + {{{ uid_min }}} + + + + + + + + + + + + + + + .* + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml index 13f6bfe..5bfb388 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml @@ -10,6 +10,9 @@ description: |- directories, use the following command:
$ sudo chown -R USER /home/USER
+ This rule ensures every file or directory under the home directory related + to an interactive user is owned by an interactive user. + rationale: |- If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not @@ -34,3 +37,9 @@ ocil: |- To verify all files and directories in interactive users home directory are owned by the user, run the following command:
$ sudo ls -lLR /home/USER
+ +warnings: + - general: |- + Due to OVAL limitation, this rule can report a false negative in a + specific situation where two interactive users swap the ownership of + folders or files in their respective home directories. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh new file mode 100644 index 0000000..da68cb4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chown $USER /home/$USER/$USER.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh new file mode 100644 index 0000000..5bce517 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -M $USER2 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh new file mode 100644 index 0000000..ed34f09 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# remove all interactive users (ID >= 1000) from /etc/passwd +sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh new file mode 100644 index 0000000..59c46a9 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chown 2 /home/$USER/$USER.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh new file mode 100644 index 0000000..e0f5514 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chown 10005 /home/$USER/$USER.txt 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh new file mode 100644 index 0000000..1174ec6 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +USER1="cac_user1" +USER2="cac_user2" + +useradd -m $USER1 +useradd -m $USER2 +echo "$USER1" > /home/$USER1/$USER1.txt +echo "$USER2" > /home/$USER2/$USER2.txt +# Swap the ownership of files in two home directories +# WARNING: This test scenario will report a false negative, as explained in the +# warning section of this rule. +chown -f $USER2 /home/$USER1/$USER1.txt +chown -f $USER1 /home/$USER2/$USER2.txt diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml new file mode 100644 index 0000000..9473710 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml 
@@ -0,0 +1,33 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Get all local users from /etc/passwd + ansible.builtin.getent: + database: passwd + split: ':' + +- name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd|dict2items }}' + +- name: Test for existence home directories to avoid creating them, but only fixing group ownership + ansible.builtin.stat: + path: '{{ item.value[4] }}' + register: path_exists + loop: '{{ local_users }}' + when: + - item.value[2]|int >= {{{ uid_min }}} + - item.value[2]|int != 65534 + +- name: Ensure interactive local users are the group-owners of their respective home directories + ansible.builtin.file: + path: '{{ item.0.value[4] }}' + mode: 'g-w,o=-' + follow: no + recurse: yes + loop: '{{ local_users|zip(path_exists.results)|list }}' + when: + - item.1.stat is defined and item.1.stat.exists diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh new file mode 100644 index 0000000..186d55d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh @@ -0,0 +1,12 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +for home_dir in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -perm /027 -exec chmod g-w,o=- {} \; +done 
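Review bot: The `when` conditions compare `item.value[2]` with `{{{ uid_min }}}`, but after `getent` with `split: ':'` index 2 of the value list is the GID (index 1 is the UID, which is what the ownership remediation in this commit uses), so users are selected by primary group against a UID floor; change both conditions to `item.value[1]|int`. The stat task's name still says "fixing group ownership" and the file task is named `Ensure interactive local users are the group-owners of their respective home directories`, both leftovers from the groupownership rule; rename to describe the mode fix, e.g. `Ensure files in interactive users' home directories are mode 0750 or less permissive`.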
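Review bot: The `awk` filter tests `$4` (the GID field) against `{{{ uid_min }}}`; the sibling ownership script in this commit uses `$3` for the UID, so this should be `$3` as well. Separately, `find` without `-L` reports symlinks with mode 0777, so every link under a home matches `-perm /027`, and `chmod`, which cannot change a link and always follows it, rewrites the mode of the target, which may be outside the home (a link to /tmp would lose its world-writable bit); exclude links with `find "$home_dir" ! -type l -perm /027 -exec chmod g-w,o=- {} \;`, quote `$home_dir`, and skip empty home fields with `[ -d "$home_dir" ] || continue` so `find` never falls back to the current directory.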
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml new file mode 100644 index 0000000..d3db46d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml @@ -0,0 +1,52 @@ + + + {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive") }}} + + + + + + + + nobody + state_accounts_users_home_files_permissions_interactive_uids + + + + {{{ uid_min }}} + + + + + + + + + + + + .* + + + + + false + false + false + false + false + false + false + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh new file mode 100644 index 0000000..3561847 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chmod -Rf 750 /home/$USER/.* diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh new file mode 100644 index 0000000..8ed7fa2 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chmod -Rf 700 /home/$USER/.* 
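Review bot: `chmod -Rf 750 /home/$USER/.*` is meant to reach the dotfiles, but the `.*` glob also expands to `/home/cac_user/..`, so the recursive chmod is applied to all of /home and every other home directory in the test environment, with `-f` hiding any errors; the scenario then passes partly because unrelated directories were tightened too. Use `chmod -Rf 750 /home/$USER` (recursion already covers hidden entries) here and in the other permission test scripts that copy the same line.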
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh new file mode 100644 index 0000000..af24025 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +USER="cac_user" +useradd -M $USER +# This make sure home dirs related to test environment users are also removed. +rm -Rf /home/* diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh new file mode 100644 index 0000000..ed34f09 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# remove all interactive users (ID >= 1000) from /etc/passwd +sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh new file mode 100644 index 0000000..b561671 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/$USER.txt +chmod -Rf 700 /home/$USER/.* +chmod -f o+r /home/$USER/$USER.txt 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh new file mode 100644 index 0000000..d7811bc --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +USER="cac_user" +useradd -m $USER +echo "$USER" > /home/$USER/.init_file +chmod -Rf 700 /home/$USER/.* +chmod -f o+r /home/$USER/.init_file diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh similarity index 100% rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh similarity index 100% rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh