From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 10:54:51 +0200
Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
.../tests/no_sys_uids.pass.sh | 7 +++++++
.../tests/only_system_users.pass.sh | 6 ++++++
.../tests/system_user_with_shell.fail.sh | 6 ++++++
4 files changed, 23 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
new file mode 100644
index 0000000000..6d48ad78fd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -0,0 +1,4 @@
+# remediation = none
+
+#!/bin/bash
+true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
new file mode 100644
index 0000000000..bc4f9cee8c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -0,0 +1,7 @@
+# remediation = none
+
+#!/bin/bash
+
+# Force unset of SYS_UID values
+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
new file mode 100644
index 0000000000..0cdb820bbb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# remove any non-system user
+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
new file mode 100644
index 0000000000..7639a8809d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# change system user "mail" shell to bash
+usermod --shell /bin/bash mail
From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 11:27:48 +0200
Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
range of UIDs
There is no need to make calculations on top of the UIDs, we can compare
the collected UIDs with shell againt the states that define the valid range.
Avoiding the calculations has the added benefit of not using/referencing
a variable that can be empty (when no user has shell, except root).
---
.../oval/shared.xml | 198 +++---------------
1 file changed, 33 insertions(+), 165 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
index 7e68441867..d0e836515b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
@@ -79,13 +79,6 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <!-- Extract UIDs from /etc/passwd entries into OVAL variable -->
- <local_variable id="variable_sys_uids_etc_passwd" datatype="int"
- comment="UIDs retrieved from /etc/passwd" version="1">
- <object_component item_field="subexpression"
- object_ref="object_etc_passwd_entries" />
- </local_variable>
-
<!-- FIRST CRITERION -->
<!-- If both SYS_UID_MIN and SYS_UID_MAX aren't defined in /etc/login.defs
perform the check that all /etc/passwd entries having shell defined have
@@ -100,63 +93,23 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, UID_MIN - 1> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold (x - 0) * (x - (UID_MIN -1)) range -->
- <local_variable id="variable_default_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get (x - (UID_MIN -1)) result -->
- <arithmetic arithmetic_operation="add">
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get -1 * (UID_MIN - 1) result -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <!-- Get (UID_MIN -1) result -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_uid_min_value" />
- <literal_component datatype="int">-1</literal_component>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
- <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the default <0, UID_MIN - 1> UID range test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, UID_MIN -1> range -->
- <ind:variable_test id="test_shell_defined_default_uid_range" check="all"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_default_uid_range" check="all"
check_existence="all_exist" comment="<0, UID_MIN - 1> system UIDs having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_default_uid_range" />
- <ind:state state_ref="state_shell_defined_default_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
+ <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Test if SYS_UID_MIN not defined in /etc/login.defs -->
<ind:textfilecontent54_test id="test_sys_uid_min_not_defined"
@@ -200,121 +153,36 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for reserved system accounts, thus
- UIDs from the range <0, SYS_UID_MIN> -->
- <local_variable id="variable_reserved_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
- <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the reserved UID range <0, SYS_UID_MIN> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, SYS_UID_MIN> range -->
- <ind:variable_test id="test_shell_defined_reserved_uid_range" check="all"
- check_existence="all_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
- version="1">
- <ind:object object_ref="object_shell_defined_reserved_uid_range" />
- <ind:state state_ref="state_shell_defined_reserved_uid_range" />
- </ind:variable_test>
-
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for dynamically allocated system accounts,
- thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
- <local_variable id="variable_dynalloc_range_quad_expr" datatype="int"
- comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_reserved_uid_range" check="all"
+ check_existence="any_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- <!-- Construct (x - SYS_UID_MAX) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MAX -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_max_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
- <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
- </ind:variable_object>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
+ </ind:textfilecontent54_test>
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Perform the dynamically allocated UID range <SYS_UID_MIN, SYS_UID_MAX> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
- <ind:variable_test id="test_shell_defined_dynalloc_uid_range" check="all"
- check_existence="all_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_dynalloc_uid_range" check="all"
+ check_existence="any_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
- <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_sys_uid_min" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
+ </ind:textfilecontent54_state>
</def-group>
From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 4 Jun 2020 14:04:37 +0200
Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +-
.../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
.../tests/only_system_users.pass.sh | 3 +--
.../tests/system_user_with_shell.fail.sh | 3 +--
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
index 6d48ad78fd..833831f79d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -1,4 +1,4 @@
+#!/bin/bash
# remediation = none
-#!/bin/bash
true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
index bc4f9cee8c..6769895eb2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# Force unset of SYS_UID values
sed -i '/^SYS_UID_MIN/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
index 0cdb820bbb..06edf671ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# remove any non-system user
sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
index 7639a8809d..10312593b8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# change system user "mail" shell to bash
usermod --shell /bin/bash mail