Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined #12527
This datastream diff is auto generated by the check
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' differs.
--- xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
+++ xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
@@ -34,6 +34,7 @@
when:
- item.value[2]|int >= 1000
- item.value[2]|int != 65534
+ - item.value[2]|int < 61184 or item.value[2]|int > 65519
- not item.value[4] | regex_search('^\/\w*\/\w{1,}')
tags:
- CCE-84036-3 |
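Review bot: The added condition hardcodes 61184 and 65519 with no comment or variable saying what the range is. The PR description says the intent is to skip systemd dynamic users, so a comment above `- item.value[2]|int < 61184 or item.value[2]|int > 65519`, or named variables for the two bounds, would make the line self-explanatory next to the existing 1000 and 65534 checks. The title also speaks of skipping IDs above UID MAX, while this line only excludes the closed range 61184 to 65519; UIDs from 65520 upward other than 65534 still match the task, so either the title or the condition should be adjusted to say which behaviour is intended.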
dodys
left a comment
lgtm, thanks!
Ubuntu CI failures are because this rule is not present in our benchmarks
vojtapolasek
left a comment
Looks good. See my specific comment.
Out of curiosity, why did it not matter in the past that test files for some distros in tests/data/product_stability do not exist? It makes this PR quite big.
| nobody_gid: 65534 | ||
| nobody_uid: 65534 | ||
| auid: 1000 | ||
| uid_max: 60000 |
Maybe the number can be this one, per http://0pointer.net/blog/dynamic-users-with-systemd.html; you can see it a few lines under the heading called "Introducing dynamic users".
| uid_max: 60000 | |
| uid_max: 60183 |
651fc7e to d8f7855
vojtapolasek
left a comment
Nice catch with the whole dynamic uid range. But I think this needs to be fixed.
/packit build
…interactive_home_directory_defined/ansible/shared.yml Co-authored-by: vojtapolasek <krecoun@gmail.com>
d7e008e to 708fc41
Code Climate has analyzed commit 708fc41 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
@Mab879 There is a failing Automatus test on SLE which seems valid.
This isn't a new issue, it is also failing on master. At least testing with OpenSUSE.
OK @Mab879 merging. Thank you.
/packit retest-failed
Description:
To skip systemd dynamic users.
Since accounts_user_interactive_home_directory_defined only works on local users this should be fine.
Since bash remediation accesses /etc/passwd directly and the systemd dynamic users do not show up in that file, the bash remediation was not updated.
Rationale:
Fix Ansible playbook failures.