Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined #12527
Conversation
This datastream diff is auto generated by the check. Ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' differs.
--- xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
+++ xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
@@ -34,6 +34,7 @@
when:
- item.value[2]|int >= 1000
- item.value[2]|int != 65534
+ - item.value[2]|int < 61184 or item.value[2]|int > 61184
- not item.value[4] | regex_search('^\/\w*\/\w{1,}')
tags:
- CCE-84036-3 |
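Review bot: the added condition on the `+` line, `item.value[2]|int < 61184 or item.value[2]|int > 61184`, is logically the same as `item.value[2]|int != 61184`, so it skips exactly one UID instead of the whole range above the product's uid_max that the description says should be excluded; a single upper bound rendered from the `uid_max` product property (for example `item.value[2]|int <= 60000` with the value set in product_properties/10-ids.yml) is what is needed here, and the literal 61184 in this rendered diff should match whatever that property ends up being.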
lgtm, thanks!
Ubuntu CI failures are because this rule is not present in our benchmarks.
Looks good. See my specific comment.
Out of curiosity, why did it not matter in the past that test files for some distros in tests/data/product_stability did not exist? It makes this PR quite big.
product_properties/10-ids.yml
@@ -5,3 +5,4 @@ default: | |||
nobody_gid: 65534 | |||
nobody_uid: 65534 | |||
auid: 1000 | |||
uid_max: 60000 |
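Review bot: `uid_max: 60000` is added with no comment saying what the bound represents, and the three numbers in this PR disagree (60000 here, 61184 in the rendered Ansible condition, 60183 in the review suggestion below); please settle on one value, add a YAML comment next to `uid_max` citing the source used for the systemd dynamic user range, and make sure the Ansible template reads this property rather than carrying its own literal.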
Maybe the number can be this one, per http://0pointer.net/blog/dynamic-users-with-systemd.html; you can see it a few lines under the heading called "Introducing dynamic users".
- uid_max: 60000
+ uid_max: 60183
651fc7e to d8f7855
changes LGTM
Code Climate has analyzed commit d8f7855 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
Description:
To skip systemd dynamic users.
Since accounts_user_interactive_home_directory_defined only works on local users this should be fine.
Since the bash remediation accesses /etc/passwd directly and systemd dynamic users do not show up in that file, the bash remediation was not updated.
Rationale:
Fix Ansible playbook failures.
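The selection logic the rule's Ansible `when` clause expresses, written out in Python over a constructed /etc/passwd sample so the effect of bounding by `uid_max` can be checked offline (an added example, not code from the ComplianceAsCode project; the sample users, the `uid_max` value 60000 taken from this PR's product property, and the `is_interactive_rendered` predicate mirroring the rendered `< 61184 or > 61184` condition are all assumptions of this example):

```python
import re

# Constructed /etc/passwd sample for this example; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob::/bin/bash
svc:x:61190:61190:dynamic service user:/:/usr/sbin/nologin
"""

UID_MIN = 1000        # 'auid' in the product properties: first interactive UID
NOBODY_UID = 65534    # 'nobody_uid', always excluded by the rule
UID_MAX = 60000       # 'uid_max' as added in product_properties/10-ids.yml (assumed)

# Same pattern the rule passes to regex_search; Python needs no escaped slashes.
HOME_RE = re.compile(r"^/\w*/\w{1,}")


def parse_passwd(text):
    """Return a list of {name, uid, home} dicts for well-formed passwd lines."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        users.append({"name": fields[0], "uid": int(fields[2]), "home": fields[5]})
    return users


def is_interactive(uid, uid_max=UID_MAX):
    """Interactive local user: at or above auid, not nobody, at or below uid_max."""
    return UID_MIN <= uid <= uid_max and uid != NOBODY_UID


def is_interactive_rendered(uid):
    """The condition as it appears in the rendered datastream diff: it only
    excludes UID 61184 itself, so other dynamic-range UIDs still pass."""
    return uid >= UID_MIN and uid != NOBODY_UID and (uid < 61184 or uid > 61184)


def users_missing_home(text, predicate):
    """Names of users selected by `predicate` whose home field fails HOME_RE,
    i.e. the users the rule would report or try to remediate."""
    return [u["name"] for u in parse_passwd(text)
            if predicate(u["uid"]) and not HOME_RE.search(u["home"])]
```

With the upper bound only `bob` is reported, while the rendered single-UID exclusion also reports the dynamic user `svc`, which is the Ansible failure the PR sets out to avoid.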