
RFE: Use numeric comparison in jinja macro create_local_interactive_users_object #10845

Open
jan-cerny opened this issue Jul 14, 2023 · 1 comment
Labels
help-wanted This PR/Issue needs help to go forward. OVAL OVAL update. Related to the systems assessments.

@jan-cerny (Collaborator)

Description of problem:

Jinja macro create_local_interactive_users_object which generates OVAL objects related to local interactive users needs to be enhanced for better readability and for better customization abilities.

At this moment, the macro relies on the fact that local interactive users have UIDs greater than or equal to 1000 and that smaller UIDs are non-interactive. Moreover, the regular expression used there requires that the UID field consists of at least 4 digits. Therefore, it won't match users with UIDs consisting of 3 digits, i.e. less than or equal to 999.

It's been done this way because in the OVAL textfilecontent54_object you can't have multiple different subexpression capturing groups in the regex, and I already need to capture the user name field in a subexpression. I think that to have a proper comparison with 1000 in the OVAL I would have to create one more layer of objects and variables.

This problem has been pointed out by @vojtapolasek during review of #10825. We decided to report the problem as an upstream RFE.

SCAP Security Guide Version:

A branch with #10825 merged in.

Operating System Version:

all

Steps to Reproduce:

  1. review create_local_interactive_users_object and the regexes used there

Actual Results:

Regular expression is used to determine interactive users.

Expected Results:

Numeric comparison of actual values of UIDs is used to determine interactive users.

Additional Information/Debugging Steps:

No.

@jan-cerny jan-cerny added help-wanted This PR/Issue needs help to go forward. OVAL OVAL update. Related to the systems assessments. labels Jul 14, 2023
@mpurg (Contributor)

mpurg commented Feb 15, 2024

Hey @jan-cerny, good work with the original fix which solves the main issue of not enumerating non-local accounts. I expanded it a bit to also work on Ubuntu in #11589 but I agree that there is still room for improvement. According to CIS (I checked only Ubuntu 20.04, Ubuntu 22.04 and RHEL8), the UID is not used to determine whether or not the user is interactive, so we might want to drop it altogether. Instead we could use the shells listed in /etc/shells as a qualifier for an interactive user, as suggested by CIS. Does that sound plausible?
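The three ways of deciding who counts as a local interactive user that come up in this thread, side by side: the "UID field has at least 4 digits" regex heuristic from the issue description, a numeric comparison of the parsed UID against a threshold, and the /etc/shells qualifier mpurg suggests. This is an added Python example written for this page; it is not code from the SCAP Security Guide project, the Jinja macro, or either commenter. The passwd and shells contents are constructed, the regex is a simplified stand-in for the macro's real pattern (assumption), and `uid_min` is an illustrative parameter, not a project setting.

```python
import re

# Constructed /etc/passwd content (not from any real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:999:999:service account:/var/lib/svc:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:500:500:Bob (low UID):/home/bob:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed /etc/shells content.
SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
"""

# Simplified stand-in (assumption) for the macro's regex: a single capturing
# group for the user name, and a UID field of at least four digits. A 3-digit
# UID such as 999 or 500 can never match, and the threshold is not tunable.
REGEX_4DIGIT = re.compile(r"^([^:]+):[^:]*:\d{4,}:")


def parse_passwd(text):
    """Parse passwd lines into dicts with int UIDs; skip malformed lines."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def parse_shells(text):
    """Set of valid login shells; comments and blank lines are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def interactive_by_regex(passwd_text):
    """Regex heuristic: user name captured only when the UID has 4+ digits."""
    return [m.group(1) for line in passwd_text.splitlines()
            if (m := REGEX_4DIGIT.match(line))]


def interactive_by_uid(passwd_text, uid_min=1000):
    """Numeric comparison: the threshold is explicit and can be changed."""
    return [u["name"] for u in parse_passwd(passwd_text) if u["uid"] >= uid_min]


def interactive_by_shell(passwd_text, shells_text):
    """Shell qualifier: interactive means the login shell is in /etc/shells."""
    valid = parse_shells(shells_text)
    return [u["name"] for u in parse_passwd(passwd_text) if u["shell"] in valid]


def interactive_combined(passwd_text, shells_text, uid_min=1000):
    """Both criteria at once: UID at or above the threshold and a valid shell."""
    valid = parse_shells(shells_text)
    return [u["name"] for u in parse_passwd(passwd_text)
            if u["uid"] >= uid_min and u["shell"] in valid]


if __name__ == "__main__":
    print("regex (4+ digits):   ", interactive_by_regex(PASSWD))
    print("uid >= 1000:         ", interactive_by_uid(PASSWD))
    print("uid >= 500:          ", interactive_by_uid(PASSWD, uid_min=500))
    print("shell in /etc/shells:", interactive_by_shell(PASSWD, SHELLS))
    print("uid >= 1000 + shell: ", interactive_combined(PASSWD, SHELLS))
```

With the default threshold the regex and the numeric comparison select the same accounts, which is why the regex was acceptable; the difference shows up as soon as the threshold must change (here `uid_min=500` picks up `svc` and `bob`, which no fixed `\d{4,}` pattern can express). The shell-based list includes `root` because `/bin/bash` is a valid login shell, and it includes `bob` despite the low UID; whether UID 0 or sub-1000 UIDs should count as interactive is a policy decision that the combined function leaves to the caller.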
