Add a switch to include root to user list

This change will include the root user to the user list only if needed. We will use the root in the rule file_permission_user_init_file. But we will not use the root in accounts_user_interactive_home_directory_defined where we keep the old behavior.
ComplianceAsCode · Mar 20, 2024 · 126841d · 126841d
1 parent 872d4d8
commit 126841d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/...os/guide/system/accounts/accounts-session/file_permission_user_init_files/oval/shared.xml b/...os/guide/system/accounts/accounts-session/file_permission_user_init_files/oval/shared.xml
@@ -33,7 +33,7 @@
 
 
     {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}}
-    {{{ create_interactive_users_list_object(interactive_users_object) }}}
+    {{{ create_interactive_users_list_object(interactive_users_object, include_root=True) }}}
 
     <local_variable id="var_{{{ rule_id }}}_home_dirs" datatype="string" version="1"
                     comment="Variable including all home dirs from interactive users">

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1151,21 +1151,27 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 
 :param object_id: Object id to be created.
 :type object_id: str
+:param include_root: If set to true, the "root" user account will be included to the list. Default: False.
+:type include_root: bool
 
 #}}
-{{%- macro create_interactive_users_list_object(object_id) -%}}
+{{%- macro create_interactive_users_list_object(object_id, include_root=False) -%}}
   {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
 
   <unix:password_object id="{{{ object_id }}}" version="1">
     <set>
-      <object_reference>{{{ object_id }}}_root</object_reference>
+      {{% if include_root %}}
+        <object_reference>{{{ object_id }}}_root</object_reference>
+      {{% endif %}}
       <object_reference>{{{ object_id }}}_others</object_reference>
     </set>
   </unix:password_object>
 
-  <unix:password_object id="{{{ object_id }}}_root" version="1">
-    <unix:username datatype="string" operation="equals">root</unix:username>
-  </unix:password_object>
+  {{% if include_root %}}
+    <unix:password_object id="{{{ object_id }}}_root" version="1">
+      <unix:username datatype="string" operation="equals">root</unix:username>
+    </unix:password_object>
+  {{% endif %}}
 
   <unix:password_object id="{{{ object_id }}}_others" version="1">
     <unix:username datatype="string" operation="pattern match">.*</unix:username>