Add root user to interactive users

The rule file_permission_user_init_files now checks only dot files of
users with UID greater than or equal 1000. But according to RHEL 9 STIG
and CIS benchmarks it should check also the root user's dot files.

This commit creates a new rule file_permission_user_init_files_root
which is almost the same as file_permission_user_init_files, but the
new rule accounts also for the root user and his init files.

We also change the OVAL jinja macro. This change will include the root
user to the user list only if needed. We will use the root in the rule
file_permission_user_init_file. But we will not use the root in
accounts_user_interactive_home_directory_defined where we keep the old
behavior.

The commit also adds a simple test scenario covering this situation.

Fixes: #11699

components/pam.yml

@@ -146,6 +146,7 @@ rules:
 - file_ownership_home_directories
 - file_ownership_lastlog
 - file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_etc_issue
 - file_permissions_etc_issue_net
 - file_permissions_etc_motd

controls/stig_rhel9.yml

@@ -989,7 +989,7 @@ controls:
             - medium
         title: All RHEL 9 local initialization files must have mode 0740 or less permissive.
         rules:
-            - file_permission_user_init_files
+            - file_permission_user_init_files_root
         status: automated
 
     -   id: RHEL-09-232050

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/ansible/shared.yml

@@ -0,0 +1,34 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_user_initialization_files_regex") }}}
+
+
+- name: '{{{ rule_title }}} - Gather User Info'
+  ansible.builtin.getent:
+    database: passwd
+
+- name: '{{{ rule_title }}} - Find Init Files'
+  ansible.builtin.find:
+    paths: "{{ item.value[4] }}"
+    pattern: "{{ var_user_initialization_files_regex }}"
+    hidden: true
+    use_regex: true
+  with_dict: "{{ ansible_facts.getent_passwd }}"
+  when:
+    - item.value[4] != "/sbin/nologin"
+    - item.key not in ["nobody", "nfsnobody"]
+    - item.value[1] | int >= {{{ uid_min }}} or item.key == "root"
+  register: found_init_files
+
+- name: '{{{ rule_title }}} - Fix Init Files Permissions'
+  ansible.builtin.file:
+    path: "{{ item.1.path }}"
+    mode: u-s,g-wxs,o=
+  loop: "{{ q('ansible.builtin.subelements',
+              found_init_files.results,
+              'files',
+              {'skip_missing': True}) }}"

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/bash/shared.sh

@@ -0,0 +1,26 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_user_initialization_files_regex") }}}
+
+readarray -t interactive_users < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $1}' /etc/passwd)
+readarray -t interactive_users_home < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $6}' /etc/passwd)
+readarray -t interactive_users_shell < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $7}' /etc/passwd)
+
+USERS_IGNORED_REGEX='nobody|nfsnobody'
+
+for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
+    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
+        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
+
+        readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
+            -exec basename {} \; | grep -P "$var_user_initialization_files_regex")
+        for file in "${init_files[@]}"; do
+            chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
+        done
+    fi
+done
+

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/oval/shared.xml

@@ -0,0 +1,46 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("User initialization files have mode 0740 or less permissive") }}}
+        <criteria>
+            <criterion comment="Initialization files have mode 0740 or less permissive"
+                test_ref="test_{{{ rule_id }}}" />
+        </criteria>
+    </definition>
+
+    <unix:file_test id="test_{{{ rule_id }}}" check="all"
+                    check_existence="any_exist" version="1"
+                    comment="Init files have mode 0740 or less permissive">
+        <unix:object object_ref="object_{{{ rule_id }}}"/>
+        <unix:state state_ref="state_{{{ rule_id }}}"/>
+    </unix:file_test>
+
+    <unix:file_object id="object_{{{ rule_id }}}" version="1">
+        <unix:path var_ref="var_{{{ rule_id }}}_home_dirs" var_check="at least one"/>
+        <unix:filename operation="pattern match" var_ref="var_user_initialization_files_regex"/>
+    </unix:file_object>
+
+
+    <unix:file_state id="state_{{{ rule_id }}}" operator="AND" version="1">
+        <unix:suid datatype="boolean">false</unix:suid>
+        <unix:sgid datatype="boolean">false</unix:sgid>
+        <unix:sticky datatype="boolean">false</unix:sticky>
+        <unix:gwrite datatype="boolean">false</unix:gwrite>
+        <unix:gexec datatype="boolean">false</unix:gexec>
+        <unix:oread datatype="boolean">false</unix:oread>
+        <unix:owrite datatype="boolean">false</unix:owrite>
+        <unix:oexec datatype="boolean">false</unix:oexec>
+    </unix:file_state>
+
+
+    {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}}
+    {{{ create_interactive_users_list_object(interactive_users_object, include_root=True) }}}
+
+    <local_variable id="var_{{{ rule_id }}}_home_dirs" datatype="string" version="1"
+                    comment="Variable including all home dirs from interactive users">
+        <object_component item_field="home_dir"
+                        object_ref="{{{ interactive_users_object }}}"/>
+    </local_variable>
+
+    <external_variable comment="init files regex" datatype="int"
+        id="var_user_initialization_files_regex" version="1" />
+</def-group>

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/policy/stig/shared.yml

@@ -0,0 +1,28 @@
+srg_requirement: |-
+    All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.
+
+vuldiscussion: |-
+    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
+
+checktext: |-
+    Verify that all local initialization files have a mode of "0740" or less permissive with the following command:
+
+    Note: The example will be for the "wadea" user, who has a home directory of "/home/wadea".
+
+    $ sudo ls -al /home/wadea/.[^.]* | more
+
+    -rwxr-xr-x 1 wadea users 896 Mar 10 2011 .profile
+    -rwxr-xr-x 1 wadea users 497 Jan 6 2007 .login
+    -rwxr-xr-x 1 wadea users 886 Jan 6 2007 .something
+
+    If any local initialization files have a mode more permissive than "0740", this is a finding.
+
+fixtext: |-
+    Set the mode of the local initialization files to "0740" with the following command:
+
+    Note: The example will be for the wadea user, who has a home directory of "/home/wadea".
+
+    $ sudo chmod 0740 /home/wadea/.&ltINIT_FILE&gt
+
+vuln_discussion: |-
+    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml

@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
+
+description: |-
+    Set the mode of the user initialization files, including the <tt>root</tt> user,
+    to <tt>0740</tt> with the following commands:
+    <pre>
+    $ sudo chmod 0740 /root/.<i>INIT_FILE</i>
+    $ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i>
+    </pre>
+
+rationale: |-
+    Local initialization files are used to configure the user's shell environment
+    upon logon. Malicious modification of these files could compromise accounts upon
+    logon.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-87087-3
+
+references:
+    disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'they are not 0740 or more permissive'
+
+ocil: |-
+    To verify that all user initialization files have a mode of <tt>0740</tt> or
+    less permissive, run the following command:
+    <pre>$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)</pre>
+    There should be no output.
+
+fixtext: |-
+    Set the mode of the local initialization files to "0740" with the following command:
+
+    Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+    $ sudo chmod 0740 /home/smithj/.
+
+srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.'

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/all_permissions.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 7777 /home/dummy/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/common.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+for username in $(awk -F: '($3>={{{ uid_min }}} && $3!=65534) {print $1}' /etc/passwd)
+do
+    userdel -fr $username
+done
+
+touch /root/.init
+chmod 0740 /root/.init
+
+useradd -m dummy
+
+touch /home/dummy/.init
+chmod 0740 /home/dummy/.init
+
+touch /home/dummy/.ignored_file
+chmod 0777 /home/dummy/.ignored_file

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/correct_permissions.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/different_home_correct_permissions.pass.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+useradd -d /var/dummy2 dummy2
+
+touch /var/dummy2/.init
+chmod 0740 /var/dummy2/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/different_home_wrong_permissions.fail.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+useradd -d /var/dummy2 dummy2
+
+touch /var/dummy2/.init
+chmod 0750 /var/dummy2/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/lenient_permissions.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 0750 /home/dummy/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/lenient_permissions_root.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+touch /root/.init
+chmod 0750 /root/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/stricter_permissions.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 0700 /home/dummy/.init

shared/macros/10-oval.jinja

@@ -1151,12 +1151,29 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 
 :param object_id: Object id to be created.
 :type object_id: str
+:param include_root: If set to true, the "root" user account will be included to the list. Default: False.
+:type include_root: bool
 
 #}}
-{{%- macro create_interactive_users_list_object(object_id) -%}}
+{{%- macro create_interactive_users_list_object(object_id, include_root=False) -%}}
   {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
 
   <unix:password_object id="{{{ object_id }}}" version="1">
+    <set>
+      {{% if include_root %}}
+        <object_reference>{{{ object_id }}}_root</object_reference>
+      {{% endif %}}
+      <object_reference>{{{ object_id }}}_others</object_reference>
+    </set>
+  </unix:password_object>
+
+  {{% if include_root %}}
+    <unix:password_object id="{{{ object_id }}}_root" version="1">
+      <unix:username datatype="string" operation="equals">root</unix:username>
+    </unix:password_object>
+  {{% endif %}}
+
+  <unix:password_object id="{{{ object_id }}}_others" version="1">
     <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_{{{ rule_id }}}_users_uids</filter>
     <filter action="exclude">state_{{{ rule_id }}}_users_ignored</filter>

shared/references/cce-redhat-avail.txt

@@ -479,7 +479,6 @@ CCE-87083-2
 CCE-87084-0
 CCE-87085-7
 CCE-87086-5
-CCE-87087-3
 CCE-87091-5
 CCE-87092-3
 CCE-87093-1

tests/data/profile_stability/rhel9/stig.profile

@@ -281,7 +281,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_backup_etc_group
 - file_permissions_backup_etc_gshadow
 - file_permissions_backup_etc_passwd

tests/data/profile_stability/rhel9/stig_gui.profile

@@ -293,7 +293,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_backup_etc_group
 - file_permissions_backup_etc_gshadow
 - file_permissions_backup_etc_passwd