Add root user to interactive users

components/pam.yml

@@ -146,6 +146,7 @@ rules:
 - file_ownership_home_directories
 - file_ownership_lastlog
 - file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_etc_issue
 - file_permissions_etc_issue_net
 - file_permissions_etc_motd

controls/stig_rhel9.yml

@@ -989,7 +989,7 @@ controls:
             - medium
         title: All RHEL 9 local initialization files must have mode 0740 or less permissive.
         rules:
-            - file_permission_user_init_files
+            - file_permission_user_init_files_root
         status: automated
 
     -   id: RHEL-09-232050

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/ansible/shared.yml

@@ -0,0 +1,34 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_user_initialization_files_regex") }}}
+
+
+- name: '{{{ rule_title }}} - Gather User Info'
+  ansible.builtin.getent:
+    database: passwd
+
+- name: '{{{ rule_title }}} - Find Init Files'
+  ansible.builtin.find:
+    paths: "{{ item.value[4] }}"
+    pattern: "{{ var_user_initialization_files_regex }}"
+    hidden: true
+    use_regex: true
+  with_dict: "{{ ansible_facts.getent_passwd }}"
+  when:
+    - item.value[4] != "/sbin/nologin"
+    - item.key not in ["nobody", "nfsnobody"]
+    - item.value[1] | int >= {{{ uid_min }}} or item.key == "root"
+  register: found_init_files
+
+- name: '{{{ rule_title }}} - Fix Init Files Permissions'
+  ansible.builtin.file:
+    path: "{{ item.1.path }}"
+    mode: u-s,g-wxs,o=
+  loop: "{{ q('ansible.builtin.subelements',
+              found_init_files.results,
+              'files',
+              {'skip_missing': True}) }}"

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/bash/shared.sh

@@ -0,0 +1,26 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_user_initialization_files_regex") }}}
+
+readarray -t interactive_users < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $1}' /etc/passwd)
+readarray -t interactive_users_home < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $6}' /etc/passwd)
+readarray -t interactive_users_shell < <(awk -F: '$3==0 || $3>={{{ uid_min }}}   {print $7}' /etc/passwd)
+
+USERS_IGNORED_REGEX='nobody|nfsnobody'
+
+for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
+    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
+        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
+
+        readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
+            -exec basename {} \; | grep -P "$var_user_initialization_files_regex")
+        for file in "${init_files[@]}"; do
+            chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
+        done
+    fi
+done
+

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/oval/shared.xml

@@ -0,0 +1,46 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("User initialization files have mode 0740 or less permissive") }}}
+        <criteria>
+            <criterion comment="Initialization files have mode 0740 or less permissive"
+                test_ref="test_{{{ rule_id }}}" />
+        </criteria>
+    </definition>
+
+    <unix:file_test id="test_{{{ rule_id }}}" check="all"
+                    check_existence="any_exist" version="1"
+                    comment="Init files have mode 0740 or less permissive">
+        <unix:object object_ref="object_{{{ rule_id }}}"/>
+        <unix:state state_ref="state_{{{ rule_id }}}"/>
+    </unix:file_test>
+
+    <unix:file_object id="object_{{{ rule_id }}}" version="1">
+        <unix:path var_ref="var_{{{ rule_id }}}_home_dirs" var_check="at least one"/>
+        <unix:filename operation="pattern match" var_ref="var_user_initialization_files_regex"/>
+    </unix:file_object>
+
+
+    <unix:file_state id="state_{{{ rule_id }}}" operator="AND" version="1">
+        <unix:suid datatype="boolean">false</unix:suid>
+        <unix:sgid datatype="boolean">false</unix:sgid>
+        <unix:sticky datatype="boolean">false</unix:sticky>
+        <unix:gwrite datatype="boolean">false</unix:gwrite>
+        <unix:gexec datatype="boolean">false</unix:gexec>
+        <unix:oread datatype="boolean">false</unix:oread>
+        <unix:owrite datatype="boolean">false</unix:owrite>
+        <unix:oexec datatype="boolean">false</unix:oexec>
+    </unix:file_state>
+
+
+    {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}}
+    {{{ create_interactive_users_list_object(interactive_users_object, include_root=True) }}}
+
+    <local_variable id="var_{{{ rule_id }}}_home_dirs" datatype="string" version="1"
+                    comment="Variable including all home dirs from interactive users">
+        <object_component item_field="home_dir"
+                        object_ref="{{{ interactive_users_object }}}"/>
+    </local_variable>
+
+    <external_variable comment="init files regex" datatype="int"
+        id="var_user_initialization_files_regex" version="1" />
+</def-group>

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/policy/stig/shared.yml

@@ -0,0 +1,28 @@
+srg_requirement: |-
+    All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.
+
+vuldiscussion: |-
+    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
+
+checktext: |-
+    Verify that all local initialization files have a mode of "0740" or less permissive with the following command:
+
+    Note: The example will be for the "wadea" user, who has a home directory of "/home/wadea".
+
+    $ sudo ls -al /home/wadea/.[^.]* | more
+
+    -rwxr-xr-x 1 wadea users 896 Mar 10 2011 .profile
+    -rwxr-xr-x 1 wadea users 497 Jan 6 2007 .login
+    -rwxr-xr-x 1 wadea users 886 Jan 6 2007 .something
+
+    If any local initialization files have a mode more permissive than "0740", this is a finding.
+
+fixtext: |-
+    Set the mode of the local initialization files to "0740" with the following command:
+
+    Note: The example will be for the wadea user, who has a home directory of "/home/wadea".
+
+    $ sudo chmod 0740 /home/wadea/.&ltINIT_FILE&gt
+
+vuln_discussion: |-
+    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml

@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
+
+description: |-
+    Set the mode of the user initialization files, including the <tt>root</tt> user,
+    to <tt>0740</tt> with the following commands:
+    <pre>
+    $ sudo chmod 0740 /root/.<i>INIT_FILE</i>
+    $ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i>
+    </pre>
+
+rationale: |-
+    Local initialization files are used to configure the user's shell environment
+    upon logon. Malicious modification of these files could compromise accounts upon
+    logon.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-87087-3
+
+references:
+    disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'they are not 0740 or more permissive'
+
+ocil: |-
+    To verify that all user initialization files have a mode of <tt>0740</tt> or
+    less permissive, run the following command:
+    <pre>$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)</pre>
+    There should be no output.
+
+fixtext: |-
+    Set the mode of the local initialization files to "0740" with the following command:
+
+    Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+    $ sudo chmod 0740 /home/smithj/.
+
+srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.'

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/all_permissions.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 7777 /home/dummy/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/common.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+for username in $(awk -F: '($3>={{{ uid_min }}} && $3!=65534) {print $1}' /etc/passwd)
+do
+    userdel -fr $username
+done
+
+touch /root/.init
+chmod 0740 /root/.init
+
+useradd -m dummy
+
+touch /home/dummy/.init
+chmod 0740 /home/dummy/.init
+
+touch /home/dummy/.ignored_file
+chmod 0777 /home/dummy/.ignored_file

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/correct_permissions.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/different_home_correct_permissions.pass.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+useradd -d /var/dummy2 dummy2
+
+touch /var/dummy2/.init
+chmod 0740 /var/dummy2/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/different_home_wrong_permissions.fail.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+useradd -d /var/dummy2 dummy2
+
+touch /var/dummy2/.init
+chmod 0750 /var/dummy2/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/lenient_permissions.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 0750 /home/dummy/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/lenient_permissions_root.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+touch /root/.init
+chmod 0750 /root/.init

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/tests/stricter_permissions.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# variables = var_user_initialization_files_regex=\.init
+
+source common.sh
+
+chmod 0700 /home/dummy/.init

shared/macros/10-oval.jinja

@@ -1151,12 +1151,29 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 
 :param object_id: Object id to be created.
 :type object_id: str
+:param include_root: If set to true, the "root" user account will be included to the list. Default: False.
+:type include_root: bool
 
 #}}
-{{%- macro create_interactive_users_list_object(object_id) -%}}
+{{%- macro create_interactive_users_list_object(object_id, include_root=False) -%}}
   {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
 
   <unix:password_object id="{{{ object_id }}}" version="1">
+    <set>
+      {{% if include_root %}}
+        <object_reference>{{{ object_id }}}_root</object_reference>
+      {{% endif %}}
+      <object_reference>{{{ object_id }}}_others</object_reference>
+    </set>
+  </unix:password_object>
+
+  {{% if include_root %}}
+    <unix:password_object id="{{{ object_id }}}_root" version="1">
+      <unix:username datatype="string" operation="equals">root</unix:username>
+    </unix:password_object>
+  {{% endif %}}
+
+  <unix:password_object id="{{{ object_id }}}_others" version="1">
     <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_{{{ rule_id }}}_users_uids</filter>
     <filter action="exclude">state_{{{ rule_id }}}_users_ignored</filter>

shared/references/cce-redhat-avail.txt

@@ -479,7 +479,6 @@ CCE-87083-2
 CCE-87084-0
 CCE-87085-7
 CCE-87086-5
-CCE-87087-3
 CCE-87091-5
 CCE-87092-3
 CCE-87093-1

tests/data/profile_stability/rhel9/stig.profile

@@ -281,7 +281,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_backup_etc_group
 - file_permissions_backup_etc_gshadow
 - file_permissions_backup_etc_passwd

tests/data/profile_stability/rhel9/stig_gui.profile

@@ -293,7 +293,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - file_permissions_backup_etc_group
 - file_permissions_backup_etc_gshadow
 - file_permissions_backup_etc_passwd