ansible-lockdown / RHEL8-STIG

Ansible role for Red Hat 8 STIG Baseline
https://ansible-lockdown.readthedocs.io
MIT License

RHEL-08-010740 PATCH Task fails if home directory is set to /dev/null #284

Open SeanathanVT opened 5 months ago

SeanathanVT commented 5 months ago

Describe the Issue On el8 baselines, the tss user’s home directory appears to be set to /dev/null. This causes the Task to fail as /dev/null is not a directory.

Expected Behavior Task should gracefully handle a situation where a user’s “home directory” is not actually a directory.

Actual Behavior Execution of the RHEL-08-010740 PATCH logic fails if a local user’s home directory (as defined in /etc/passwd) is not actually a directory due to the Task’s inclusion of “state: directory”. I acknowledge the intent behind this (why would a home directory not be a home directory?), but in the case of the tss user on el8 baselines, the home directory is not actually a directory.

Control(s) Affected RHEL-08-010740

Environment (please complete the following information):

Additional Notes

Possible Solution Either remove the “state: directory” definition or add a conditional that excludes an item if its path is /dev/null (ex. item.dir != '/dev/null') or filter based on shell (ex. item.shell != '/sbin/nologin'). Not sure how you guys would prefer to handle this situation, so I don’t want to assume the proper resolution. Also unsure how likely this is to surface with a non-directory defined as a home directory that isn’t /dev/null.

SeanathanVT commented 5 months ago

Looks like the logic introduced with the resolution of https://github.com/ansible-lockdown/RHEL8-STIG/issues/251 impacted both RHEL-08-010740 as well as RHEL-08-010741. The latter logic attempts to access transient paths under /proc/self that may have existed during initial query but not during attempted “resolution”.

As with the initial issue and its workaround (item.dir != '/dev/null'), I am currently working around this issue by excluding paths containing /proc/self ('/proc/self' not in item.dir). Filtering based on shell is probably cleaner.

SeanathanVT commented 5 months ago

Also, with https://github.com/ansible-lockdown/RHEL8-STIG/commit/2f81776ecc07b7b8a717077c4de0e69d2a353965#diff-35cfe8756c71552d3b6700a13f666c527fb0611caa46588369338d2d95f1eb49 we seem to be parsing all of /etc/passwd but arbitrarily filtering out the root, halt, sync, and shutdown users. If the task-specific conditionals that I referenced above are not the preferred way of resolving this, I would prefer to filter based on login shell (do not parse /sbin/nologin users as they are explicitly non-interactive), which would resolve issues with both referenced Controls, or at the very least add the nss user (for resolving the /dev/null problem with RHEL-08-010740) and then the dbus, nobody, system-coredump, systemd-resolve, polkitd, sssd, and clamscan users (for resolving the /proc/self problem with RHEL-08-010741) as their home directories are defined as /. Unsure if these are the only accounts that cause this issue with RHEL-08-010741. Need more testing.
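The filtering discussed in the comments above (skip accounts with a non-interactive login shell, skip accounts whose home is / or a /proc path, and skip any remaining home that is not a real directory, /dev/null included) written out as a standalone script. This is an added example, not code from the RHEL8-STIG role; the passwd lines are constructed, the shell list and the `/proc/` prefix match are assumptions generalised from the `/sbin/nologin` and `'/proc/self' not in item.dir` conditions proposed in the thread, and the `isdir` parameter exists only so the selection logic can be exercised without the sample paths existing on the machine running it.

```python
"""Select the /etc/passwd entries that a home-directory hardening task
(such as the RHEL-08-010740 PATCH) should act on, and record why the
others are skipped.  Added example; not part of the RHEL8-STIG role."""
import os

# Constructed sample in /etc/passwd format (not copied from any real host).
# It contains the cases reported in the issue: a /dev/null home on a
# nologin account (tss), homes set to / (dbus, nobody), and, as an extra
# edge case, a /dev/null home on an account that still has a login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
admin:x:1000:1000:Admin:/home/admin:/bin/bash
svc:x:1001:1001:Service:/dev/null:/bin/bash
"""

# Assumed list of shells that mark an account as non-interactive.
NON_INTERACTIVE_SHELLS = {
    "/sbin/nologin", "/usr/sbin/nologin",
    "/bin/false", "/usr/bin/false",
    "/bin/sync", "/sbin/halt", "/sbin/shutdown",
}


def parse_passwd(text):
    """Parse passwd-format text into dicts keyed like the role's items
    (name, uid, gid, dir, shell).  Malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "dir": home, "shell": shell})
    return entries


def select_home_candidates(entries, isdir=os.path.isdir):
    """Return (kept, skipped): kept is the list of entries whose home
    directory should be checked; skipped maps account name to the reason
    it was left out.  Checks are ordered so the cheapest wins."""
    kept, skipped = [], {}
    for e in entries:
        home = e["dir"]
        if e["shell"] in NON_INTERACTIVE_SHELLS:
            skipped[e["name"]] = "non-interactive shell"
        elif home == "/" or "/proc/" in home:
            # A task that walks these homes would descend into /proc,
            # where paths under /proc/self vanish between find and fix.
            skipped[e["name"]] = "home is / or a /proc path"
        elif not isdir(home):
            # Covers /dev/null (a character device) and dangling homes;
            # on a live host os.path.isdir("/dev/null") is already False.
            skipped[e["name"]] = "home path is not a directory"
        else:
            kept.append(e)
    return kept, skipped


def load_system_passwd(path="/etc/passwd"):
    """Read the real passwd file; only used when run as a script."""
    with open(path, encoding="utf-8") as fh:
        return parse_passwd(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample so the output is deterministic.
    kept, skipped = select_home_candidates(
        parse_passwd(SAMPLE_PASSWD),
        isdir=lambda p: p in {"/root", "/home/admin"})
    for e in kept:
        print(f"check  {e['name']:<8} {e['dir']}")
    for name, why in skipped.items():
        print(f"skip   {name:<8} {why}")
```

The same selection expressed as Ansible conditions on the role's parsed items would be `item.shell not in ['/sbin/nologin', '/usr/sbin/nologin', '/bin/false']` and `item.dir not in ['/', '/dev/null']` in the task's `when:`; the directory test has no direct `when:` equivalent, which is why the shell and path filters are applied first.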

SeanathanVT commented 5 months ago

This issue is still present in the latest (3.3.0 // V1R13) release.

uk-bolly commented 2 weeks ago

hi @SeanathanVT

Thank you for the detailed information. I can see this has been attempted to be addressed a few times, so as to utilise different data to ensure it's matching as expected. Apologies for not picking this up sooner. Running locally in testing, this appears to be addressed? Can you confirm if you are still seeing issues with the controls listed?

Many thanks

uk-bolly