RHEL-08-010740 PATCH Task fails if home directory is set to /dev/null

[SeanathanVT]

Describe the Issue On el8 baselines, the tss user’s home directory appears to be set to /dev/null. This causes the Task to fail as /dev/null is a not a directory.

Expected Behavior Task should gracefully handle a situation where a user’s "home directory” is not actually a directory.

Actual Behavior Execution of the RHEL-08-010740 PATCH logic fails if a local user’s home directory (as defined in /etc/passwd) is not actually a directory due to the Task’s inclusion of “state: directory”. I acknowledge the intent behind this (why would a home directory not be a home directory?), but in the case of the tss user on el8 baselines, the home directory is not actually a directory.

Control(s) Affected RHEL-08-010740

Environment (please complete the following information):

• branch being used: the latest release (STIG V1R12 April release)
• Ansible Version: 8.3.0
• Host Python Version: 3.11.5
• Ansible Server Python Version: 3.11.5
• Additional Details: N/A

Additional Notes

• https://access.redhat.com/solutions/6625061
• https://access.redhat.com/solutions/6996195

Possible Solution Either remove the “state: directory” definition or add a conditional that excludes an item if its path is /dev/null (ex. item.dir != '/dev/null') or filter based on shell (ex. item.shell != '/sbin/nologin'). Not sure how you guys would prefer to handle this situation, so I don’t want to assume the proper resolution. Also unsure how likely this is to surface with a non-directory defined as a home directory that isn’t /dev/null.

[SeanathanVT]

Looks like the logic introduced with the resolution of https://github.com/ansible-lockdown/RHEL8-STIG/issues/251 impacted both RHEL-08-010740 as well as RHEL-08-010741. The latter logic attempts to access transient paths under /proc/self that may have existed during initial query but not during attempted “resolution”.

As with the initial issue and its workaround (item.dir != '/dev/null'), I am currently working around this issue by excluding paths containing /proc/self ('/proc/self' not in item.dir). Filtering based on shell is probably cleaner.

[SeanathanVT]

Also, with https://github.com/ansible-lockdown/RHEL8-STIG/commit/2f81776ecc07b7b8a717077c4de0e69d2a353965#diff-35cfe8756c71552d3b6700a13f666c527fb0611caa46588369338d2d95f1eb49 we seem to be parsing all of /etc/passwd but arbitrarily filtering out the root, halt, sync, and shutdown users. If the task-specific conditionals that I referenced above are not the preferred way of resolving this, I would prefer to filter based on login shell (do not parse /sbin/nologin users as they are explicitly non-interactive) which would resolve issues with both referenced Controls, or at the very least add the nss user (for resolving the /dev/null problem with RHEL-08-010740) and then the dbus, nobody, system-coredump, systemd-resolve, polkitd, sssd, and clamscan users (for resolving the /proc/self problem with RHEL-08-010741) as their home directories are defined as /. Unsure if these are the only accounts that cause this issue with RHEL-08-010741.. Need more testing.

[SeanathanVT]

This issue is still present in the latest (3.3.0 // V1R13) release.

[uk-bolly]

hi @SeanathanVT

Thank you for the detailed information. I can see this has been attempted to be addressed a few times and so as to utilise different data to ensure its matching as expected. Apologies for not picking this up sooner. Running locally in testing this appears to be addressed? Can you confirm if you are still seeing issues with these control listed?

Many thanks

uk-bolly