Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined #12527
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' differs.
--- xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
+++ xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
@@ -34,6 +34,7 @@
when:
- item.value[2]|int >= 1000
- item.value[2]|int != 65534
+ - item.value[2]|int < 61184 or item.value[2]|int > 65519
- not item.value[4] | regex_search('^\/\w*\/\w{1,}')
tags:
- CCE-84036-3 |
product_properties/10-ids.yml
Outdated
| @@ -5,3 +5,4 @@ default: | |||
| nobody_gid: 65534 | |||
| nobody_uid: 65534 | |||
| auid: 1000 | |||
| uid_max: 60000 | |||
There was a problem hiding this comment.
Maybe the number can be this one, per http://0pointer.net/blog/dynamic-users-with-systemd.html, you can see it few lines under the heading called "Introducing dynamic users".
| uid_max: 60000 | |
| uid_max: 60183 |
Mab879
force-pushed
the
fix_systemd_dyn_users_interactive_home
branch
from
651fc7e
to
d8f7855
Compare
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
...ccounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
Outdated
Show resolved
Hide resolved
|
/packit build |
…interactive_home_directory_defined/ansible/shared.yml Co-authored-by: vojtapolasek <[email protected]>
Mab879
force-pushed
the
fix_systemd_dyn_users_interactive_home
branch
from
d7e008e
to
708fc41
Compare
|
Code Climate has analyzed commit 708fc41 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
|
@Mab879 There is a failing Automatus test on SLE which seems valid. |
This isn't a new issue, it is also failing on master. At least testing with OpenSUSE. |
|
OK @Mab879 merging. Thank you. |
|
/packit retest-failed |
vojtapolasek
merged commit 06cc241
into
ComplianceAsCode:master
Description:
To skip systemd dynamic users.
Since accounts_user_interactive_home_directory_defined only works on local users this should be fine.
Since bash remediation accesses
/etc/passwddirectly and the systemd dynamic users do not show up in that file, the bash remediation was not updated.Rationale:
Fix Ansible playbook failures.