Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

All user accounts are locked during hardening execution #21

Closed
fgierlinger opened this issue Aug 15, 2022 · 3 comments
Closed

All user accounts are locked during hardening execution #21

fgierlinger opened this issue Aug 15, 2022 · 3 comments
Assignees

Comments

@fgierlinger
Copy link

fgierlinger commented Aug 15, 2022

Describe the Issue
There seems to be a logic flaw when detecting system accounts. The condition checks if the threshold min_int_uid is smaller than the user id of user accounts, instead of checking if the user id is smaller than min_int_uid.

Let's assume a user has the uid 1001 and a group named after the user with the group id 1001 and is therefore considered not a system account. In the tasks 5.6.2 the min_int_uid is checked if it is smaller than the user group id. Since 1000 is smaller than 1001 the user account is set to no login and locked.

- name: "5.6.2 | Ensure system accounts are secured | Set nologin"
user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- min_int_uid | int < item.gid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
user:
name: "{{ item.id }}"
password_lock: true
with_items:
- "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- min_int_uid | int < item.gid
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
label: "{{ item.id }}"

Further is the comparison of the group id (gid) instead of the user id (uid) to the min_int_uid intentional? I noticed that the comparison of the group id with min_int_uid is consistent with rhel8-cis and rhel7-cis.

https://github.com/ansible-lockdown/RHEL8-CIS/blob/33d4c643cbf8c22f6f1ed784e7c70e479630685e/tasks/section_5/cis_5.6.x.yml#L16

https://github.com/ansible-lockdown/RHEL7-CIS/blob/90f3d9a5fecebb75e16afe32ba096bf7817cd034/tasks/section_5/cis_5.5.x.yml#L17

Expected Behavior
Only accounts with the uid smaller than min_int_uid are locked.

Actual Behavior
All accounts with the uid bigger than min_int_uid are locked.

Control(s) Affected
5.6.2

Environment (please complete the following information):

  • branch being used: level (f769197)
  • Ansible Version: 4.10.0 (core 2.11.12)
  • Host Python Version: 3.9.10
  • Ansible Server Python Version: 3.6.8
  • Additional Details: -

Additional Notes

Possible Solution
Change the conditional from min_int_uid | int < item.gid to item.gid < min_int_uid | int.

uk-bolly added a commit that referenced this issue Aug 23, 2022
@uk-bolly uk-bolly self-assigned this Aug 23, 2022
@uk-bolly
Copy link
Member

hi @fgierlinger

Thank you again for the feedback on this new repository, prior to the PR approval i have managed to add this correcting in aswell.

Many thanks once again
uk-bolly

@fgierlinger
Copy link
Author

@uk-bolly Further: is the comparison of the group id (gid) instead of the user id (uid) to the min_int_uid intentional? I noticed that the comparison of the group id with min_int_uid is consistent with rhel8-cis and rhel7-cis.

@uk-bolly
Copy link
Member

hi @fgierlinger

We have been trying to keep it consistent across them all. Does this now work as expected?

Many thanks

uk-bolly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants