Merge pull request #14370 from vojtapolasek/add_rule_home_dirs_on_separate_partition

Add rule accounts_user_interactive_home_directory_on_separate_partition

Author: Mab879

components/operating-system.yml

@@ -6,6 +6,7 @@ rules:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
+- accounts_user_interactive_home_directory_on_separate_partition
 - bios_assign_password
 - bios_disable_usb_boot
 - bios_enable_execution_restrictions

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml

@@ -0,0 +1,71 @@
+<def-group>
+  <definition class="compliance"
+              id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("All interactive user home directories must reside on a separate partition from root.", rule_title=rule_title) }}}
+    <criteria operator="OR">
+      <criterion test_ref="test_{{{ rule_id }}}"
+                 comment="All interactive user home directories are on a separate partition"/>
+      <criterion test_ref="test_{{{ rule_id }}}_no_interactive_users"
+                 comment="No interactive users exist on the system"/>
+    </criteria>
+  </definition>
+
+  <!-- ============================================================ -->
+  <!-- Part 1: Collect all non-root mount points from the system     -->
+  <!-- ============================================================ -->
+  <linux:partition_object id="object_{{{ rule_id }}}_non_root_partitions" version="1">
+    <linux:mount_point operation="not equal">/</linux:mount_point>
+  </linux:partition_object>
+
+  <!-- Build regex patterns from mount points: ^<mount_point>(/|$)
+       The (/|$) suffix prevents substring false matches, e.g.
+       mount point /home should not match home directory /home2/user -->
+  <local_variable id="var_{{{ rule_id }}}_mount_regex" datatype="string" version="1"
+                  comment="Regex patterns to match home dirs on non-root partitions">
+    <concat>
+      <literal_component>^</literal_component>
+      <object_component item_field="mount_point"
+                        object_ref="object_{{{ rule_id }}}_non_root_partitions"/>
+      <literal_component>(/|$)</literal_component>
+    </concat>
+  </local_variable>
+
+  <!-- ============================================================ -->
+  <!-- Part 2: Extract home directories of interactive users         -->
+  <!-- Interactive users: UID >= 1000, shell not nologin,             -->
+  <!-- username not nobody/nfsnobody                                 -->
+  <!-- ============================================================ -->
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_interactive_users" version="1">
+    <ind:filepath>/etc/passwd</ind:filepath>
+    <ind:pattern operation="pattern match"
+      >^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$)[^:]*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- ============================================================ -->
+  <!-- Part 3: Test that ALL interactive users' home directories     -->
+  <!-- match at least one non-root mount point regex                 -->
+  <!-- ============================================================ -->
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}"
+                              check="all" check_existence="at_least_one_exists"
+                              version="1"
+                              comment="All interactive user home dirs are on separate partitions">
+    <ind:object object_ref="object_{{{ rule_id }}}_interactive_users"/>
+    <ind:state state_ref="state_{{{ rule_id }}}_on_separate_partition"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_on_separate_partition" version="1">
+    <ind:subexpression operation="pattern match" var_check="at least one"
+                       var_ref="var_{{{ rule_id }}}_mount_regex"/>
+  </ind:textfilecontent54_state>
+
+  <!-- ============================================================ -->
+  <!-- Part 4: Handle edge case - no interactive users on system     -->
+  <!-- ============================================================ -->
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_no_interactive_users"
+                              check="all" check_existence="none_exist"
+                              version="1"
+                              comment="No interactive users exist on the system">
+    <ind:object object_ref="object_{{{ rule_id }}}_interactive_users"/>
+  </ind:textfilecontent54_test>
+</def-group>

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml

@@ -0,0 +1,48 @@
+documentation_complete: true
+
+title: 'All Interactive User Home Directories Must Reside On a Separate Partition'
+
+description: |-
+    All interactive user home directories must be located on a file system
+    partition separate from the root (<tt>/</tt>) partition. If any interactive
+    user's home directory resides directly on the root file system, a failure
+    of that file system or a user filling it up could impact system operation.
+
+rationale: |-
+    Ensuring that interactive user home directories are on a separate
+    partition from the root file system prevents users from filling the root
+    partition, which could result in system instability or denial of service.
+    It also allows administrators to apply more restrictive mount options
+    such as <tt>noexec</tt>, <tt>nosuid</tt>, and <tt>nodev</tt> to the
+    partition containing user home directories.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-90711-3
+
+references:
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'any interactive user home directory is on the root partition'
+
+ocil: |-
+    Verify that all interactive user home directories are on a separate
+    file system partition with the following commands:
+
+    List interactive users and their home directories:
+    <pre>$ awk -F: '($3&gt;={{{ uid_min }}})&amp;&amp;($7 !~ /nologin/){print $1, $6}' /etc/passwd</pre>
+
+    For each home directory listed, verify it is on a separate partition:
+    <pre>$ df &lt;home_directory&gt; | tail -1 | awk '{print $6}'</pre>
+
+    If the command returns <tt>/</tt> for any interactive user home directory,
+    this is a finding.
+
+fixtext: |-
+    Migrate interactive user home directories that reside on the root
+    file system to a separate partition.
+
+srg_requirement: 'All {{{ full_name }}} interactive user home directories must reside on a file system separate from the root partition.'
+
+platform: machine

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+# remediation = none
+
+{{{ bash_remove_interactive_users_from_passwd_by_uid() }}}
+
+mkdir -p /root_home
+useradd -m -d /root_home/testUser1 testUser1

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+. $SHARED/partition.sh
+
+{{{ bash_remove_interactive_users_from_passwd_by_uid() }}}
+
+umount /srv || true
+
+clean_up_partition /srv
+
+create_partition
+
+make_fstab_correct_partition_line /srv
+
+mount_partition /srv
+
+mkdir -p /srv/home
+useradd -m -d /srv/home/testUser1 testUser1

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# platform = multi_platform_all
+# remediation = none
+
+. $SHARED/partition.sh
+
+{{{ bash_remove_interactive_users_from_passwd_by_uid() }}}
+
+umount /srv || true
+
+clean_up_partition /srv
+
+create_partition
+
+make_fstab_correct_partition_line /srv
+
+mount_partition /srv
+
+mkdir -p /srv/home
+useradd -m -d /srv/home/testUser1 testUser1
+
+mkdir -p /root_home
+useradd -m -d /root_home/testUser2 testUser2

linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+{{{ bash_remove_interactive_users_from_passwd_by_uid() }}}

shared/references/cce-redhat-avail.txt

@@ -2342,7 +2342,6 @@ CCE-90705-5
 CCE-90706-3
 CCE-90707-1
 CCE-90710-5
-CCE-90711-3
 CCE-90715-4
 CCE-90720-4
 CCE-90721-2