
5.6.2 Use uid instead of gid for user loop #57

Closed
drscream opened this issue Apr 25, 2023 · 2 comments
Labels: bug (Something isn't working)

Comments

@drscream (Contributor)

Describe the Issue
The current code uses the GID to loop over the system accounts, with a test of smaller than min_int_uid. I think, based on the variable name, the UID should be used.

Expected Behavior
Use the UID to look up system accounts which are smaller than min_int_uid. That would result in only system accounts being found.

Actual Behavior
If a user's primary group is users, which is GID 100, it is matched as a system account.

Control(s) Affected

  • v8 3.3 Configure Data Access Control Lists
  • v7 14.6 Protect Information through Access Control Lists

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.14.5
  • Host Python Version: 3.10.9
  • Ansible Server Python Version: 3.10.9
  • Additional Details:

Additional Notes
If my assumption is wrong, maybe an additional variable min_int_gid should be added.

Possible Solution

diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 56b3d5f..3e49a46 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -13,7 +13,7 @@
             - item.id != "shutdown"
             - item.id != "halt"
             - item.id != "nfsnobody"
-            - item.gid < min_int_uid | int
+            - item.uid < min_int_uid | int
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
         loop_control:
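Review bot: the corrected condition `item.uid < min_int_uid | int` casts only the right-hand operand; if `item.uid` comes from parsed text rather than an integer value, the comparison becomes string-versus-int, which Jinja2 on Python 3 rejects with a TypeError. Suggest `item.uid | int < min_int_uid | int` so both sides are integers regardless of how the loop list was built.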
@@ -30,7 +30,7 @@
             - item.id != "sync"
             - item.id != "root"
             - item.id != "nfsnobody"
-            - item.gid < min_int_uid | int
+            - item.uid < min_int_uid | int
             - item.shell != "      /bin/false"
             - item.shell != "      /usr/sbin/nologin"
         loop_control:
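Review bot: this hunk repeats the one-line change from the first hunk, so the same integer-cast question applies here; beyond that, the two blocks exclude different names (`shutdown`/`halt` above, `sync`/`root` here), which looks intentional but is undocumented, and a short comment stating why each block has its own exclusion list would help the next reader. The surrounding context also compares against `"      /bin/false"` and `"      /usr/sbin/nologin"` with embedded leading spaces, which can only match if the loop data carries the same padding; worth confirming separately from this change.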
@drscream drscream added the bug Something isn't working label Apr 25, 2023
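To make the reported misclassification concrete, the following added example (not code from the issue or the role) re-implements the task's filter in Python over a constructed passwd-style list and runs it once keyed on gid and once keyed on uid. The record set, the min_int_uid value of 1000, and the exclusion lists are assumptions for the example; the role's real input format may differ.

```python
"""Compare the gid-based and uid-based system-account filter from the issue.

Constructed /etc/passwd-style records (not taken from any real host):
name:x:uid:gid:gecos:home:shell
"""

# Assumed value of the role's min_int_uid variable for this example.
MIN_INT_UID = 1000

# "alice" is an ordinary user whose primary group is "users" (GID 100),
# the situation described in the issue; "backup" is a genuine system
# account that happens to have an interactive shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc:x:999:999:service:/var/lib/svc:/bin/false
"""

# Names and shells excluded by the task's `when` conditions (merged from
# both hunks in the issue; the real task keeps two separate lists).
EXCLUDED_NAMES = {"root", "sync", "shutdown", "halt", "nfsnobody"}
EXCLUDED_SHELLS = {"/bin/false", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd-format text into dicts with the keys the task uses.

    uid and gid are cast to int here, which is what the `| int` filter in
    the Ansible condition guards against on the min_int_uid side.
    """
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        accounts.append(
            {"id": name, "uid": int(uid), "gid": int(gid), "shell": shell.strip()}
        )
    return accounts


def system_accounts(accounts, field, min_int_uid=MIN_INT_UID):
    """Return account names selected by the task's conditions.

    `field` is "gid" (the behaviour reported as a bug) or "uid" (the
    behaviour the issue expects). The shell comparison uses trimmed
    strings, so padding like the one in the task's context lines is
    irrelevant here.
    """
    return [
        a["id"]
        for a in accounts
        if a["id"] not in EXCLUDED_NAMES
        and a[field] < min_int_uid
        and a["shell"] not in EXCLUDED_SHELLS
    ]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("gid-based:", system_accounts(accounts, "gid"))  # includes alice
    print("uid-based:", system_accounts(accounts, "uid"))  # only backup
```

With the gid-based test, alice (UID 1001, primary GID 100) is selected alongside the real system account backup; with the uid-based test only backup remains, which is the outcome the issue's Expected Behavior describes.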
uk-bolly added a commit that referenced this issue May 16, 2023
great catch

Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly mentioned this issue May 16, 2023
@uk-bolly uk-bolly self-assigned this May 16, 2023
@uk-bolly (Member)

hi @drscream

Great catch, thank you for taking the time to feedback.
This issue is now added into the branch may23_updates with PR #62

many thanks

uk-bolly

@frederickw082922

Thank you @drscream for submitting the issue!
