From beb0e07f29ece7abdc861dd1909418653c573d06 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Fri, 25 Mar 2022 09:59:41 +0100
Subject: [PATCH 1/2] Exclude user nfsnobody when checking home directories

---
 .../file_groupownership_home_directories/oval/shared.xml | 9 +++++++++
 .../file_ownership_home_directories/oval/shared.xml      | 9 +++++++++
 .../file_permissions_home_directories/oval/shared.xml    | 9 +++++++++
 3 files changed, 27 insertions(+)

diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
index a1d1f2ef52e7..67aeffab0cdf 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
@@ -14,12 +14,21 @@
   <unix:password_object id="object_file_groupownership_home_directories_objects" version="1">
     <unix:username datatype="string" operation="not equal">nobody</unix:username>
     <filter action="include">state_file_groupownership_home_directories_interactive_gids</filter>
+  {{%- if product == 'rhel7' %}}
+    <filter action="exclude">state_file_permissions_groupownership_nfsnobody</filter>
+  {{%- endif %}}
   </unix:password_object>
 
   <unix:password_state id="state_file_groupownership_home_directories_interactive_gids" version="1">
     <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
   </unix:password_state>
 
+{{%- if product == 'rhel7' %}}
+  <unix:password_state id="state_file_permissions_groupownership_nfsnobody" version="1">
+    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  </unix:password_state>
+{{%- endif %}}
+
   <!-- #### prepare for test_file_groupownership_home_directories #### -->
   <local_variable id="var_file_groupownership_home_directories_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from primary interactive groups">
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
index 3d0b9aecbae3..a4a67f437092 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
@@ -23,6 +23,9 @@
   <unix:password_object id="object_file_ownership_home_directories_objects" version="1">
     <unix:username datatype="string" operation="not equal">nobody</unix:username>
     <filter action="include">state_file_ownership_home_directories_interactive_uids</filter>
+  {{%- if product == 'rhel7' %}}
+    <filter action="exclude">state_file_ownership_home_directories_nfsnobody</filter>
+  {{%- endif %}}
   </unix:password_object>
 
   <!--
@@ -34,6 +37,12 @@
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+{{%- if product == 'rhel7' %}}
+  <unix:password_state id="state_file_ownership_home_directories_nfsnobody" version="1">
+    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  </unix:password_state>
+{{%- endif %}}
+
   <!-- 
     #### prepare for test_file_groupownership_home_directories ####
     From the list of interactive users objects we create a local variable composed of their home dirs.
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
index 0cb261e2c579..d810d79d111b 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
@@ -12,12 +12,21 @@
   <unix:password_object id="object_file_permissions_home_directories_objects" version="1">
     <unix:username datatype="string" operation="not equal">nobody</unix:username>
     <filter action="include">state_file_permissions_home_directories_interactive_uids</filter>
+  {{%- if product == 'rhel7' %}}
+    <filter action="exclude">state_file_permissions_home_files_permissions_nfsnobody</filter>
+  {{%- endif %}}
   </unix:password_object>
 
   <unix:password_state id="state_file_permissions_home_directories_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+{{%- if product == 'rhel7' %}}
+  <unix:password_state id="state_file_permissions_home_files_permissions_nfsnobody" version="1">
+    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  </unix:password_state>
+{{%- endif %}}
+
   <!-- #### prepare for test_file_permissions_home_directories #### -->
   <local_variable id="var_file_permissions_home_directories_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">

From 037056764223a3740fb6702e864e3f2d041a8dba Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Fri, 25 Mar 2022 16:54:54 +0100
Subject: [PATCH 2/2] Define list of excluded users to check as shared variable

---
 .../oval/shared.xml                                  | 12 ++++--------
 .../oval/shared.xml                                  | 12 ++++--------
 .../oval/shared.xml                                  | 12 ++++--------
 .../oval/shared.xml                                  | 12 ++++--------
 .../file_ownership_home_directories/oval/shared.xml  | 12 ++++--------
 .../oval/shared.xml                                  | 12 ++++--------
 shared/macros-oval.jinja                             |  9 +++++++++
 7 files changed, 33 insertions(+), 48 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
index eb4774983738..180ded56be55 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
@@ -8,22 +8,18 @@
   </definition>
 
   <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>
-{{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_accounts_users_home_files_groupownership_nfsnobody</filter>
-{{%- endif %}}
+    <filter action="exclude">state_accounts_users_home_files_groupownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_accounts_users_home_files_groupownership_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_accounts_users_home_files_groupownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <local_variable id="var_accounts_users_home_files_groupownership_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
index 503cc5daf7a9..72becc081297 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
@@ -8,22 +8,18 @@
   </definition>
 
   <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>
-{{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_accounts_users_home_files_ownership_nfsnobody</filter>
-{{%- endif %}}
+    <filter action="exclude">state_accounts_users_home_files_ownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_accounts_users_home_files_ownership_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_accounts_users_home_files_ownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <local_variable id="var_accounts_users_home_files_ownership_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
index 1763f789ca47..39128ccea20a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
@@ -10,22 +10,18 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>
-{{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_accounts_users_home_files_permissions_nfsnobody</filter>
-{{%- endif %}}
+    <filter action="exclude">state_accounts_users_home_files_permissions_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_accounts_users_home_files_permissions_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_accounts_users_home_files_permissions_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <!-- #### prepare for test_file_permissions_home_directories #### -->
   <local_variable id="var_accounts_users_home_files_permissions_dirs" datatype="string" version="1"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
index 67aeffab0cdf..ed2b14b0c7f7 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
@@ -12,22 +12,18 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_file_groupownership_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_groupownership_home_directories_interactive_gids</filter>
-  {{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_file_permissions_groupownership_nfsnobody</filter>
-  {{%- endif %}}
+    <filter action="exclude">state_file_permissions_groupownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_file_groupownership_home_directories_interactive_gids" version="1">
     <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_file_permissions_groupownership_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_file_permissions_groupownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <!-- #### prepare for test_file_groupownership_home_directories #### -->
   <local_variable id="var_file_groupownership_home_directories_dirs" datatype="string" version="1"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
index a4a67f437092..d6f604f37b51 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
@@ -21,11 +21,9 @@
     create local variables composed by UIDs e Home Dirs.
   -->
   <unix:password_object id="object_file_ownership_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_ownership_home_directories_interactive_uids</filter>
-  {{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_file_ownership_home_directories_nfsnobody</filter>
-  {{%- endif %}}
+    <filter action="exclude">state_file_ownership_home_directories_user_list</filter>
   </unix:password_object>
 
   <!--
@@ -37,11 +35,9 @@
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_file_ownership_home_directories_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_file_ownership_home_directories_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <!-- 
     #### prepare for test_file_groupownership_home_directories ####
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
index d810d79d111b..54249e6a7f9f 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
@@ -10,22 +10,18 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_file_permissions_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_permissions_home_directories_interactive_uids</filter>
-  {{%- if product == 'rhel7' %}}
-    <filter action="exclude">state_file_permissions_home_files_permissions_nfsnobody</filter>
-  {{%- endif %}}
+    <filter action="exclude">state_file_permissions_home_files_permissions_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_file_permissions_home_directories_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
-{{%- if product == 'rhel7' %}}
-  <unix:password_state id="state_file_permissions_home_files_permissions_nfsnobody" version="1">
-    <unix:username datatype="string" operation="equals">nfsnobody</unix:username>
+  <unix:password_state id="state_file_permissions_home_files_permissions_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
   </unix:password_state>
-{{%- endif %}}
 
   <!-- #### prepare for test_file_permissions_home_directories #### -->
   <local_variable id="var_file_permissions_home_directories_dirs" datatype="string" version="1"
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index e9eac999a46d..01f39e005320 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -902,3 +902,12 @@
   {{%- endif %}}
 </def-group>
 {{%- endmacro %}}
+
+{{#
+  User list in form of regex that are excluded when checking user home directory permissions and ownerships.
+#}}
+{{%- if product in ["rhel7", "ol7"] %}}
+  {{%- set user_list="(nobody|nfsnobody)" %}}
+{{%- else %}}
+  {{%- set user_list="nobody" %}}
+{{%- endif %}}