Merge fixes from v0.1.61 stabilization into master (#2)

docs/templates/template_reference.md

@@ -259,6 +259,8 @@
 
     -   **filepath** - File path to be checked. If the file path ends
         with `/` it describes a directory. Can also be a list of paths.
+        If **file_regex** is not specified, the rule will only check
+        and remediate directories.
 
     -   **filepath_is_regex** - If set to `"true"` the OVAL will
         consider the value of **filepath** as a regular expression.
@@ -294,6 +296,8 @@ they must be of the same length.
 
     -   **filepath** - File path to be checked. If the file path ends
         with `/` it describes a directory. Can also be a list of paths.
+        If **file_regex** is not specified, the rule will only check
+        and remediate directories.
 
     -   **filepath_is_regex** - If set to `"true"` the OVAL will
         consider the value of **filepath** as a regular expression.
@@ -329,6 +333,8 @@ they must be of the same length.
 
     -   **filepath** - File path to be checked. If the file path ends
         with `/` it describes a directory. Can also be a list of paths.
+        If **file_regex** is not specified, the rule will only check
+        and remediate directories.
 
     -   **filepath_is_regex** - If set to `"true"` the OVAL will
         consider the value of **filepath** as a regular expression.

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml

@@ -8,14 +8,19 @@
   </definition>
 
   <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>
+    <filter action="exclude">state_accounts_users_home_files_groupownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>
   </unix:password_state>
 
+  <unix:password_state id="state_accounts_users_home_files_groupownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <local_variable id="var_accounts_users_home_files_groupownership_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">
     <object_component item_field="home_dir"

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml

@@ -8,14 +8,19 @@
   </definition>
 
   <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>
+    <filter action="exclude">state_accounts_users_home_files_ownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+  <unix:password_state id="state_accounts_users_home_files_ownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <local_variable id="var_accounts_users_home_files_ownership_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">
     <object_component item_field="home_dir"

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml

@@ -10,14 +10,19 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>
+    <filter action="exclude">state_accounts_users_home_files_permissions_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+  <unix:password_state id="state_accounts_users_home_files_permissions_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <!-- #### prepare for test_file_permissions_home_directories #### -->
   <local_variable id="var_accounts_users_home_files_permissions_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">

linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml

@@ -12,14 +12,19 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_file_groupownership_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_groupownership_home_directories_interactive_gids</filter>
+    <filter action="exclude">state_file_permissions_groupownership_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_file_groupownership_home_directories_interactive_gids" version="1">
     <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
   </unix:password_state>
 
+  <unix:password_state id="state_file_permissions_groupownership_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <!-- #### prepare for test_file_groupownership_home_directories #### -->
   <local_variable id="var_file_groupownership_home_directories_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from primary interactive groups">

linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml

@@ -21,8 +21,9 @@
     create local variables composed by UIDs e Home Dirs.
   -->
   <unix:password_object id="object_file_ownership_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_ownership_home_directories_interactive_uids</filter>
+    <filter action="exclude">state_file_ownership_home_directories_user_list</filter>
   </unix:password_object>
 
   <!--
@@ -34,6 +35,10 @@
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+  <unix:password_state id="state_file_ownership_home_directories_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <!-- 
     #### prepare for test_file_groupownership_home_directories ####
     From the list of interactive users objects we create a local variable composed of their home dirs.

linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml

@@ -10,14 +10,19 @@
   <!-- For detailed comments about logic used in this OVAL, check the
        "file_ownership_home_directories" rule. -->
   <unix:password_object id="object_file_permissions_home_directories_objects" version="1">
-    <unix:username datatype="string" operation="not equal">nobody</unix:username>
+    <unix:username datatype="string" operation="pattern match">.*</unix:username>
     <filter action="include">state_file_permissions_home_directories_interactive_uids</filter>
+    <filter action="exclude">state_file_permissions_home_files_permissions_user_list</filter>
   </unix:password_object>
 
   <unix:password_state id="state_file_permissions_home_directories_interactive_uids" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
   </unix:password_state>
 
+  <unix:password_state id="state_file_permissions_home_files_permissions_user_list" version="1">
+    <unix:username datatype="string" operation="pattern match">^{{{ user_list }}}$</unix:username>
+  </unix:password_state>
+
   <!-- #### prepare for test_file_permissions_home_directories #### -->
   <local_variable id="var_file_permissions_home_directories_dirs" datatype="string" version="1"
                   comment="Variable including all home dirs from interactive users">

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml

@@ -69,5 +69,6 @@ template:
             - /lib64/
             - /usr/lib/
             - /usr/lib64/
+        recursive: 'true'
         file_regex: ^.*$
         fileuid: '0'

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/dir/"
+
+mkdir $TESTDIR
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The check ignores this symlink and results in pass
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml

@@ -70,5 +70,6 @@ template:
             - /lib64/
             - /usr/lib/
             - /usr/lib64/
+        recursive: 'true'
         file_regex: ^.*$
         filemode: '0755'

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh

@@ -2,6 +2,5 @@
 
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
-    find "$dirPath" -type d -exec chmod go-w '{}' \;
     find "$dirPath" -type f -exec chmod go+w '{}' \;
 done

linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml

@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8
+
+title: 'Uninstall libreport-plugin-logger Package'
+
+description: |-
+    {{{ describe_package_remove(package="libreport-plugin-logger") }}}
+
+rationale: |-
+    <tt>libreport-plugin-logger</tt> is a ABRT plugin to report bugs into the
+    Red Hat Support system.
+
+severity: low
+
+identifiers:
+    cce@rhel8: CCE-89201-8
+
+references:
+    disa: CCI-000381
+    srg: SRG-OS-000095-GPOS-00049
+    stigid@ol8: OL08-00-040001
+    stigid@rhel8: RHEL-08-040001
+
+{{{ complete_ocil_entry_package(package="libreport-plugin-logger") }}}
+
+template:
+    name: package_removed
+    vars:
+        pkgname: libreport-plugin-logger

linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml

@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8
+
+title: 'Uninstall libreport-plugin-rhtsupport Package'
+
+description: |-
+    {{{ describe_package_remove(package="libreport-plugin-rhtsupport") }}}
+
+rationale: |-
+    <tt>libreport-plugin-rhtsupport</tt> is a ABRT plugin to report bugs into the
+    Red Hat Support system.
+
+severity: low
+
+identifiers:
+    cce@rhel8: CCE-88955-0
+
+references:
+    disa: CCI-000381
+    srg: SRG-OS-000095-GPOS-00049
+    stigid@ol8: OL08-00-040001
+    stigid@rhel8: RHEL-08-040001
+
+{{{ complete_ocil_entry_package(package="libreport-plugin-rhtsupport") }}}
+
+template:
+    name: package_removed
+    vars:
+        pkgname: libreport-plugin-rhtsupport

products/ol8/profiles/ospp.profile

@@ -199,10 +199,12 @@ selections:
     - package_nfs-utils_removed
     - package_krb5-workstation_removed
     - package_abrt-addon-kerneloops_removed
-    - package_abrt-addon-python_removed
+    - package_python3-abrt-addon_removed
     - package_abrt-addon-ccpp_removed
     - package_abrt-plugin-sosreport_removed
     - package_abrt-cli_removed
+    - package_libreport-plugin-rhtsupport_removed
+    - package_libreport-plugin-logger_removed
     - package_abrt_removed
 
     ### Login

products/rhel8/profiles/ospp.profile

@@ -210,6 +210,8 @@ selections:
     - package_abrt-addon-ccpp_removed
     - package_abrt-plugin-sosreport_removed
     - package_abrt-cli_removed
+    - package_libreport-plugin-rhtsupport_removed
+    - package_libreport-plugin-logger_removed
     - package_abrt_removed
 
     ### Login

products/rhel8/profiles/stig.profile

@@ -931,6 +931,8 @@ selections:
     - package_python3-abrt-addon_removed
     - package_abrt-cli_removed
     - package_abrt-plugin-sosreport_removed
+    - package_libreport-plugin-rhtsupport_removed
+    - package_libreport-plugin-logger_removed
 
     # RHEL-08-040002
     - package_sendmail_removed

products/rhel9/product.yml

@@ -22,11 +22,11 @@ dconf_gdm_dir: "distro.d"
 # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
 pkg_release: "4ae0493b"
 pkg_version: "fd431d51"
-aux_pkg_release: "5b32db75"
-aux_pkg_version: "d4082792"
+aux_pkg_release: "6229229e"
+aux_pkg_version: "5a6340b3"
 
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
 oval_feed_url: "https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2"
 
 cpes_root: "../../shared/applicability"

shared/macros-oval.jinja

@@ -902,3 +902,12 @@
   {{%- endif %}}
 </def-group>
 {{%- endmacro %}}
+
+{{#
+  User list in form of regex that are excluded when checking user home directory permissions and ownerships.
+#}}
+{{%- if product in ["rhel7", "ol7"] %}}
+  {{%- set user_list="(nobody|nfsnobody)" %}}
+{{%- else %}}
+  {{%- set user_list="nobody" %}}
+{{%- endif %}}

shared/references/cce-redhat-avail.txt

@@ -2854,7 +2854,6 @@ CCE-88951-9
 CCE-88952-7
 CCE-88953-5
 CCE-88954-3
-CCE-88955-0
 CCE-88956-8
 CCE-88957-6
 CCE-88958-4
@@ -3085,7 +3084,6 @@ CCE-89197-8
 CCE-89198-6
 CCE-89199-4
 CCE-89200-0
-CCE-89201-8
 CCE-89202-6
 CCE-89203-4
 CCE-89204-2

shared/templates/file_groupowner/ansible.template

@@ -5,32 +5,42 @@
 # disruption = low
 
 {{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
+{{% if IS_DIRECTORY %}}
+{{% if FILE_REGEX %}}
+
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}}
 
-- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
   find:
     paths: "{{{ path }}}"
     patterns: {{{ FILE_REGEX[loop.index0] }}}
     use_regex: yes
+{{% if RECURSIVE %}}
+    recurse: yes
+{{% endif %}}
     hidden: yes
   register: files_found
 
 - name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
   file:
     path: "{{ item.path }}"
     group: "{{{ FILEGID }}}"
+    state: file
+  when: item.gid != {{{ FILEGID }}}
   with_items:
     - "{{ files_found.files }}"
 
-{{% elif IS_DIRECTORY and RECURSIVE %}}
+{{% else %}}
 
-- name: Ensure group owner on {{{ path }}} recursively
+- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
   file:
     path: "{{{ path }}}"
     state: directory
+{{% if RECURSIVE %}}
     recurse: yes
+{{% endif %}}
     group: "{{{ FILEGID }}}"
 
+{{% endif %}}
 {{% else %}}
 
 - name: Test for existence {{{ path }}}