Fix oval failure in case of locked users #14397
jan-cerny merged 4 commits into ComplianceAsCode:master from
Skipping CI for Draft Pull Request.
Mab879 left a comment:
Please add a test for this change.
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="test_accounts_no_uid_except_root" version="1">
The test scenario other_user_uid_0.fail.sh fails for me. Can you take a look?
jcerny@fedora:~/work/git/scap-security-guide (pr/14397)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 accounts_no_uid_except_zero
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-18-0933/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
INFO - Script only_root.pass.sh using profile (all) OK
ERROR - Script other_user_uid_0.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
<def-group>
<definition class="compliance" id="accounts_no_uid_except_zero" version="1">
-{{{ oval_metadata("Only the root account should be assigned a user id of 0.", rule_title=rule_title) }}}
+{{{ oval_metadata("Only the root account should be assigned a user id of 0, or the account must be locked.", rule_title=rule_title) }}}
Please update the rule.yml in a similar notion.
👍 Updated descriptions in rule.yml in f1bb719
This datastream diff is auto generated by the check.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update.
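Review bot: nothing in this hunk relates to the UID 0 check this PR fixes; the change of the documented path from /etc/dconf/db/gdm.d to /etc/dconf/db/local.d in the dconf_gnome_disable_automount description looks like content the branch is missing from upstream master, which is why it shows up in the datastream diff at all. Rebasing on current master, as requested further down the thread, should make this and the other dconf hunks disappear; the diff is worth re-checking after the rebase to confirm that only the accounts_no_uid_except_zero and no_empty_passwords_etc_shadow changes remain.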
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false.
To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
Is it the case that GNOME automounting is not disabled?
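Review bot: the context line "If properly configured, the output for automount-openshould be false." is missing the space between "automount-open" and "should"; the same sentence appears correctly spaced in the dconf_gnome_disable_automount OCIL earlier in the diff, so this is a typo in the rule's OCIL template that is worth fixing while the file is being touched.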
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME autorun is not disabled?
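Review bot: same typo as in the automount-open OCIL: the context line "If properly configured, the output for autorun-nevershould be true." needs a space between "autorun-never" and "should".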
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false.
To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
+$ grep authentication-methods /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/authentication-methods
Is it the case that wireless network notification is enabled and not disabled?
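Review bot: the context lines of this OCIL contradict the rule they belong to. The description just above sets authentication-methods to ['vnc'], but the questionnaire says "If properly configured, the output should be false.", and the closing question asks whether "wireless network notification is enabled and not disabled", which has nothing to do with Vino credential prompting. Suggest "If properly configured, the output should be ['vnc']." and a question such as "Is it the case that remote access does not require credentials?".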
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true.
To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
+$ grep require-encryption /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/require-encryption
Is it the case that remote access connections are not encrypted?
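Review bot: the context command `$ gsettings get org.gnome.Vino require-encrpytion` misspells the key, so an auditor typing it verbatim gets an error rather than the value to compare. It should read `require-encryption`, matching the lock path /org/gnome/Vino/require-encryption a few lines below.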
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
[description]:
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle-activation-enabled is not enabled or configured?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
[description]:
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
-and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
+and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/gdm.d/00-security-settings:
+/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
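Review bot: the description's opening sentence in the context lines is ungrammatical ("is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the ... directory"). Suggest splitting it: "The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting. It must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification."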
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
+$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
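Review bot: the expected output in the context line "If properly configured, the output should be 'uint32 '." has no number after uint32, while the closing question does reference <sub idref="inactivity_timeout_value" />. The expected-output sentence appears to be missing the same variable substitution, so the reader is told to compare against an empty value; it should use the same <sub> element as the question.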
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,7 +2,6 @@
if rpm --quiet -q gdm; then
inactivity_timeout_value=''
-
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,8 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
+# apply fix for enable_dconf_user_profile, OVAL checks it
+
+
var_screensaver_lock_delay=''
-
# Check for setting in any of the DConf db directories
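Review bot: the lines this hunk adds are a comment ("# apply fix for enable_dconf_user_profile, OVAL checks it") followed by two blank lines, and it removes the blank line before the DConf comment; no statement implementing that fix is visible in the hunk. If the fix is emitted by a template below the shown context this is fine, otherwise the comment promises something the script does not do. Either way the change is unrelated to this PR and should vanish after rebasing on master.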
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
[description]:
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
Lock After Idle Period
community.general.ini_file:
- dest: /etc/dconf/db/gdm.d/00-security-settings
+ dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/lockdown
option: disable-lock-screen
value: 'false'
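Review bot: the task name in the context lines repeats itself ("Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver Lock After Idle Period"). The part after the dash should say what the task does, e.g. "- Set disable-lock-screen to false", in line with the second task's "- Prevent user modification of GNOME disable-lock-screen".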
@@ -105,7 +105,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
of GNOME disable-lock-screen
ansible.builtin.lineinfile:
- path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
+ path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
line: /org/gnome/desktop/lockdown/disable-lock-screen
create: true
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
[description]:
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
+$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not locked?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-readarray -t users_with_empty_pass < <(awk -F: '!$2 {print $1}' /etc/shadow)
+readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
for user_with_empty_pass in "${users_with_empty_pass[@]}"
do
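Review bot: adding `sudo` in front of `awk -F: '!$2 {print $1}' /etc/shadow` inside a bash remediation is questionable. Remediation scripts are executed as root by the scanner, so the call gains nothing there, while it adds a dependency on the sudo package and, when the script is run by a non-root user, a password prompt that a non-interactive run cannot answer, after which `users_with_empty_pass` is silently empty. Drop the `sudo` and keep the script's root requirement explicit instead.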
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -4,8 +4,8 @@
[description]:
If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
+be investigated and the accounts other than root should be removed, locked
+or have their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
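Review bot: the description now allows a non-root UID 0 account to be "locked" but does not say what locked means for the check. Since the OCIL further down relies on the password field in /etc/shadow starting with "!" or "*", say so here (e.g. "locked, meaning its password field in /etc/shadow begins with ! or *"), so that administrators know which form of locking the check recognises.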
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
+++ ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
@@ -2,5 +2,7 @@
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
+Also make sure that if non-root account with UID "0" exist, it is locked:
+$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow
Is it the case that any accounts other than "root" have a UID of "0"?
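Review bot: the added command `grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow` lists every account with a locked password, not the non-root UID 0 accounts printed by the awk command above it, so the reader has to correlate the two outputs by hand, and the closing question "Is it the case that any accounts other than "root" have a UID of "0"?" still treats every such account as a finding, contradicting the new sentence. Suggest restricting the grep to the names awk reported, e.g. `grep -E '^name:[!*]' /etc/shadow` for each of them, and rewording the question to "Is it the case that any account other than "root" has a UID of "0" and is not locked?". Reading /etc/shadow also requires root, which the "$" prompt does not convey.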
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -44,7 +44,7 @@
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
- loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'')
+ loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''equalto'', ''root'')
| list }}'
when:
- '"kernel-core" in ansible_facts.packages'
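Review bot: `equalto` is the right filter; `search` is a regex search that dropped every name merely containing "root" (the rootlocked test user, for instance) from the loop, so such UID 0 accounts were never locked. Two further points for this task: `ansible.builtin.command: passwd -l` reports changed on every run, so the remediation is not idempotent, and locking only satisfies the "locked" alternative the description offers, not "removed" or "UID changed". `ansible.builtin.user` with `password_lock: true` would give an idempotent lock with the same effect on the shadow entry.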
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C uid!=euid -F euid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
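Review bot: this hunk and the matching one for the egid branch below only insert blank lines around the OTHER_FILTERS assignment; no behaviour changes. It is unrelated to the UID 0 fix and should disappear once the branch is rebased on master; if it survives the rebase, the audit rule template has drifted and the blank lines are worth dropping to keep the generated script stable.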
@@ -326,7 +328,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C gid!=egid -F egid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
thanks 🙇 should be handled in f9e0fdd
/packit build
useradd --non-unique --uid 0 rootlocked
# configure password, otherwise user is locked
echo "rootlocked:password" | chpasswd
This test has revealed a bug in the Ansible remediation.
The Ansible code uses rejectattr('key', 'search', 'root') which performs a regex search, matching any username that contains "root" anywhere, e.g., rootlocked. These users would be silently skipped even if they had UID 0. I think it should use equalto for exact matching.
Please fix it; you can do it the following way:
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml
@@ -11,5 +11,5 @@
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
- loop: "{{ getent_passwd | dict2items | rejectattr('key', 'search', 'root') | list }}"
+ loop: "{{ getent_passwd | dict2items | rejectattr('key', 'equalto', 'root') | list }}"
when: item.value.1 == '0'|
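Review bot: the suggested change is correct, and the `when: item.value.1 == '0'` context line is what keeps the loop to UID 0 entries, since getent_passwd values are the remaining passwd fields with the UID at index 1. One thing to verify after applying it: with exact matching the loop now also visits an already locked account such as rootlocked, so the locked_user_uid_0.pass.sh scenario should confirm that running `passwd -l` on an already locked password is harmless and does not change the pass result.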
Please rebase the PR on top of the latest upstream master branch. That will solve all the red testing farm jobs.
Big thanks to @jan-cerny for catching a possible vulnerability 🙇
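The rejectattr('key', 'search', 'root') problem described in the review above, together with the "locked" condition the new OCIL and the test scenarios rely on, as an added Python example; it is not part of this PR or of the ComplianceAsCode content. The /etc/passwd and /etc/shadow lines are constructed, and the two Jinja filters are simulated with plain Python instead of being run through Ansible, so the assumed semantics (regex search versus exact equality, and `passwd -l` prefixing the hash with "!") are spelled out in the code:

```python
import re

# Constructed sample files (not from a real system): /etc/passwd and /etc/shadow
# with root, one locked UID-0 account, two unlocked UID-0 accounts and a normal user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rootlocked:x:0:0::/home/rootlocked:/bin/bash
rootbackup:x:0:0::/home/rootbackup:/bin/bash
toor:x:0:0::/home/toor:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
rootlocked:!$6$salt$hash:19000:0:99999:7:::
rootbackup:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the first field (account name) of each line to its full field list."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def uid0_accounts(passwd_text):
    """Same selection as the OCIL's awk -F: '$3 == 0 {print $1}' /etc/passwd."""
    return [f[0] for f in parse_colon_file(passwd_text).values() if f[2] == "0"]


def is_locked(shadow_fields):
    """Locked means the password field starts with '!' or '*', the convention the
    OCIL's grep -E '^[^:]+:[!*]...' pattern on /etc/shadow relies on."""
    return shadow_fields[1][:1] in ("!", "*")


def evaluate_rule(passwd_text, shadow_text):
    """Return (passes, offenders). The rule passes when every UID-0 account other
    than root has a locked password in /etc/shadow."""
    shadow = parse_colon_file(shadow_text)
    offenders = [
        name for name in uid0_accounts(passwd_text)
        if name != "root" and not (name in shadow and is_locked(shadow[name]))
    ]
    return (not offenders, offenders)


def remediation_targets(passwd_text, exact_match):
    """Accounts the Ansible loop would hand to `passwd -l`.
    exact_match=False mirrors rejectattr('key', 'search', 'root'): a regex search
    that also drops every name merely containing "root".
    exact_match=True mirrors rejectattr('key', 'equalto', 'root'): only root itself."""
    targets = []
    for name, fields in parse_colon_file(passwd_text).items():
        if fields[2] != "0":          # the task's `when: item.value.1 == '0'`
            continue
        rejected = name == "root" if exact_match else bool(re.search("root", name))
        if not rejected:
            targets.append(name)
    return targets


def lock_accounts(shadow_text, names):
    """Simulate `passwd -l` on the given accounts: prefix an unlocked hash with '!'."""
    lines = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] in names and not is_locked(fields):
            fields[1] = "!" + fields[1]
        lines.append(":".join(fields))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("before remediation:", evaluate_rule(SAMPLE_PASSWD, SAMPLE_SHADOW))
    for exact in (False, True):
        targets = remediation_targets(SAMPLE_PASSWD, exact)
        fixed = lock_accounts(SAMPLE_SHADOW, targets)
        print("equalto" if exact else "search", "locks", targets,
              "->", evaluate_rule(SAMPLE_PASSWD, fixed))
```

With the `search` filter the only account locked is toor, so rootbackup keeps an unlocked UID 0 password and the rule still fails after remediation; with `equalto` all three non-root UID 0 accounts are visited and the rule passes.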
jan-cerny left a comment:
I have run the test scenarios locally and they pass.
jcerny@fedora:~/work/git/scap-security-guide (pr/14397)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible accounts_no_uid_except_zero
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-23-0944/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
INFO - Script only_root.pass.sh using profile (all) OK
INFO - Script locked_user_uid_0.pass.sh using profile (all) OK
INFO - Script other_user_uid_0.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/14397)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 accounts_no_uid_except_zero
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-23-0946/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
INFO - Script only_root.pass.sh using profile (all) OK
INFO - Script locked_user_uid_0.pass.sh using profile (all) OK
INFO - Script other_user_uid_0.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/14397)$