-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
rhel-10.0
-
None
-
Minor
-
Customer Reported
-
sst_pt_pcp
-
ssg_platform_tools
-
1
-
Dev ack
-
False
-
-
Red Hat Enterprise Linux
-
-
All
What were you trying to do that didn't work?
A customer has pcp-testsuite installed on his systems for some reason. This leads to having a pcpqa user be automatically created as a system user (UID < 1000) but with a /bin/bash shell, due to having the following RPM scriptlet:
echo u pcpqa - \"PCP Quality Assurance\" /var/lib/pcp/testsuite /bin/bash | \ systemd-sysusers --replace=/usr/lib/sysusers.d/pcp-testsuite.conf -
This is problematic when CIS hardening is performed, because system users must have a nologin shell: rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts ("Ensure that System Accounts Do Not Run a Shell Upon Login"):
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin account
Please provide the package NVR for which bug is seen:
pcp-testsuite-6.2.0-2.el9_4
How reproducible:
N/A