
no_invalid_shell_accounts_unlocked: fix OVAL check to catch valid and invalid shell accounts#14792

Open
vojtapolasek wants to merge 1 commit into ComplianceAsCode:master from vojtapolasek:fix_invalid_shells

Conversation

@vojtapolasek

Collaborator

Description:

  • Fix the OVAL check for the no_invalid_shell_accounts_unlocked rule so it correctly detects systems with a mix of unlocked users having valid and invalid shells. Previously, the check used check="all" which could miss the failure case when both valid-shell and invalid-shell unlocked accounts coexisted. Changed to check="at least one" so the check properly triggers a finding.
  • Add a new test scenario (mixed_valid_invalid_shells.fail.sh) that covers this mixed-user case with one unlocked user having a valid shell (/bin/bash) and another having an invalid shell (/bin/invalid_shell).

Rationale:

  • The OVAL check logic did not correctly evaluate systems where unlocked accounts had a mixture of valid and invalid shells, leading to false negatives. This fix ensures compliance scanners properly flag such configurations.

Fixes: #14752

Review Hints:

  • Affected products: rhel8, rhel9, rhel10, sle15 (the OVAL is in oval/shared.xml)
  • Build any affected product to verify:
    ./build_product --datastream-only rhel9
    
  • Test with Automatus:
    ./tests/automatus.py rule --libvirt qemu:///session <vm_name> --datastream build/ssg-rhel9-ds.xml no_invalid_shell_accounts_unlocked
    
  • Key files to review:
    • linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/oval/shared.xml — the OVAL fix (check="all" → check="at least one")
    • linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/tests/mixed_valid_invalid_shells.fail.sh — new test scenario

… are mixed users with valid and invalid shells

add also test
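The following is an added illustration, not code from this PR or from the ComplianceAsCode OVAL itself, of why the `check` attribute decides the outcome on a mixed host. It models the rule's object as the set of unlocked accounts (shadow password field not prefixed with `!` or `*`) and its state as "login shell not listed in /etc/shells"; that modelling, the helper names (`collect_items`, `oval_test`, `rule_has_finding`) and the sample passwd/shadow/shells contents are assumptions made for the example. The authoritative logic is whatever oval/shared.xml actually expresses. The sample data mirrors the new test scenario: one unlocked user with /bin/bash, one unlocked user with /bin/invalid_shell, plus a locked user with an invalid shell that must not count.

```python
# Added model of the no_invalid_shell_accounts_unlocked logic; not the
# project's OVAL. The item set and state below are an assumption made to
# illustrate the check="all" vs check="at least one" difference.
from typing import Dict, List, Set, Tuple

# Constructed sample files standing in for /etc/passwd, /etc/shadow and
# /etc/shells on a host that mirrors the mixed test scenario.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/invalid_shell
carol:x:1002:1002::/home/carol:/bin/invalid_shell
"""
SHADOW = """\
root:$6$saltsalt$hashvalue:19700:0:99999:7:::
alice:$6$saltsalt$hashvalue:19700:0:99999:7:::
bob:$6$saltsalt$hashvalue:19700:0:99999:7:::
carol:!$6$saltsalt$hashvalue:19700:0:99999:7:::
"""
SHELLS = """\
/bin/sh
/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> login shell (7th field of /etc/passwd)."""
    shells: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> encrypted password field (2nd field of /etc/shadow)."""
    passwords: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        passwords[fields[0]] = fields[1]
    return passwords


def parse_shells(text: str) -> Set[str]:
    """Set of valid shells from /etc/shells (comments and blank lines ignored)."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def is_locked(password_field: str) -> bool:
    """passwd -l / usermod -L prefix the hash with '!'; '*' also blocks password login."""
    return password_field.startswith(("!", "*"))


def collect_items(passwd: str, shadow: str, shells: str) -> List[Tuple[str, bool]]:
    """Model of the OVAL object: every unlocked account, paired with whether it
    matches the state (login shell not listed in /etc/shells)."""
    valid = parse_shells(shells)
    user_shell = parse_passwd(passwd)
    user_pw = parse_shadow(shadow)
    items: List[Tuple[str, bool]] = []
    for user, shell in user_shell.items():
        if is_locked(user_pw.get(user, "!")):  # assumption: no shadow entry => treat as locked
            continue
        items.append((user, shell not in valid))
    return items


def oval_test(matches: List[bool], check: str) -> bool:
    """Evaluate an OVAL test's 'check' attribute over the per-item state results."""
    if not matches:  # default check_existence: at least one item must exist
        return False
    if check == "all":
        return all(matches)
    if check == "at least one":
        return any(matches)
    raise ValueError(f"unsupported check value: {check}")


def rule_has_finding(passwd: str, shadow: str, shells: str, check: str) -> bool:
    """True when the modelled test fires, i.e. the scanner reports the rule as failing."""
    matches = [bad for _user, bad in collect_items(passwd, shadow, shells)]
    return oval_test(matches, check)


if __name__ == "__main__":
    for check in ("all", "at least one"):
        print(f'check="{check}": finding={rule_has_finding(PASSWD, SHADOW, SHELLS, check)}')
```

With the mixed host the collected items are root (valid), alice (valid) and bob (invalid); carol is skipped because her shadow entry is locked. Under `check="all"` the test asks whether every unlocked account has an invalid shell, which is false here, so the rule passes and bob's unlocked invalid-shell account goes unreported (the false negative from issue #14752). Under `check="at least one"` the same items produce a finding. On a host where every unlocked account has an invalid shell both settings agree, which is why the old check looked correct in the single-user scenarios.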
@vojtapolasek vojtapolasek added this to the 0.1.82 milestone Jun 11, 2026
@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. RHEL Red Hat Enterprise Linux product related. OVAL OVAL update. Related to the systems assessments. labels Jun 11, 2026
@openshift-ci

openshift-ci Bot commented Jun 11, 2026


@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name           | Commit  | Details | Required | Rerun command
ci/prow/4.21-images | 3e5e0a9 | link    | true     | /test 4.21-images
ci/prow/4.20-images | 3e5e0a9 | link    | true     | /test 4.20-images


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.



Development

Successfully merging this pull request may close these issues.

Rule no_invalid_shell_accounts_unlocked succeeds when there is a mix of unlocked users with valid and invalid shells
