From ae2b4f93e067d9cbe622718387838f4db844d0cb Mon Sep 17 00:00:00 2001 
From: Miha Purg Date: Fri, 13 Dec 2024 11:02:48 +0100 Subject: [PATCH 1/3] Implement rule file_permission_user_bash_history Rule checks that all interactive users have correct permissions on .bash_history (0600). Satisfies part of Ubuntu 24.04 CIS v1 7.2.10. --- components/pam.yml | 1 + .../bash/shared.sh | 20 ++++++++ .../oval/shared.xml | 46 +++++++++++++++++++ .../rule.yml | 29 ++++++++++++ .../tests/all_permissions.fail.sh | 5 ++ .../tests/common.sh | 14 ++++++ .../tests/correct_permissions.pass.sh | 3 ++ ...different_home_correct_permissions.pass.sh | 8 ++++ .../different_home_wrong_permissions.fail.sh | 8 ++++ .../tests/lenient_permissions.fail.sh | 5 ++ .../tests/lenient_permissions2.fail.sh | 5 ++ .../tests/stricter_permissions.pass.sh | 5 ++ 12 files changed, 149 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/all_permissions.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/common.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/correct_permissions.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_correct_permissions.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_wrong_permissions.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions.fail.sh create mode 100644 
linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions2.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/stricter_permissions.pass.sh
diff --git a/components/pam.yml b/components/pam.yml
index 577d57e6682..0590e268d07 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -150,6 +150,7 @@ rules:
 - file_owner_etc_motd
 - file_ownership_home_directories
 - file_ownership_lastlog
+- file_permission_user_bash_history
 - file_permission_user_init_files
 - file_permission_user_init_files_root
 - file_permissions_etc_issue
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh
new file mode 100644
index 00000000000..448ecd869a3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh
@@ -0,0 +1,20 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+readarray -t interactive_users < <(awk -F: '$3>={{{ uid_min }}} {print $1}' /etc/passwd)
+readarray -t interactive_users_home < <(awk -F: '$3>={{{ uid_min }}} {print $6}' /etc/passwd)
+readarray -t interactive_users_shell < <(awk -F: '$3>={{{ uid_min }}} {print $7}' /etc/passwd)
+
+USERS_IGNORED_REGEX='nobody|nfsnobody'
+
+for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
+  if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
+    [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
+
+ chmod u-sx,go= "${interactive_users_home[$i]}/.bash_history"
+ fi
+done
+
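Review bot: `chmod u-sx,go= "${interactive_users_home[$i]}/.bash_history"` runs without checking that the file exists, so any interactive account that has never written a history file makes chmod print an error and return non-zero, and when that account is the last one in /etc/passwd the loop's status, and with it the remediation's, is non-zero; guard it with `history_file="${interactive_users_home[$i]}/.bash_history"` followed by `if [ -f "$history_file" ]; then chmod u-sx,go= "$history_file"; fi`. The shell filter excludes only the literal `/sbin/nologin`, and on Ubuntu, the platform this rule is scoped to, system and service accounts are commonly given `/usr/sbin/nologin` or `/bin/false`, so they presumably pass the filter and hit that same missing-file path; matching on `*/nologin` and `/bin/false` (a `case` on the shell) would be safer. `grep -qP 'nobody|nfsnobody'` is also unanchored, so any username containing that substring is skipped rather than the two accounts the regex intends. The three `readarray` passes over /etc/passwd could be one `awk` emitting name, home and shell per line, read with `while IFS=$'\t' read -r user home shell`, which keeps the three values together by construction.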
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/oval/shared.xml new file mode 100644 index 00000000000..f8c4df47cf0 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/oval/shared.xml @@ -0,0 +1,46 @@ + + + {{{ oval_metadata("User Bash History File Has Correct Permissions") }}} + + + + + + + + + + + + + .bash_history + + + + + false + false + false + false + false + false + false + false + false + false + + + + {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} + {{{ create_interactive_users_list_object(interactive_users_object) }}} + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml new file mode 100644 index 00000000000..058802dccee --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml @@ -0,0 +1,29 @@ +documentation_complete: true + +title: 'Ensure User Bash History File Has Correct Permissions' + +description: |- + Set the mode of the bash history file to 0600 with the + following command: +
$ sudo chmod 0600 /home/USER/.bash_history
+
+rationale: |-
+    Incorrect permissions may enable malicious users to recover
+    other users' command history.
+
+severity: medium
+
+ocil_clause: 'file is not 0600 or more permissive'
+
+ocil: |-
+    To verify that .bash_history has a mode of 0600 or
+    less permissive, run the following command:
$ sudo find /home -type f -name '\.bash_history' -perm /0177
+ There should be no output.
+
+fixtext: |-
+    Set the mode of the bash history file to "0600" with the following command:
+
+    Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+
+    $ sudo chmod 0600 /home/smithj/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/all_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/all_permissions.fail.sh
new file mode 100644
index 00000000000..34feb0dd2be
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/all_permissions.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source common.sh
+
+chmod 7777 /home/dummy/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/common.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/common.sh
new file mode 100644
index 00000000000..068d874ec3a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/common.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+for username in $(awk -F: '($3>={{{ uid_min }}} && $3!=65534) {print $1}' /etc/passwd)
+do
+ userdel -fr $username
+done
+
+useradd -m dummy
+
+touch /home/dummy/.bash_history
+chmod 0600 /home/dummy/.bash_history
+
+touch /home/dummy/.ignored_file
+chmod 0777 /home/dummy/.ignored_file
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/correct_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/correct_permissions.pass.sh
new file mode 100644
index 00000000000..995227f244c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/correct_permissions.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+source common.sh
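Review bot: The `ocil` command `find /home -type f -name '\.bash_history' -perm /0177` inspects only `/home`, while the rule, its remediation and the `different_home_*` tests in this series (home under `/var/dummy2`) cover every interactive user's home wherever it lives, so a manual check following this text misses those users. It also tests only the 0177 bits, whereas the remediation's `chmod u-sx,go=` and the ten `false` flags in the OVAL state (which presumably include setuid, setgid and sticky) reject the special bits as well, so `-perm /7177` would agree with the automated check; since the remediation reads user homes from /etc/passwd, the prose could say so instead of assuming `/home`. `ocil_clause: 'file is not 0600 or more permissive'` states the opposite of the failing condition; `'the .bash_history file is more permissive than 0600'` is what the clause should say. The hunk's first lines (`documentation_complete`, `title`, `description`) appear on the preceding lines of the patch.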
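Review bot: `userdel -fr $username` leaves `$username` unquoted (ShellCheck SC2086), and the loop removes every account with a UID at or above `{{{ uid_min }}}` except 65534 on whatever host runs the fixture, so it should at least quote the expansion and take the names from a line-oriented read: `while IFS= read -r username; do userdel -fr "$username"; done < <(awk -F: '($3>={{{ uid_min }}} && $3!=65534) {print $1}' /etc/passwd)`. Excluding UID 65534 by number duplicates what the remediation script in this series excludes by name (`nobody|nfsnobody`); on a system where that account has a different UID the fixture and the check disagree, so `$1!="nobody"` alongside the UID test keeps them aligned. `useradd -m dummy` relies on the default `SHELL` from /etc/default/useradd being interactive for dummy to be considered by the rule at all; passing `-s /bin/bash` pins that precondition so the `.fail.sh` variants cannot pass for the wrong reason.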
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_correct_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_correct_permissions.pass.sh
new file mode 100644
index 00000000000..645cff42e12
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_correct_permissions.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source common.sh
+
+useradd -m -d /var/dummy2 dummy2
+
+touch /var/dummy2/.bash_history
+chmod 0600 /var/dummy2/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_wrong_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_wrong_permissions.fail.sh
new file mode 100644
index 00000000000..ef15244ac3d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/different_home_wrong_permissions.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source common.sh
+
+useradd -m -d /var/dummy2 dummy2
+
+touch /var/dummy2/.bash_history
+chmod 0750 /var/dummy2/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..f9016805e79
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source common.sh
+
+chmod 0604 /home/dummy/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions2.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions2.fail.sh
new file mode 100644
index 00000000000..8bcaabed6af
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/lenient_permissions2.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source common.sh
+
+chmod 0640 /home/dummy/.bash_history
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/stricter_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/stricter_permissions.pass.sh
new file mode 100644
index 00000000000..12e03ba889a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/tests/stricter_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source common.sh
+
+chmod 0400 /home/dummy/.bash_history
From 598b44ecb439914e30bffe9d86899475da68fe97 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Fri, 13 Dec 2024 11:27:10 +0100
Subject: [PATCH 2/3] Fix tests for file_permission_user_init_files
`useradd -d` does not automatically create a home directory in the Ubuntu 24.04 podman container
---
.../tests/different_home_correct_permissions.pass.sh | 2 +-
.../tests/different_home_wrong_permissions.fail.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_correct_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_correct_permissions.pass.sh
index 097f71cd355..24c5eb5570d 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_correct_permissions.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_correct_permissions.pass.sh
@@ -4,7 +4,7 @@ source common.sh
-useradd -d /var/dummy2 dummy2
+useradd -m -d /var/dummy2 dummy2
 touch /var/dummy2/.init
 chmod 0740 /var/dummy2/.init
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_wrong_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_wrong_permissions.fail.sh
index ac2414c3bf0..924be85e440 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_wrong_permissions.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/tests/different_home_wrong_permissions.fail.sh
@@ -4,7 +4,7 @@ source common.sh
-useradd -d /var/dummy2 dummy2
+useradd -m -d /var/dummy2 dummy2
 touch /var/dummy2/.init
 chmod 0750 /var/dummy2/.init
From 2bc7ec4329574d6bb348661d8377af335f29f1e6 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Fri, 13 Dec 2024 11:29:09 +0100
Subject: [PATCH 3/3] Add rules to ubuntu2404 CIS control 7.2.10
---
controls/cis_ubuntu2404.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 74a2cee01e6..d5a679627b9 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
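Review bot: `useradd -m -d /var/dummy2 dummy2`, in both hunks of this patch, still leaves dummy2's login shell to the `SHELL` default from /etc/default/useradd; if that default is a non-interactive shell the rule under test would presumably skip the account and `different_home_wrong_permissions.fail.sh` would pass for the wrong reason, so `useradd -m -d /var/dummy2 -s /bin/bash dummy2` pins the precondition the test actually depends on. The commit message attributes the missing home directory to the podman container, but `useradd` creates the home only with `-m` or when `CREATE_HOME` is enabled in /etc/login.defs, which I believe Ubuntu leaves unset, so the fix is right for any Ubuntu host and the message could say that rather than blaming the container. The same `useradd -m -d /var/dummy2 dummy2` pattern appears in the new `file_permission_user_bash_history` tests of PATCH 1/3 and deserves the same `-s`. Both scripts begin before these hunks.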
@@ -3069,12 +3069,12 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - no_rsh_trust_files
 - no_forward_files
 - no_netrc_files
- - accounts_user_dot_group_ownership
- - accounts_user_dot_no_world_writable_programs
 - accounts_user_dot_user_ownership
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/6.2.14,6.2.15,6.2.17,6.2.16.
+ - accounts_user_dot_group_ownership
+ - file_permission_user_init_files
+ - file_permission_user_bash_history
+ status: automated
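Review bot: `accounts_user_dot_no_world_writable_programs` is dropped from the control and `status: planned` becomes `status: automated` without a replacement rule or a `notes:` entry saying why it no longer applies, while the message of PATCH 1/3 in this series says the new `file_permission_user_bash_history` rule satisfies only part of 7.2.10; either keep that rule in the list or record the gap, e.g. `notes: accounts_user_dot_no_world_writable_programs removed from this control because <reason>; remaining gap: <what 7.2.10 still requires>`. The removed `notes:` line also carried the ubuntu2204 cross-reference (6.2.14, 6.2.15, 6.2.17, 6.2.16), which is worth preserving for whoever reconciles the two benchmarks. The control's `id:` and `title:` lines precede the hunk.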