RFE: Use numeric comparison in jinja macro create_local_interactive_users_object
Description of problem:
Jinja macro create_local_interactive_users_object
which generates OVAL objects related to local interactive users needs to be enhanced for better readability and for better customization abilities.
At this moment, the macro relies on the fact that local interactive users have UIDs greater than or equal to 1000 and that smaller UIDs are non-interactive. Moreover, the regular expression used there requires that the UID field consists of at least 4 digits. Therefore, it won't match users with UID consisting of 3 digits, i.e. less than or equal to 999.
It's been done this way because in OVAL textfilecontent54_object you can't have multiple different subexpression capturing groups in the regex, and I already need to capture the user name field in a subexpression. I think that to have a proper comparison with 1000 in the OVAL I would have to create one more layer of objects and variables.
This problem has been pointed out by @vojtapolasek during review of https://github.com/ComplianceAsCode/content/pull/10825. We decided to report the problem as an upstream RFE.
SCAP Security Guide Version:
A branch with https://github.com/ComplianceAsCode/content/pull/10825 merged in.
Operating System Version:
all
Steps to Reproduce:
- review create_local_interactive_users_object and the regexes used there
Actual Results:
Regular expression is used to determine interactive users.
Expected Results:
Numeric comparison of actual values of UIDs is used to determine interactive users.
Additional Information/Debugging Steps:
No.
Hey @jan-cerny, good work with the original fix which solves the main issue of not enumerating non-local accounts.
I expanded it a bit to also work on Ubuntu in #11589 but I agree that there is still room for improvement.
According to CIS (I checked only Ubuntu 20.04, Ubuntu 22.04 and RHEL8), the UID is not used to determine whether or not the user is interactive, so we might want to drop it altogether. Instead we could use the shells listed in /etc/shells as a qualifier for an interactive user, as suggested by CIS. Does that sound plausible?
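To make the difference concrete, here is an added Python example (not code from this issue or from the ComplianceAsCode project) contrasting the regex approach described in the issue, where the UID threshold is baked into the pattern as a digit count, with a numeric comparison that can be customized via uid_min and can optionally apply the /etc/shells qualifier proposed in the comment. The /etc/passwd lines, the shell list and the function names are constructed for illustration.

```python
import re

# Constructed sample of /etc/passwd lines (not taken from the issue).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
systemd-network:x:192:192:systemd Network Management:/:/usr/sbin/nologin
legacy:x:650:650:Legacy Account:/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001:Backup Job:/var/backup:/usr/sbin/nologin
bob:x:10000:10000:Bob:/home/bob:/bin/zsh
"""

# Constructed stand-in for the contents of /etc/shells.
SAMPLE_SHELLS = ["/bin/sh", "/bin/bash", "/bin/zsh"]

# Regex in the spirit of the macro described in the issue: the UID field
# must have at least four digits ("{4,}") and the user name is the single
# capturing group.  The threshold cannot be changed without rewriting
# the pattern, and 3-digit UIDs can never match.
INTERACTIVE_RE = re.compile(r"^([^:]+):[^:]*:[0-9]{4,}:")


def interactive_users_regex(passwd_text):
    """Return user names whose UID field has at least four digits."""
    users = []
    for line in passwd_text.splitlines():
        match = INTERACTIVE_RE.match(line)
        if match:
            users.append(match.group(1))
    return users


def interactive_users_numeric(passwd_text, uid_min=1000, shells=None):
    """Return user names with UID >= uid_min, compared as integers.

    If `shells` is given, the login shell must also be listed there,
    which is the /etc/shells qualifier suggested in the comment.
    """
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip malformed lines instead of failing
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid < uid_min:
            continue
        if shells is not None and shell not in shells:
            continue
        users.append(name)
    return users
```

With the default threshold both approaches agree, but only the numeric version can honour a lower UID_MIN (such as 500 on older systems) or exclude accounts whose shell is not in /etc/shells.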