
Add rule accounts_user_interactive_home_directory_on_separate_partition#14370

Merged
Mab879 merged 3 commits intoComplianceAsCode:masterfrom
vojtapolasek:add_rule_home_dirs_on_separate_partition
Feb 12, 2026

Conversation

@vojtapolasek
Collaborator

Description:

  • Add new rule accounts_user_interactive_home_directory_on_separate_partition that checks whether all interactive user home directories reside on a file system partition separate from the root (/) partition. The rule has medium severity, targets rhel8 (CCE-86459-5), and includes a custom OVAL check. No remediation is provided (check-only rule). The rule is added to the operating-system component and applies to the machine platform.
  • The OVAL check identifies interactive users (UID >= 1000, login shell, excluding nobody/nfsnobody) from /etc/passwd and verifies each home directory matches a non-root mount point.
  • Includes 4 test scenarios: home on root partition (fail), home on separate partition (pass), mixed users with one on root (fail), and no interactive users (pass).
  • LLM was used during creation of this rule

Rationale:

  • Ensuring interactive user home directories are on a separate partition from root prevents users from filling the root partition, which could cause system instability or denial of service. This also enables administrators to apply restrictive mount options (noexec, nosuid, nodev) to the user home partition.
  • Required by SRG-OS-000480-GPOS-00227.

Review Hints:

  • This is a single-commit PR that can be reviewed as a whole.
  • The rule is non-templated with a custom OVAL check — review the regex in oval/shared.xml carefully, particularly the /etc/passwd pattern match and the mount point regex construction.
  • Two of the test scenarios use # remediation = none since this is a check-only rule with no automated fix.
  • Build with: ./build_product --datastream-only rhel8
  • Test with: ./tests/automatus.py rule --libvirt qemu:///system rhel8 --datastream build/ssg-rhel8-ds.xml accounts_user_interactive_home_directory_on_separate_partition
  • Key files to review:
    • linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml
    • linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml
    • Test scenarios in tests/ subdirectory
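The selection logic the description outlines (interactive users taken from /etc/passwd, then each home directory resolved to its mount point and compared against /), written out as an added shell example; this is not the PR's OVAL or test-scenario code. It takes the minimum UID as a parameter rather than matching on digit count, treats any shell ending in /nologin or /false as non-interactive, and the account list and mount table are constructed sample data.

```shell
#!/bin/sh
# Constructed sample inputs standing in for /etc/passwd and /proc/mounts.
PASSWD_FILE=$(mktemp); MOUNTS_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
svc:x:1001:1001:service account:/var/lib/svc:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/srv/bob:/bin/bash
EOF
cat > "$MOUNTS_FILE" <<'EOF'
/dev/vda1 / xfs rw 0 0
/dev/vda2 /home xfs rw,nosuid,nodev,noexec 0 0
EOF

# interactive_users PASSWD UID_MIN: prints "user:home" for accounts with
# UID >= UID_MIN, a login shell, and a name other than nobody/nfsnobody.
# UID_MIN is a parameter (login.defs on a real host), not a digit pattern.
interactive_users() {
    awk -F: -v min="$2" '$3 >= min && $1 != "nobody" && $1 != "nfsnobody" &&
        $7 !~ "nologin$" && $7 !~ "/false$" { print $1 ":" $6 }' "$1"
}

# mount_point_of PATH MOUNTS: prints the longest mount point containing PATH.
mount_point_of() {
    awk -v p="$1" '{ mp = $2; n = length(mp)
        if (mp == "/" || p == mp || substr(p, 1, n + 1) == mp "/")
            if (n > best_n) { best = mp; best_n = n } }
        END { print best }' "$2"
}

# offending_users PASSWD MOUNTS UID_MIN: interactive users whose home is on "/".
offending_users() {
    interactive_users "$1" "$3" | while IFS=: read -r user home; do
        if [ "$(mount_point_of "$home" "$2")" = "/" ]; then echo "$user"; fi
    done
}

# check_home_partitions PASSWD MOUNTS UID_MIN: exit 0 = pass, 1 = fail.
check_home_partitions() {
    bad=$(offending_users "$1" "$2" "$3")
    [ -z "$bad" ] || { echo "FAIL: home on root partition: $bad"; return 1; }
    echo "PASS"
}

# On the sample data only bob (/srv/bob) sits on the root mount, so this fails.
check_home_partitions "$PASSWD_FILE" "$MOUNTS_FILE" 1000 || true
```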

@vojtapolasek vojtapolasek added this to the 0.1.80 milestone Feb 9, 2026
@vojtapolasek vojtapolasek added the New Rule Issues or pull requests related to new Rules. label Feb 9, 2026
@vojtapolasek vojtapolasek added the RHEL8 Red Hat Enterprise Linux 8 product related. label Feb 9, 2026
@Mab879 Mab879 self-assigned this Feb 9, 2026
@Mab879 Mab879 (Member) left a comment

Can you provide the STIG ref that you are using for this?

I will note that this PR doesn't seem to add this rule to any profiles. While this might be intentional, the reason why I am bringing this up is that the review instructions seem to assume that this PR added it.

<ind:textfilecontent54_object id="object_{{{ rule_id }}}_interactive_users" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$|/bin/false$)[^:]*$</ind:pattern>
Review comment (Member):

Should we include /usr/bin/false?

\d{3,} is doing some assuming of the min uid. This might be fine, but something to think about.
. $SHARED/partition.sh

awk -F':' '{if ($3>={{{ uid_min }}} && $3!= {{{ nobody_uid }}}) print $1}' /etc/passwd \
Review comment (Member):

Should this use bash_remove_interactive_users_from_passwd_by_uid()?

@vojtapolasek
Collaborator Author

/packit retest-failed

@vojtapolasek
Collaborator Author

Regarding the STIG ref, I did not include it here because after merging this PR, I wanted to add the new control in PR #14375, which updates the STIG references. I think that if I added the STIG control in the PR which adds the rule, it would cause tests to fail.

@vojtapolasek
Collaborator Author

I updated the OVAL to skip users which have '.nologin.' as a shell. I also use a macro in the test scenarios now.

@Mab879
Member

Mab879 commented Feb 10, 2026

/packit build

@Mab879
Member

Mab879 commented Feb 10, 2026

/retest-required

@Mab879
Member

Mab879 commented Feb 11, 2026

/retest-required

@vojtapolasek vojtapolasek force-pushed the add_rule_home_dirs_on_separate_partition branch from 5faa8ad to 1ad1c01 on February 11, 2026 15:34
@vojtapolasek
Collaborator Author

/packit retest-all

@vojtapolasek vojtapolasek force-pushed the add_rule_home_dirs_on_separate_partition branch from 1ad1c01 to 51e35d7 on February 12, 2026 10:59
@Mab879
Member

Mab879 commented Feb 12, 2026

Something is off, 9babdbf shouldn't be on this PR.

@vojtapolasek
Collaborator Author

/packit retest-failed

@Mab879 Mab879 (Member) left a comment

Please review the commits on this branch.

@vojtapolasek vojtapolasek force-pushed the add_rule_home_dirs_on_separate_partition branch from 51e35d7 to 663217e on February 12, 2026 14:03
@Mab879 Mab879 merged commit 9033391 into ComplianceAsCode:master Feb 12, 2026
139 of 143 checks passed