Clone implementation of file_permissions_library_dirs to dir_permissions_library_dirs
1 parent
3db029f
commit 25576d5
Showing
9 changed files
with
147 additions
and
0 deletions.
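--- a/...s/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
+++ b/...s/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
@@ -0,0 +1,18 @@
+# platform = SUSE Linux Enterprise 15
+# reboot = false
+# strategy = restrict
+# complexity = high
+# disruption = medium
+- name: "Read list of world and group writable subdirectories in libraries directories"
+command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d"
+register: world_writable_library_dirs
+changed_when: False
+failed_when: False
+check_mode: no
+
+- name: "Disable world/group writability to library files"
+file:
+path: "{{ item }}"
+mode: "go-w"
+with_items: "{{ world_writable_library_dirs.stdout_lines }}"
+when: world_writable_library_dirs.stdout_lines | length > 0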
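Review bot: The second task is still named for the cloned file rule, `- name: "Disable world/group writability to library files"`, while its item list comes from a `-type d` find, so the `file:` module here only ever touches directories; rename it to `- name: "Disable world/group writability to library directories"` so play output says what was changed. The first task's inherited wording `libraries directories` reads better as `library directories`. Note also that this play is limited to directories, so any non-directory entry the OVAL for this rule reports will not be corrected by it.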
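--- a/...sions/files/permissions_within_important_dirs/dir_permissions_library_dirs/bash/shared.sh
+++ b/...sions/files/permissions_within_important_dirs/dir_permissions_library_dirs/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+done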
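Review bot: The four-path loop is a style point only: `find` accepts several starting points, so the whole body collapses to one invocation, `find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod go-w '{}' +`, which also batches the chmod calls instead of forking one per directory. That is the single-command form the Ansible remediation in this commit already uses. The same loop appears verbatim in tests/all_dirs_ok.pass.sh.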
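--- a/...ions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
+++ b/...ions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+<definition class="compliance" id="dir_permissions_library_dirs" version="1">
+{{{ oval_metadata("
+Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+objects therein, are not group-writable or world-writable.
+") }}}
+<criteria operator="AND">
+<criterion test_ref="dir_test_perms_lib_dir" />
+<criterion test_ref="dir_test_perms_lib_files" />
+</criteria>
+</definition>
+
+<unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="dir_test_perms_lib_dir" version="1">
+<unix:object object_ref="dir_object_file_permissions_lib_dir" />
+</unix:file_test>
+
+<unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="dir_test_perms_lib_files" version="1">
+<unix:object object_ref="dir_object_file_permissions_lib_files" />
+</unix:file_test>
+
+<unix:file_object comment="library directories" id="dir_object_file_permissions_lib_dir" version="1">
+<!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+<unix:filename xsi:nil="true" />
+<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
+<filter action="exclude">dir_perms_state_symlink</filter>
+</unix:file_object>
+
+<unix:file_object comment="library files" id="dir_object_file_permissions_lib_files" version="1">
+<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+<unix:filename operation="pattern match">^.*$</unix:filename>
+<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
+<filter action="exclude">dir_perms_state_symlink</filter>
+</unix:file_object>
+
+<unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+<unix:gwrite datatype="boolean">true</unix:gwrite>
+<unix:owrite datatype="boolean">true</unix:owrite>
+</unix:file_state>
+
+<unix:file_state id="dir_perms_state_symlink" version="1">
+<unix:type operation="equals">symbolic link</unix:type>
+</unix:file_state>
+
+</def-group>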
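Review bot: The second object, `dir_object_file_permissions_lib_files`, uses `<unix:filename operation="pattern match">^.*$</unix:filename>`, so it collects every file under the library paths rather than only directories; a group- or world-writable regular file therefore fails this directory rule, yet both remediations in this commit are restricted to `-type d` and will never correct it, leaving the rule permanently failing on such a system. The first object (path pattern plus `xsi:nil` filename) already enumerates every matching directory, so the `dir_test_perms_lib_files` criterion, its test and its object can be dropped and the definition checks only what the rule title and its remediations describe. The metadata text also keeps the file rule's wording ("and objects therein"), which should be reduced to the directories this definition evaluates.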
57 changes: 57 additions & 0 deletions
57
...permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -0,0 +1,57 @@ | ||
documentation_complete: true | ||
|
||
title: |- | ||
{{% if product in ["sle15"] %}} | ||
The SUSE operating system library directories must have mode 0755 or less permissive. | ||
{{% else %}} | ||
Verify that Shared Library Directories Have Restrictive Permissions | ||
{{% endif %}} | ||
|
||
description: |- | ||
System-wide shared library directories, which contain are linked to executables | ||
during process load time or run time, are stored in the following directories | ||
by default: | ||
<pre>/lib | ||
/lib64 | ||
/usr/lib | ||
/usr/lib64 | ||
</pre> | ||
Kernel modules, which can be added to the kernel during runtime, are | ||
stored in <tt>/lib/modules</tt>. All sub-directories in these directories | ||
should not be group-writable or world-writable. If any file in these | ||
directories is found to be group-writable or world-writable, correct | ||
its permission with the following command: | ||
<pre>$ sudo chmod go-w <i>DIR</i></pre> | ||
rationale: |- | ||
If the SUSE operating system were to allow any user to make changes to software libraries, | ||
then those changes might be implemented without undergoing the appropriate testing | ||
and approvals that are part of a robust change management process. | ||
This requirement applies to SUSE operating systems with software libraries that are accessible | ||
and configurable, as in the case of interpreted languages. Software libraries also include | ||
privileged programs which execute with escalated privileges. Only qualified and authorized | ||
individuals must be allowed to obtain access to information system components for purposes | ||
of initiating changes, including upgrades and modifications. | ||
identifiers: | ||
cce@sle15: CCE-85753-2 | ||
|
||
severity: medium | ||
|
||
references: | ||
cci@sle15: CCI-001499 | ||
stigid@sle15: SLES-15-010352 | ||
|
||
ocil_clause: 'any of these files are group-writable or world-writable' | ||
|
||
ocil: |- | ||
Shared libraries are stored in the following directories: | ||
<pre>/lib | ||
/lib64 | ||
/usr/lib | ||
/usr/lib64 | ||
</pre> | ||
To find shared libraries that are group-writable or world-writable, | ||
run the following command for each directory <i>DIR</i> which contains shared libraries: | ||
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre> |
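Review bot: Several prose fields still describe the cloned file rule rather than directories: `ocil_clause: 'any of these files are group-writable or world-writable'` should read `ocil_clause: 'any of these directories are group-writable or world-writable'`, and the OCIL sentence "To find shared libraries that are group-writable or world-writable" should name shared library directories, since the command it gives uses `-type d`. The description's "which contain are linked to executables" is garbled text inherited from the source rule and is worth fixing while cloning. The OCIL command uses `find -L`, which follows symlinks, whereas the OVAL in this commit excludes symbolic links, so the manual and automated checks can disagree on a symlinked directory; one of the two should be aligned. Whether CCE-85753-2 is a fresh allocation or was carried over from file_permissions_library_dirs cannot be seen from this diff; each rule needs its own identifier.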
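--- a/.../permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/.../permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+done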
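Review bot: This pass scenario is byte-for-byte the bash remediation and sets up nothing of its own, so it only establishes that a remediated system passes, not that a default install does; a one-line header such as `# Pass: strip group/world write from every library directory so the check must pass` would record that intent for the next reader of the tests directory. If the goal is to also cover the untouched default state, a scenario that creates nothing and runs no chmod would be the stronger pass case.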
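--- a/...sions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.sh
+++ b/...sions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
+done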
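Review bot: The file name `owner_only_writable_dir.sh` carries neither the `.pass.sh` nor the `.fail.sh` suffix that `all_dirs_ok.pass.sh` in this commit has; if the test suite selects scenarios by that suffix, as the sibling name suggests, this scenario is never run. Since it creates `testme` directories with mode 700, it reads as a pass scenario and should be `owner_only_writable_dir.pass.sh`. The same applies to `world_writable_dir_on_lib.sh` and `world_writable_dir_on_usr_lib.sh`, which create mode-777 directories and look like `.fail.sh` scenarios.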
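--- a/...ons_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.sh
+++ b/...ons_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64"
+for dirPath in $DIRS; do
+mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
+done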
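--- a/...within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.sh
+++ b/...within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/test"
+done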
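Review bot: The chmod on the fourth line targets `"$dirPath/test"` while the directory just created is `"$dirPath/testme"`, so chmod fails on a non-existent path and no world-writable directory is ever created under /usr/lib or /usr/lib64; the scenario never produces the failing condition it is named for, and because the chmod is chained with `&&` the script also ends with a non-zero status. Change the line to `mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"`, matching world_writable_dir_on_lib.sh.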