bugfix: dir_perms_world_writable_root_owned: do not modify files under /proc

[maage]

Description:

At least under containerized env (podman) /proc can have files that are not modifiable even with root. This makes test or bash remediate fail.

Rationale:

This issue would be kernel regression and should be handled in another way.

Review Hints:

Probably should see how bash remediation survives.

[openshift-ci]

Hi @maage. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' differs.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
@@ -1,2 +1,4 @@
 
-find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
+# At least under containerized env /proc can have files w/o possilibity to
+# modify even as root. And touching /proc is not good idea anyways.
+find / -path /proc -prune -o -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' differs.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
@@ -32,7 +32,8 @@
 
 - name: Create empty list of excluded paths
 set_fact:
- excluded_paths: []
+ excluded_paths:
+ - /proc
 tags:
 - CCE-83375-6
 - DISA-STIG-RHEL-08-010700

[maage]

This fail is because containers do not have capability to load kernel modules, here knfsd and start nfs-server. Unrelated issue, see #10387

ERROR - Rule 'dir_perms_world_writable_root_owned' test setup script 'world_writable_dir_on_nonlocal_fs.fail.sh' failed with exit code 32

[marcusburghardt]

Could you also update the Ansible remediation to be aligned to the Bash, please?

[maage]

Could you also update the Ansible remediation to be aligned to the Bash, please?

Updated, but ansible remediation needs to be checked. My ansible remediation test in now broken due to unrelated changes.

Maybe I'm understanding something wrong, but in my view excludes: excluded_paths should be excludes: "{{{ excluded_paths }}}", these module fields are not like when and variants where format is jinja, here format is either str or list. And remediation checks should have failed, so I guess something is wrong with tests too.

Edit: added missing not

[codeclimate]

Code Climate has analyzed commit d7e90dc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

[Mab879]

@maage I'm looking into Ansible remediation. There is also issue with it on master.

[marcusburghardt]

Could you also update the Ansible remediation to be aligned to the Bash, please?

Updated, but ansible remediation needs to be checked. My ansible remediation test in now broken due to unrelated changes.

Maybe I'm understanding something wrong, but in my view excludes: excluded_paths should be excludes: "{{{ excluded_paths }}}", these module fields are not like when and variants where format is jinja, here format is either str or list. And remediation checks should have failed, so I guess something is wrong with tests too.

Edit: added missing not

The issue is that excludes option in the find module considers the basename only so it won't match /proc. I also found opportunities to improve performance in this Ansible Playbook and I would be happy to work on it.
@maage , could you remove the Ansible changes in this PR, please? Then we can merge it and I send a PR for the Ansible remediation write after the merge. Thanks.

[marcusburghardt]

There are some issues with the Ansible remediation but they are not related to the changes in this PR. In fact, the changes in this PR helped us to find the issues. The Ansible remediation needs to be refactored and I will propose a PR for this right after merging this.