[BugFix] [RHEL/6, RHEL/7, Fedora] Fix & simplify accounts_root_path_dirs_no_write OVAL check. Make it shared. #339

Conversation

@iankko iankko commented Nov 19, 2014

The current version of accounts_root_path_dirs_no_write OVAL check:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml

creates / generates a false-positive on a completely safe RHEL-6 system (when none of root's path directories has group or other write permission). The problem is the use of the any_exist check_existence clause:

Use of the any_exist clause will return true for 0, 1, or more objects with such a feature being present on the system. Since the tests' results are subsequently OR-ed, and then negated at the end:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml#L13

this means that this check will return fail as a result every time.

Example #1 - consider a completely safe system (none of root's path directories has write permission set for group or other) =>

  • test_accounts_root_path_dirs_no_write_group will return true (since zero such objects are present)
  • test_accounts_root_path_dirs_no_write_other will also return true (since, due to any_exist, again zero objects would meet the success)

OR-ing true and true gives true again. And finally negating true returns false (the check will return failure on a completely safe system).

Besides that:

  • that check is overly complex (two tests OR-ed & negated at the end are used where just one test could be enough) => this PR simplifies the implementation (ORs the permission states & requires no such object to exist on the system),
  • it is RHEL-6 specific => this PR makes it shared & usable from RHEL/7 & Fedora too.

Testing report:

The proposed change has been tested on all three of RHEL/6, RHEL/7 & Fedora & works fine (returns pass when pass is expected, returns failure when some of the directories have write permissions for either group or other [or both]).

Please review.

Thanks, Jan.
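The evaluation the PR description walks through, as an added example that is not part of the PR or of scap-security-guide's own OVAL content. It models an OVAL unix file_test as "collect root's PATH directories carrying the given write bit(s), then apply check_existence to the number collected", and puts the pre-PR shape (two any_exist tests OR-ed and negated) next to the post-PR shape (one test with the write bits ORed and none_exist). Directory modes are constructed sample data; live_modes() is an assumed helper that reads real modes with os.stat() and is not something the project provides.

```python
"""Model of the two OVAL test shapes discussed in the PR (example code,
not SSG's own). EXISTENCE maps OVAL's check_existence values to a predicate
on the number of collected items; any_exist is satisfied by zero items,
which is why the original definition can never pass."""
import os
import stat
from typing import Callable, Dict, List

# OVAL ExistenceEnumeration expressed as a predicate on the item count.
EXISTENCE: Dict[str, Callable[[int], bool]] = {
    "any_exist": lambda n: n >= 0,           # true for 0, 1 or more items
    "at_least_one_exists": lambda n: n >= 1,
    "none_exist": lambda n: n == 0,
    "only_one_exists": lambda n: n == 1,
}


def root_path_dirs(path_env: str) -> List[str]:
    """Split a PATH value into directories, dropping empty entries."""
    return [d for d in path_env.split(":") if d]


def file_test(modes: Dict[str, int], wanted_bits: int, check_existence: str) -> bool:
    """One file_test: collect dirs whose mode has any of wanted_bits set,
    then apply check_existence to how many were collected."""
    collected = [d for d, mode in modes.items() if mode & wanted_bits]
    return EXISTENCE[check_existence](len(collected))


def original_check(modes: Dict[str, int]) -> bool:
    """Pre-PR shape: two any_exist tests, OR-ed, then negated.
    Both tests are always true, so the whole definition is always false."""
    group_writable = file_test(modes, stat.S_IWGRP, "any_exist")
    other_writable = file_test(modes, stat.S_IWOTH, "any_exist")
    return not (group_writable or other_writable)


def fixed_check(modes: Dict[str, int]) -> bool:
    """Post-PR shape: one test whose state ORs the two write bits and
    requires that no such directory exists."""
    return file_test(modes, stat.S_IWGRP | stat.S_IWOTH, "none_exist")


def live_modes(path_env: str = os.environ.get("PATH", "")) -> Dict[str, int]:
    """Assumed helper: read real mode bits for the dirs in path_env,
    skipping entries that do not exist (OVAL would not collect them either)."""
    out: Dict[str, int] = {}
    for d in root_path_dirs(path_env):
        try:
            out[d] = os.stat(d).st_mode
        except FileNotFoundError:
            continue
    return out


# Constructed sample data: a clean root PATH and two unsafe variants.
SAFE = {"/usr/sbin": 0o40755, "/usr/bin": 0o40755, "/sbin": 0o40755,
        "/bin": 0o40755, "/root/bin": 0o40700}
GROUP_WRITABLE = {**SAFE, "/opt/tools/bin": 0o40775}
OTHER_WRITABLE = {**SAFE, "/tmp/bin": 0o40777}

if __name__ == "__main__":
    for name, modes in (("safe", SAFE), ("group-writable", GROUP_WRITABLE),
                        ("other-writable", OTHER_WRITABLE)):
        print(f"{name:15} original={original_check(modes)!s:5} "
              f"fixed={fixed_check(modes)}")
    print("live PATH       fixed=", fixed_check(live_modes()))
```

Running it shows the original shape reporting False for all three inputs, including the safe one, while the fixed shape reports True only for the safe PATH.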

@iankko iankko added RHEL6 RHEL Red Hat Enterprise Linux product related. Fedora Fedora product related. bugfix Fixes to reported bugs. enhancement General enhancements to the project. labels Nov 19, 2014
@iankko iankko added this to the 0.1.20 milestone Nov 19, 2014
redhatrises added a commit that referenced this pull request Nov 19, 2014
[BugFix] [RHEL/6, RHEL/7, Fedora] Fix & simplify accounts_root_path_dirs_no_write OVAL check. Make it shared.
@redhatrises redhatrises merged commit 26b31da into ComplianceAsCode:master Nov 19, 2014
@redhatrises
LGTM. Ack. Thanks!

iankko commented Nov 20, 2014

Thank you.

@iankko iankko deleted the accounts_root_path_dirs_no_write_fix branch November 21, 2014 15:10