[BugFix] [RHEL/6, RHEL/7, Fedora] Fix & simplify accounts_root_path_dirs_no_write OVAL check. Make it shared. #339
The current version of the `accounts_root_path_dirs_no_write` OVAL check: https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml
creates / generates a false positive on a completely safe RHEL-6 system (when none of root's path directories has group or other write permission). The problem is the use of the `any_exist` check_existence clause: use of the `any_exist` clause will return true for 0, 1, or more objects of such feature being present on the system. Since the tests' results are subsequently OR-ed, and negated at the end yet: https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml#L13
this means that this check will every time return `fail` as a result.

Example #1 - consider a completely safe system (none of root's path directories has write permission set for group or other) => `test_accounts_root_path_dirs_no_write_group` will return true (since zero such objects are present), `test_accounts_root_path_dirs_no_write_other` will also return true (since due to any_exist again zero objects would meet the success). OR-ing true and true gives true again. And finally negating true returns false (the check will return failure on a completely safe system).
Besides that:
Testing report:
The proposed change has been tested on all three of RHEL/6, RHEL/7 & Fedora & works fine (returns pass when pass is expected, returns failure when some of the directories have write permissions either for group or other [or both]).
Please review.
Thanks, Jan.
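The false positive described in this pull request follows directly from the OVAL `check_existence` semantics: `any_exist` is satisfied by zero or more collected items, so negating an OR of two such tests always yields false. The following is an added illustration, not code from scap-security-guide or from any OVAL interpreter; it models a test as "collect the root PATH directories with the offending permission bit, then apply `check_existence` to the item count", with constructed directory modes as input. The `at_least_one_exists` variant shown as the repaired form is one correct alternative to demonstrate the point and is an assumption of this example, not necessarily the exact change the pull request makes.

```python
"""Simplified model of OVAL test evaluation for accounts_root_path_dirs_no_write.

Added example: not code from scap-security-guide or the OVAL reference
implementation. The directory lists below are constructed sample data.
"""
from enum import Enum
import stat


class Existence(Enum):
    # Subset of OVAL's ExistenceEnumeration with its documented meaning.
    ANY_EXIST = "any_exist"                      # zero or more items exist: always true
    AT_LEAST_ONE_EXISTS = "at_least_one_exists"  # one or more items exist
    NONE_EXIST = "none_exist"                    # exactly zero items exist


def check_existence(mode: Existence, item_count: int) -> bool:
    """Evaluate a check_existence clause against the number of collected items."""
    if mode is Existence.ANY_EXIST:
        return item_count >= 0   # trivially true; this is the root of the false positive
    if mode is Existence.AT_LEAST_ONE_EXISTS:
        return item_count >= 1
    if mode is Existence.NONE_EXIST:
        return item_count == 0
    raise ValueError(f"unsupported existence mode: {mode}")


def collect_writable(path_dirs: dict, mask: int) -> list:
    """Model of object + state: root PATH directories whose mode has `mask` set."""
    return [d for d, mode in path_dirs.items() if mode & mask]


def evaluate_check(path_dirs: dict, mode: Existence, negate: bool) -> str:
    """criteria operator="OR" over the group and other tests, optionally negated.

    Returns the OVAL-style result string "pass" or "fail".
    """
    group_test = check_existence(mode, len(collect_writable(path_dirs, stat.S_IWGRP)))
    other_test = check_existence(mode, len(collect_writable(path_dirs, stat.S_IWOTH)))
    result = group_test or other_test
    if negate:
        result = not result
    return "pass" if result else "fail"


# Constructed sample systems: directory -> mode bits (not real filesystem data).
SAFE_SYSTEM = {"/sbin": 0o755, "/usr/sbin": 0o755, "/bin": 0o755}
UNSAFE_SYSTEM = {"/sbin": 0o755, "/usr/local/bin": 0o775, "/bin": 0o755}  # group-writable


def original_check(path_dirs: dict) -> str:
    """any_exist + negate, as in the check the pull request describes."""
    return evaluate_check(path_dirs, Existence.ANY_EXIST, negate=True)


def fixed_check(path_dirs: dict) -> str:
    """at_least_one_exists + negate (hypothetical repaired form for illustration):
    the negated OR is true only when no offending directory was collected."""
    return evaluate_check(path_dirs, Existence.AT_LEAST_ONE_EXISTS, negate=True)


if __name__ == "__main__":
    for name, system in (("safe", SAFE_SYSTEM), ("unsafe", UNSAFE_SYSTEM)):
        print(f"{name}: original={original_check(system)} fixed={fixed_check(system)}")
```

Running the block shows the original form returning `fail` for both the safe and the unsafe system, while the `at_least_one_exists` form distinguishes them. The same table-driven structure can be used to sanity-check any OVAL criterion that combines negation with `check_existence`, since the existence clause is evaluated on the item count before the state comparison, not after.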