New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SLES-15-10352 rule #6822
SLES-15-10352 rule #6822
Conversation
Can one of the admins verify this patch? |
1 similar comment
Can one of the admins verify this patch? |
Hi @teacup-on-rockingchair. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See inline comments
@@ -0,0 +1,18 @@ | |||
# platform = SUSE Linux Enterprise 15 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs to be multi_platform_sle not "SUSE Linux Enterprise 15"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the comment - should be ok in 86173c7
documentation_complete: true | ||
|
||
title: |- | ||
{{% if product in ["sle15"] %}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that the title should ever vary by distro.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks - removed that in 4e4ea53
<pre>$ sudo chmod go-w <i>DIR</i></pre> | ||
|
||
rationale: |- | ||
If the SUSE operating system were to allow any user to make changes to software libraries, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't think this should be SUSE specific.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks - removed that in 4e4ea53
<unix:filename operation="pattern match">^.*$</unix:filename> | ||
<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter> | ||
<filter action="exclude">dir_perms_state_symlink</filter> | ||
</unix:file_object> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the dir_object_file_permissions_lib_files and dir_object_file_permissions_lib_dir are doing the same thing. Am I missing something here? I guess from test name that one is for dirs and files, but test look there are the same and the rule is for dir's only so. I feel uncomfortable if the oval does something different than what is in the rule file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It probably needs to replace the unix:filename
with <unix:filename xsi:nil="true" />
. See how it's done in the file_permissions template
@@ -147,6 +147,7 @@ selections: | |||
- dconf_db_up_to_date | |||
- dconf_gnome_banner_enabled | |||
- dconf_gnome_login_banner_text | |||
- dir_permissions_library_dirs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a conflict on this file that should be addressed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rebased the branch so conflict should be resolved now in 07143f3
25576d5
to
86173c7
Compare
@openscap-ci ok to test |
Changes identified: Show detailsRule dir_permissions_library_dirs: Recommended tests to execute: |
<unix:file_object comment="library files" id="dir_object_file_permissions_lib_files" version="1"> | ||
<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) --> | ||
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> | ||
<unix:filename operation="pattern match">^.*$</unix:filename> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<unix:filename operation="pattern match">^.*$</unix:filename> | |
<unix:filename xsi:nil="true" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea of the rule dir_object_file_permissions_lib_files
was to match all files in the directories, as far as I understood <unix:filename xsi:nil="true" />
will match only the directories, which should have been done in dir_object_file_permissions_lib_dir
, so my point here is to match all files with dir_object_file_permissions_lib_files
and dirs and subdirs with dir_object_file_permissions_lib_dir
object. I guess once you are suggested changes I misunderstood something in the syntax. When I implemented it I had in mind the file_object description in the oval spec (https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/unix-definitions-schema.html), where it is stated that:
...
For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
This was my motivation but as far as I understand from your feedback it was wrong so you would suggest to change both rules <unix:filename xsi:nil="true" />
, but then I will not need both objects but only one would be enough - am I right
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have probably misread the comment from brett. If the idea is to check for all files in the directories then it is probably fine. I'm will go through the PR once again soon, please bear with me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on text from SLES-15-010351
, I understand that no files should be checked within this rule, I think that was my original concern.
The library files test should be covered by this rule already:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml#L43
My question is, do we really want to have the test dir_object_file_permissions_lib_files
in this rule?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ggbecker @teacup-on-rockingchair SLES-15-010352 the STIG for this PR is explicit in covering directories only "-type d", SLES-15-010351 is explicit in covering files "-type f" So, in this case the oval should only be handling directories. So, if I understand this correctly <unix:filename xsi:nil="true" /> is what is needed here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @brett060102 and @ggbecker , it seems I was totally confused on this one. Dropped completely the rule for files so now(252fa36) only dirs are checked by this one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
test cases need to end in either .fail.sh or .pass.sh so for example:
rename:
linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.sh
to
linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
same for owner_only_writable_dir.sh, world_writable_dir_on_lib.sh, world_writable_dir_on_lib.sh, world_writable_dir_on_usr_lib.sh
# platform = multi_platform_sle | ||
DIRS="/usr/lib /usr/lib64" | ||
for dirPath in $DIRS; do | ||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/test" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"$dirPath/test needs to be "$dirPath/testme
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx should be ok in 8851e58
Unfortunately, there is a conflict with the stig.profile file, can you resolve it? |
Clone implementation of file_permissions_library_dirs to dir_permissions_library_dirs
Thanks to @brett060102 for the feedback
Thanks to @brett060102 for pointing it out
Remove the dir_object_file_permissions_lib_files from dir_permissions_library_dirs, since this check is covered in separate rule. Thanks to @ggbecker and @brett060102 for the help on this 🙇
ed07741
to
421f33a
Compare
...em/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
Outdated
Show resolved
Hide resolved
…ortant_dirs/dir_permissions_library_dirs/rule.yml Thanx to @ggbecker for pointing this one Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for addressing all the requests. The next step is to remove the dirs checking from this rule: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml#L21
Description:
Rationale: