SLES-15-10352 rule #6822
SLES-15-10352 rule #6822
Conversation
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
|
Hi @teacup-on-rockingchair. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| @@ -0,0 +1,18 @@ | |||
| # platform = SUSE Linux Enterprise 15 | |||
There was a problem hiding this comment.
Needs to be multi_platform_sle not "SUSE Linux Enterprise 15"
There was a problem hiding this comment.
Thanks for the comment - should be ok in 86173c7
| documentation_complete: true | ||
|
|
||
| title: |- | ||
| {{% if product in ["sle15"] %}} |
There was a problem hiding this comment.
I don't think that the title should ever vary by distro.
There was a problem hiding this comment.
thanks - removed that in 4e4ea53
| <pre>$ sudo chmod go-w <i>DIR</i></pre> | ||
|
|
||
| rationale: |- | ||
| If the SUSE operating system were to allow any user to make changes to software libraries, |
There was a problem hiding this comment.
Don't think this should be SUSE specific.
There was a problem hiding this comment.
thanks - removed that in 4e4ea53
| <unix:filename operation="pattern match">^.*$</unix:filename> | ||
| <filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter> | ||
| <filter action="exclude">dir_perms_state_symlink</filter> | ||
| </unix:file_object> |
There was a problem hiding this comment.
It looks like the dir_object_file_permissions_lib_files and dir_object_file_permissions_lib_dir are doing the same thing. Am I missing something here? I guess from test name that one is for dirs and files, but test look there are the same and the rule is for dir's only so. I feel uncomfortable if the oval does something different than what is in the rule file.
There was a problem hiding this comment.
It probably needs to replace the unix:filename with <unix:filename xsi:nil="true" />. See how it's done in the file_permissions template
| @@ -147,6 +147,7 @@ selections: | |||
| - dconf_db_up_to_date | |||
| - dconf_gnome_banner_enabled | |||
| - dconf_gnome_login_banner_text | |||
| - dir_permissions_library_dirs | |||
There was a problem hiding this comment.
There is a conflict on this file that should be addressed.
There was a problem hiding this comment.
rebased the branch so conflict should be resolved now in 07143f3
teacup-on-rockingchair
force-pushed
the
suse_SLES-15-010352
branch
from
25576d5
to
86173c7
Compare
|
@openscap-ci ok to test |
|
Changes identified: Show detailsRule dir_permissions_library_dirs: Recommended tests to execute: |
| <unix:file_object comment="library files" id="dir_object_file_permissions_lib_files" version="1"> | ||
| <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) --> | ||
| <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> | ||
| <unix:filename operation="pattern match">^.*$</unix:filename> |
There was a problem hiding this comment.
| <unix:filename operation="pattern match">^.*$</unix:filename> | |
| <unix:filename xsi:nil="true" /> |
There was a problem hiding this comment.
The idea of the rule dir_object_file_permissions_lib_files was to match all files in the directories, as far as I understood <unix:filename xsi:nil="true" /> will match only the directories, which should have been done in dir_object_file_permissions_lib_dir, so my point here is to match all files with dir_object_file_permissions_lib_files and dirs and subdirs with dir_object_file_permissions_lib_dir object. I guess once you are suggested changes I misunderstood something in the syntax. When I implemented it I had in mind the file_object description in the oval spec (https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/unix-definitions-schema.html), where it is stated that:
...
For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
This was my motivation but as far as I understand from your feedback it was wrong so you would suggest to change both rules <unix:filename xsi:nil="true" />, but then I will not need both objects but only one would be enough - am I right
There was a problem hiding this comment.
I have probably misread the comment from brett. If the idea is to check for all files in the directories then it is probably fine. I'm will go through the PR once again soon, please bear with me.
There was a problem hiding this comment.
Based on text from SLES-15-010351, I understand that no files should be checked within this rule, I think that was my original concern.
The library files test should be covered by this rule already:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml#L43
My question is, do we really want to have the test dir_object_file_permissions_lib_files in this rule?
There was a problem hiding this comment.
@ggbecker @teacup-on-rockingchair SLES-15-010352 the STIG for this PR is explicit in covering directories only "-type d", SLES-15-010351 is explicit in covering files "-type f" So, in this case the oval should only be handling directories. So, if I understand this correctly <unix:filename xsi:nil="true" /> is what is needed here.
There was a problem hiding this comment.
Thanks @brett060102 and @ggbecker , it seems I was totally confused on this one. Dropped completely the rule for files so now(252fa36) only dirs are checked by this one.
There was a problem hiding this comment.
test cases need to end in either .fail.sh or .pass.sh so for example:
rename:
linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.sh
to
linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
same for owner_only_writable_dir.sh, world_writable_dir_on_lib.sh, world_writable_dir_on_lib.sh, world_writable_dir_on_usr_lib.sh
| # platform = multi_platform_sle | ||
| DIRS="/usr/lib /usr/lib64" | ||
| for dirPath in $DIRS; do | ||
| mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/test" |
There was a problem hiding this comment.
"$dirPath/test needs to be "$dirPath/testme
There was a problem hiding this comment.
Thx should be ok in 8851e58
|
Unfortunately, there is a conflict with the stig.profile file, can you resolve it? |
Clone implementation of file_permissions_library_dirs to dir_permissions_library_dirs
Thanks to @brett060102 for the feedback
Thanks to @brett060102 for pointing it out
Remove the dir_object_file_permissions_lib_files from dir_permissions_library_dirs, since this check is covered in separate rule. Thanks to @ggbecker and @brett060102 for the help on this 🙇
teacup-on-rockingchair
force-pushed
the
suse_SLES-15-010352
branch
from
ed07741
to
421f33a
Compare
...em/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
Outdated
Show resolved
Hide resolved
…ortant_dirs/dir_permissions_library_dirs/rule.yml Thanx to @ggbecker for pointing this one Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
There was a problem hiding this comment.
LGTM. Thanks for addressing all the requests. The next step is to remove the dirs checking from this rule: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml#L21
Description:
Rationale: