System commands dir root or system account #9258
The rule shall accept GIDs < 1000 as compliant.
Update rule file_groupownership_system_commands_dirs to fail if any system command has GID equal to or greater than 1000.
Code Climate has analyzed commit 8def53e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@yuumasato: The following tests failed, say
<unix:file_state id="state_groupowner_system_commands_dirs_not_root" version="1"> | ||
<unix:group_id datatype="int" operation="not equal">0</unix:group_id> | ||
<unix:file_state id="state_groupowner_system_commands_dirs_not_root_or_system_account" version="1"> | ||
<unix:group_id datatype="int" operation="greater than or equal">1000</unix:group_id> |
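Review bot: The literal 1000 in the unix:group_id element of state_groupowner_system_commands_dirs_not_root_or_system_account hardcodes the boundary between system and regular groups, so the check misclassifies directories on any system where the minimum regular GID is configured to a different value. Consider taking the threshold from a variable instead of the literal, keeping the "greater than or equal" operation. The state id also changes from state_groupowner_system_commands_dirs_not_root, so confirm that every reference to the old id elsewhere in the file is updated; none is visible in these lines.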
We should use the `gid_min`, like in this rule:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml#L21
Description:
Rationale: