System commands dir root or system account #9258

yuumasato

Description:

  • Update OVAL check to fail if a file with GIDs greater than or equal to 1000 is found.
    • System accounts can group own files in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin and /usr/local/sbin.

Rationale:

The rule shall accept GIDs < 1000 as compliant.
Update rule file_groupownership_system_commands_dirs to fail if any system
command has GID equal to or greater than 1000.
@yuumasato yuumasato added the Update Rule, RHEL8 and STIG labels Jul 28, 2022
@yuumasato yuumasato requested a review from Mab879 July 28, 2022 15:19
@yuumasato yuumasato added this to the 0.1.63 milestone Jul 28, 2022
@Mab879 Mab879 self-assigned this Jul 28, 2022
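
The check described in the pull request above can be reproduced by hand on a host. The following is an added example, not code from this pull request or from the ComplianceAsCode project: the function name, the threshold argument and the choice to inspect only regular files without following symlinked entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list files in the system command directories whose group
# owner is at or above a GID threshold (1000 in the pull request).

# Directories named in the pull request description.
SYSTEM_COMMAND_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# find_nonsystem_group_files THRESHOLD DIR...
# Prints one path per offending regular file.
# Returns 0 when nothing is found (compliant), 1 otherwise.
find_nonsystem_group_files() {
    threshold=$1
    shift
    hits=$(
        for dir in "$@"; do
            # Skip directories that do not exist on this host.
            [ -d "$dir" ] || continue
            # The trailing slash makes find descend into a directory that is
            # itself a symlink (for example /bin -> usr/bin).
            # "-gid N" matches GID == N, "-gid +N" matches GID > N.
            find "$dir/" -type f \
                \( -gid "$threshold" -o -gid "+$threshold" \) -print 2>/dev/null
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    # Word splitting of the directory list is intentional here.
    # shellcheck disable=SC2086
    find_nonsystem_group_files 1000 $SYSTEM_COMMAND_DIRS
    exit $?
fi
```

Run with `--audit` to scan the six directories with the threshold of 1000; a non-zero exit status means at least one file would make the rule fail.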
@codeclimate
codeclimate bot commented Jul 28, 2022

Code Climate has analyzed commit 8def53e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

View more on Code Climate.

@openshift-ci
openshift-ci bot commented Jul 28, 2022

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-rhcos4-high | 8def53e | link | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-rhcos4-moderate | 8def53e | link | true | /test e2e-aws-rhcos4-moderate |

@Mab879 Mab879 merged commit d16aad1 into ComplianceAsCode:master Jul 28, 2022
@yuumasato yuumasato deleted the system_commands_dir_root_or_system_account branch July 28, 2022 20:02
<unix:file_state id="state_groupowner_system_commands_dirs_not_root" version="1">
<unix:group_id datatype="int" operation="not equal">0</unix:group_id>
<unix:file_state id="state_groupowner_system_commands_dirs_not_root_or_system_account" version="1">
<unix:group_id datatype="int" operation="greater than or equal">1000</unix:group_id>
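Review bot: The literal 1000 in the added `unix:group_id` line with `operation="greater than or equal"` is hard-coded, so the boundary between system and regular group IDs is fixed in the check itself. State that boundary in the rule's description as well, so the text matches what the check enforces, or take the value from a variable if the project has one for it. Also, the state id changes from `state_groupowner_system_commands_dirs_not_root` to `state_groupowner_system_commands_dirs_not_root_or_system_account`; the reference to this state is not visible in these lines, so please confirm it was renamed in the same change.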
Successfully merging this pull request may close these issues.

Rule file_groupownership_system_commands_dirs fails when postfix is installed