Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new templated rules for System.map files #11640

Merged
merged 8 commits into from
Mar 6, 2024

Conversation

marcusburghardt
Copy link
Member

Description:

There was the file_permissions_systemmap rule but it didn't have remediation or test scenarios.
Following the standard for other similar files, it was ensured three specific templated rules to deal with files permissions, ownership and group-ownership:

  • file_groupowner_systemmap
  • file_owner_systemmap
  • file_permissions_systemmap

These three rules also allow us to change the status of ANSSI R29 from partial to automated.

Rationale:

More granular rules for System.map files
Better alignment with ANSSI.

Review Hints:

Since these are templated rules, automatus tests should be enough.

Updated rule description and used the file_permissions template.
The file_permissions_systemmap rule is using the file_permissions
template, which can't safely manage test scenarios with regex.
Rules related to System.map files are now complete.
The file_permissions_systemmap rule was also removed from the "default"
profile for RHEL products since it is now included in ANSSI control file.
@marcusburghardt marcusburghardt added New Rule Issues or pull requests related to new Rules. ANSSI ANSSI Benchmark related. labels Mar 1, 2024
@marcusburghardt marcusburghardt added this to the 0.1.73 milestone Mar 1, 2024
@marcusburghardt marcusburghardt requested a review from a team as a code owner March 1, 2024 13:02
Copy link

github-actions bot commented Mar 1, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

github-actions bot commented Mar 1, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -1,17 +1,23 @@
 
 [title]:
-Verify that local System.map file (if exists) is readable only by root
+Verify Permissions on System.map Files
 
 [description]:
-Files containing sensitive informations should be protected by restrictive
-  permissions. Most of the time, there is no need that these files need to be read by any non-root user
+The System.map files are symbol map files generated during the compilation of the Linux
+kernel. They contain the mapping between kernel symbols and their corresponding memory
+addresses. In general, there is no need for non-root users to read these files.
 
-To properly set the permissions of /boot/System.map-*, run the command:
-$ sudo chmod 0600 /boot/System.map-*
+
+To properly set the permissions of /boot/System.map*, run the command:
+$ sudo chmod 0600 /boot/System.map*
+
+[reference]:
+R29
 
 [rationale]:
-The System.map file contains information about kernel symbols and
-  can give some hints to generate local exploitation.
+The purpose of System.map files is primarily for debugging and profiling the kernel.
+Unrestricted access to these files might disclose information useful to attackers and
+malicious software leading to more sophisticated exploitation.
 
 [ident]:
 CCE-82892-1

OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- oval:ssg-file_permissions_systemmap:def:1
+++ oval:ssg-file_permissions_systemmap:def:1
@@ -1,2 +1,2 @@
 criteria AND
-criterion oval:ssg-test_permissions_systemmap_files:tst:1
+criterion oval:ssg-test_file_permissions_systemmap_0:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the permissions of /boot/Sysem.map-*,
+To check the permissions of /boot/System.map*,
 run the command:
-$ ls -l /boot/Sysem.map-*
+$ ls -l /boot/System.map*
 If properly configured, the output should indicate the following permissions:
 -rw-------
-      Is it the case that ?
+      Is it the case that /boot/System.map* does not have unix mode -rw-------?
       
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.

Copy link

github-actions bot commented Mar 1, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11640

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11640

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11640 make deploy-local

@marcusburghardt
Copy link
Member Author

I observed that there is no /boot directory in CS8 container. This is likely the reason Automatus CS8 test is failing. I believe it can be waived here.

@jan-cerny jan-cerny self-assigned this Mar 1, 2024
Copy link
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have run them locally and they have passed. Also, I have reviewed the code.

jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1604/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1609/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK

Co-authored-by: Jan Černý <jcerny@redhat.com>
Copy link

codeclimate bot commented Mar 1, 2024

Code Climate has analyzed commit 87e45d2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

@jan-cerny
Copy link
Collaborator

/retest

@jan-cerny jan-cerny merged commit d08e8ce into ComplianceAsCode:master Mar 6, 2024
43 of 44 checks passed
@marcusburghardt marcusburghardt deleted the systemmap_files branch March 6, 2024 13:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ANSSI ANSSI Benchmark related. New Rule Issues or pull requests related to new Rules.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants