Add new rule dir_perms_world_writable_system_owned_group. #6421
Conversation
Changes identified: Rule dir_perms_world_writable_system_owned. Recommended tests to execute:
@openscap-ci test this please
CCE needs to be updated.
Change old STIG reference ID from dir_perms_world_writable_system_owned because this rule actually checks for UID and not the GID as it was expected.
Force-pushed from e1e3a79 to c113117.
@openscap-ci test this please
Looks good to me.
@ggbecker I'll leave it up to you to consider my nitpick or not :)
<unix:filename xsi:nil="true" />
<filter action="include">state_gid_is_user_and_world_writable</filter>
</unix:file_object>
<unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
Nitpick: auid should probably be uid_min.
At the moment, by default, auid is set to uid_min when not explicitly defined.
If one would want to customize the starting range of audited users (auid), this rule would change behavior too (I admit I haven't heard of such a use case).
I'm not sure exactly what to decide.
Do you think that the same applies here? https://github.com/ComplianceAsCode/content/pull/6421/files/c11311736558613b13ae051a2908c31eee0b6a43#diff-a840b889a179d9be9756693119366b0e213700be3da9341baa6b5644905f1eccR18
Yes.
<unix:object object_ref="all_local_directories" />
<unix:state state_ref="state_gid_is_user_and_world_writable" />
<unix:object object_ref="all_local_directories_uid" />
<unix:state state_ref="state_uid_is_user_and_world_writable" />
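Review bot: the object naming in these two tests is asymmetric, which makes it easy to wire a state to the wrong object: the gid state state_gid_is_user_and_world_writable is paired with the unsuffixed object all_local_directories, while the uid state state_uid_is_user_and_world_writable is paired with all_local_directories_uid. Consider renaming the gid object to a suffixed name such as all_local_directories_gid so that each test's object_ref and state_ref visibly belong to the same check.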
Another good finding! :)
;)
Description:
Add new rule dir_perms_world_writable_system_owned_group. Change old STIG reference ID from dir_perms_world_writable_system_owned because this rule actually checks for UID and not the GID as it was expected.
Rationale:
There is a new requirement and I believe there was confusion before in our rule, which was supposed to check the group owner (gid) but was checking the user owner (uid). This pull request addresses this confusion as well.
Group owner: https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-09-03/finding/V-204487
User owner: https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-09-03/finding/V-228563
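The uid-versus-gid distinction the rationale describes, as an added example that is not part of this pull request or of the ComplianceAsCode project: a small scanner that evaluates both checks side by side, so a world-writable directory owned by a system user but a non-system group shows up under the new group rule only. It assumes uid_min is 1000 (the usual login.defs value; the thread notes auid defaults to it) and uses constructed stat records as sample input.

```python
import os
import stat
from dataclasses import dataclass

UID_MIN = 1000  # assumption: UID_MIN from /etc/login.defs; auid defaults to this

RULE_UID = "dir_perms_world_writable_system_owned"        # checks owner UID
RULE_GID = "dir_perms_world_writable_system_owned_group"  # checks owner GID


@dataclass(frozen=True)
class DirInfo:
    path: str
    mode: int  # st_mode, including the S_IFDIR file-type bits
    uid: int
    gid: int


def is_world_writable_dir(d: DirInfo) -> bool:
    return stat.S_ISDIR(d.mode) and bool(d.mode & stat.S_IWOTH)


def fails_uid_rule(d: DirInfo, uid_min: int = UID_MIN) -> bool:
    """Owner UID at or above uid_min (not a system account) and world-writable."""
    return is_world_writable_dir(d) and d.uid >= uid_min


def fails_gid_rule(d: DirInfo, uid_min: int = UID_MIN) -> bool:
    """Owner GID at or above uid_min (not a system group) and world-writable."""
    return is_world_writable_dir(d) and d.gid >= uid_min


def classify(dirs, uid_min: int = UID_MIN) -> dict:
    """Map each failing path to the set of rule names it violates."""
    findings = {}
    for d in dirs:
        failing = {name for name, check in ((RULE_UID, fails_uid_rule),
                                            (RULE_GID, fails_gid_rule))
                   if check(d, uid_min)}
        if failing:
            findings[d.path] = failing
    return findings


def scan(root: str, uid_min: int = UID_MIN) -> dict:
    """Walk a real tree with lstat (no symlink following) and classify it."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            found.append(DirInfo(p, st.st_mode, st.st_uid, st.st_gid))
    return classify(found, uid_min)


# Constructed sample records (not taken from any real host).
SAMPLE = [
    DirInfo("/tmp", stat.S_IFDIR | 0o1777, 0, 0),          # root:root, passes both
    DirInfo("/srv/shared", stat.S_IFDIR | 0o777, 0, 1001),  # root:users, gid rule only
    DirInfo("/srv/drop", stat.S_IFDIR | 0o777, 1001, 0),    # user:root, uid rule only
    DirInfo("/home/u/pub", stat.S_IFDIR | 0o777, 1001, 1001),  # fails both
    DirInfo("/home/u/priv", stat.S_IFDIR | 0o755, 1001, 1001),  # not world-writable
]
```

Run scan("/") as root to apply the same classification to a live filesystem; the constructed SAMPLE shows the case the old rule missed, /srv/shared, which only the group rule reports.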