
Add new rule dir_perms_world_writable_system_owned_group. #6421

Conversation

ggbecker
Member

Description:

  • Add new rule dir_perms_world_writable_system_owned_group.

  • Change old STIG reference ID from dir_perms_world_writable_system_owned
    because this rule actually checks for UID and not the GID as it was
    expected.

Rationale:

@openscap-ci
Collaborator

openscap-ci commented Nov 25, 2020

Changes identified:
Rules:
 dir_perms_world_writable_system_owned
 dir_perms_world_writable_system_owned_group
Profiles:
 stig on rhel7

Show details

Rule dir_perms_world_writable_system_owned:
 Attribute value changed in OVAL check.
 Text changed in OVAL check.
Rule dir_perms_world_writable_system_owned_group:
 OVAL check is newly added.
Profile stig on rhel7:
 Rule dir_perms_world_writable_system_owned_group added to stig profile.

Recommended tests to execute:
 build_product rhel7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml dir_perms_world_writable_system_owned
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml dir_perms_world_writable_system_owned_group
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel7-ds.xml stig

@redhatrises
Contributor

@openscap-ci test this please

@redhatrises
Contributor

CCE needs to be updated.

Change old STIG reference ID from dir_perms_world_writable_system_owned
because this rule actually checks for UID and not the GID as it was
expected.
@ggbecker ggbecker force-pushed the add-dir_perms_world_writable_system_owned_group branch from e1e3a79 to c113117 on November 26, 2020 17:11
@ggbecker
Member Author

CCE needs to be updated.

Done by force pushing

@ggbecker
Member Author

@openscap-ci test this please

@yuumasato yuumasato self-assigned this Nov 27, 2020
Member

@yuumasato yuumasato left a comment


Looks good to me.
@ggbecker I'll leave it up to you to consider my nitpick or not :)

<unix:filename xsi:nil="true" />
<filter action="include">state_gid_is_user_and_world_writable</filter>
</unix:file_object>
<unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
Member


Nitpick: auid should probably be uid_min.

At the moment, by default, auid is set to uid_min when not explicitly defined.
If one would want to customize the starting range of audited users (auid), this rule would change behavior too (I admit I haven't heard of such a use case).

Member Author


Member


Yes.

<unix:object object_ref="all_local_directories" />
<unix:state state_ref="state_gid_is_user_and_world_writable" />
<unix:object object_ref="all_local_directories_uid" />
<unix:state state_ref="state_uid_is_user_and_world_writable" />
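Review bot: the uid variant's references, `<unix:object object_ref="all_local_directories_uid" />` and `<unix:state state_ref="state_uid_is_user_and_world_writable" />`, must match object and state ids defined in the same OVAL file; the fragment only shows the references, so confirm the corresponding definitions were renamed together, and that the gid-based pair (`all_local_directories` / `state_gid_is_user_and_world_writable`) remains only in the new dir_perms_world_writable_system_owned_group rule, since the description says the old rule checks UID, not GID.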
Member


Another good finding! :)

Member Author


;)
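The two checks discussed in this thread, as an added example that is not the project's OVAL or test code: a world-writable directory is a finding for the UID rule when its owner is not a system account, and for the new _group rule when its group id is not a system group, using uid_min (the reviewer's suggested threshold) read from a login.defs-style file. The entry names and sample data are constructed for illustration.

```python
import os
import stat
from typing import Iterable, NamedTuple

DEFAULT_UID_MIN = 1000  # assumed fallback when login.defs has no UID_MIN


class DirEntry(NamedTuple):
    path: str
    mode: int  # st_mode, includes the file-type bits
    uid: int
    gid: int


def parse_uid_min(login_defs_text: str, default: int = DEFAULT_UID_MIN) -> int:
    """Return UID_MIN from login.defs-style text, ignoring comments and blanks."""
    for line in login_defs_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "UID_MIN":
            return int(parts[1])
    return default


def _world_writable_dir(e: DirEntry) -> bool:
    return stat.S_ISDIR(e.mode) and bool(e.mode & stat.S_IWOTH)


def violates_uid_rule(e: DirEntry, uid_min: int) -> bool:
    """dir_perms_world_writable_system_owned: owner uid is a regular (non-system) user."""
    return _world_writable_dir(e) and e.uid >= uid_min


def violates_gid_rule(e: DirEntry, uid_min: int) -> bool:
    """..._group: gid >= uid_min and world writable, mirroring the OVAL state in the review."""
    return _world_writable_dir(e) and e.gid >= uid_min


def find_violations(entries: Iterable[DirEntry], uid_min: int) -> dict:
    entries = list(entries)
    return {
        "uid": [e.path for e in entries if violates_uid_rule(e, uid_min)],
        "gid": [e.path for e in entries if violates_gid_rule(e, uid_min)],
    }


def walk_directories(root: str) -> Iterable[DirEntry]:
    """Yield DirEntry for every directory under root (symlinks are not followed)."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if not stat.S_ISLNK(st.st_mode):
                yield DirEntry(path, st.st_mode, st.st_uid, st.st_gid)


# Constructed sample input (not real system data).
SAMPLE_LOGIN_DEFS = "# constructed\nUID_MIN 1000\nUID_MAX 60000\n"
SAMPLE_ENTRIES = [
    DirEntry("/tmp", 0o041777, 0, 0),                # root:root, sticky: no finding
    DirEntry("/srv/share", 0o040777, 0, 1001),       # root-owned, user group: gid finding
    DirEntry("/home/alice/pub", 0o040777, 1001, 1001),  # user-owned and user group: both
    DirEntry("/var/app", 0o040775, 1001, 1001),      # not world writable: no finding
]

if __name__ == "__main__":
    print(find_violations(SAMPLE_ENTRIES, parse_uid_min(SAMPLE_LOGIN_DEFS)))
```

For a live scan, replace SAMPLE_ENTRIES with walk_directories("/") and read /etc/login.defs into parse_uid_min.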

@redhatrises redhatrises merged commit a1d4167 into ComplianceAsCode:master Dec 1, 2020
@marcusburghardt marcusburghardt added RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related. labels Jun 23, 2022