Create new rules for ANSSI R39 #6495
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
The new rules are created in ComplianceAsCode#6495
|
Changes identified: Show detailsRule enable_pam_namespace: |
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
The rules look good and the test scenarios pass, but I think you forgot to enable the SELinux boolean polyinstantiation_enabled=1.
Without it the polyinstantiation didn't work, and no other user than root was able to login.
Nitick: please ensure the files have a newline at the end.
|
I'm confused why create the inst directory in /var/tmp under /var/tmp while you create the inst directory for /tmp under / (which may be a different partition) ? |
|
That's a good point. I guess it would be safer (in terms of partition capacity) to have the instance in |
|
I'm guessing because /tmp is wiped on reboot (whereas /var/tmp is not) this can cause an issue as the inst directory would have to be recreated on restart. |
|
@jan-cerny: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| @@ -4,6 +4,7 @@ | |||
| <criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories"> | |||
| <criterion comment="Check that /tmp-inst exists and has mode 000" test_ref="test_tmp_inst" /> | |||
| <criterion comment="Check configuration of /tmp in /etc/security/namespace.conf file" test_ref="test_tmp_in_namespace_conf" /> | |||
| <criterion comment="Check SELinux boolean polyinstantiation_enabled is enabled" test_ref="test_accounts_polyinstantiated_tmp_sebool" /> | |||
There was a problem hiding this comment.
Should the check and remediation for sebool polyinstantiation_enabled be present in multiple rules?
It makes more sense embed it on enable_pam_namespace.
It could also become a rule of its own.
There was a problem hiding this comment.
Yes, but we already have a rule for this selinux boolean, it's a templated rule, its ID is sebool_polyinstantiation_enabled https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml. But we're adding this rule to the profile.
I like the idea about embedding the enable_pam_namespace, but I would even go firther and merge the check from enable_pam_namespace into accounts_polyinstantiated_tmp and accounts_polyinstantiated_var_tmp.
What is your advise?
There was a problem hiding this comment.
Oh, I missed that a rule for sebool polyinstantiaion_enabled already existed, and it uses an XCCDF Value for the value.
In this case, just selecting it in the profile with the appropriate value should do, right?
There was a problem hiding this comment.
Sorry for the confusion and extra work.
There was a problem hiding this comment.
It should be enough when the profile selects all 4 rules.
@jan-cerny What do you think of the suggestion to create the instance dir in |
The new rules are created in ComplianceAsCode#6495
The new rules are created in ComplianceAsCode#6495
The new rules are created in ComplianceAsCode#6495
|
@jan-cerny: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Description:
ANSSI R39: Temporary directories dedicated to each account
Each user or service account must have its own temporary directory and dispose of it exclusively.
We can satisfy this requirement by setting up the temporary directories as polyinstantiated, according to https://access.redhat.com/blogs/766093/posts/3169121.
This PR adds new rules that check for the configuration changes.