Create new rules for ANSSI R39 #6495
Skipping CI for Draft Pull Request.
The new rules are created in ComplianceAsCode#6495
Changes identified: Rule enable_pam_namespace:
The rules look good and the test scenarios pass, but I think you forgot to enable the SELinux boolean polyinstantiation_enabled=1. Without it the polyinstantiation didn't work, and no other user than root was able to log in.
Nitpick: please ensure the files have a newline at the end.
I'm confused: why create the inst directory for /var/tmp under /var/tmp, while you create the inst directory for /tmp under / (which may be a different partition)?
That's a good point. I guess it would be safer (in terms of partition capacity) to have the instance in
I'm guessing because /tmp is wiped on reboot (whereas /var/tmp is not) this can cause an issue as the inst directory would have to be recreated on restart.
@jan-cerny: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@@ -4,6 +4,7 @@ | |||
<criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories"> | |||
<criterion comment="Check that /tmp-inst exists and has mode 000" test_ref="test_tmp_inst" /> | |||
<criterion comment="Check configuration of /tmp in /etc/security/namespace.conf file" test_ref="test_tmp_in_namespace_conf" /> | |||
<criterion comment="Check SELinux boolean polyinstantiation_enabled is enabled" test_ref="test_accounts_polyinstantiated_tmp_sebool" /> |
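Review bot: the new criterion with test_ref="test_accounts_polyinstantiated_tmp_sebool" duplicates an SELinux boolean check that the thread later identifies as already having its own templated rule (sebool_polyinstantiation_enabled); prefer selecting that rule in the profile and keeping this definition to the /tmp-inst and namespace.conf criteria, so the boolean is not checked and remediated in several rules. If the criterion stays, make sure a test with id test_accounts_polyinstantiated_tmp_sebool is actually defined in this OVAL file, otherwise the definition will not validate.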
Should the check and remediation for sebool polyinstantiation_enabled be present in multiple rules? It makes more sense to embed it in enable_pam_namespace. It could also become a rule of its own.
Yes, but we already have a rule for this SELinux boolean; it's a templated rule, its ID is sebool_polyinstantiation_enabled https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml. But we're adding this rule to the profile.
I like the idea about embedding the enable_pam_namespace, but I would even go further and merge the check from enable_pam_namespace into accounts_polyinstantiated_tmp and accounts_polyinstantiated_var_tmp.
What is your advice?
Oh, I missed that a rule for sebool polyinstantiation_enabled already existed, and it uses an XCCDF Value for the value. In this case, just selecting it in the profile with the appropriate value should do, right?
Sorry for the confusion and extra work.
It should be enough when the profile selects all 4 rules.
@jan-cerny What do you think of the suggestion to create the instance dir in
LGTM, thank you, @jan-cerny :)
Description:
ANSSI R39: Temporary directories dedicated to each account
Each user or service account must have its own temporary directory and dispose of it exclusively.
We can satisfy this requirement by setting up the temporary directories as polyinstantiated, according to https://access.redhat.com/blogs/766093/posts/3169121.
This PR adds new rules that check for the configuration changes.
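The thread above discusses four settings that together make /tmp and /var/tmp polyinstantiated: the instance directories with mode 000, the polydir lines in /etc/security/namespace.conf, pam_namespace.so enabled as a PAM session module, and the SELinux boolean polyinstantiation_enabled. The following POSIX sh checker is an added example, not the project's own OVAL or Bash content; the function names, the `--system` switch and the constructed sample config lines are assumptions, and the getsebool output is passed in as a string so the logic can be exercised on a host without SELinux. The /var/tmp/tmp-inst location follows the layout debated in the thread and the Red Hat article linked in the description.

```shell
#!/bin/sh
# Added example (hypothetical helper, not ComplianceAsCode content): check the
# settings that back ANSSI R39 polyinstantiated temporary directories.

# 1. Instance directory: must exist and have mode 000, matching the OVAL
#    criterion "Check that /tmp-inst exists and has mode 000".
inst_dir_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # -prune stops find from descending; -perm 000 matches only an exact 000 mode.
    find "$dir" -prune -perm 000 -print 2>/dev/null | grep -q .
}

# 2. /etc/security/namespace.conf: a line "polydir instance_prefix method uids"
#    for the given polydir (the method may carry flags, e.g. level:create).
namespace_conf_has() {
    polydir="$1"; conf="$2"
    grep -Eq "^[[:space:]]*${polydir}[[:space:]]+[^[:space:]]+[[:space:]]+(user|context|level|tmpdir|tmpfs)" "$conf"
}

# 3. PAM: pam_namespace.so must be configured as a session module
#    (a leading "-" marks the optional-if-missing form of a PAM line).
pam_namespace_enabled() {
    pamfile="$1"
    grep -Eq '^[[:space:]]*-?session[[:space:]]+(required|requisite|optional)[[:space:]]+pam_namespace\.so' "$pamfile"
}

# 4. SELinux: parse the output of `getsebool polyinstantiation_enabled`,
#    which looks like "polyinstantiation_enabled --> on".
sebool_polyinstantiation_on() {
    case "$1" in
        *"polyinstantiation_enabled --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the checks: one FAIL line per failing item, return 0 only if all pass.
check_r39() {
    conf="$1"; pamfile="$2"; tmp_inst="$3"; var_tmp_inst="$4"; sebool_line="$5"
    rc=0
    inst_dir_ok "$tmp_inst"             || { echo "FAIL: $tmp_inst missing or not mode 000"; rc=1; }
    inst_dir_ok "$var_tmp_inst"         || { echo "FAIL: $var_tmp_inst missing or not mode 000"; rc=1; }
    namespace_conf_has /tmp "$conf"     || { echo "FAIL: no /tmp polydir entry in $conf"; rc=1; }
    namespace_conf_has /var/tmp "$conf" || { echo "FAIL: no /var/tmp polydir entry in $conf"; rc=1; }
    pam_namespace_enabled "$pamfile"    || { echo "FAIL: pam_namespace.so not enabled in $pamfile"; rc=1; }
    sebool_polyinstantiation_on "$sebool_line" \
        || { echo "FAIL: SELinux boolean polyinstantiation_enabled is not on"; rc=1; }
    return "$rc"
}

# Run against the live system only when asked explicitly:  sh check_r39.sh --system
if [ "${1:-}" = "--system" ]; then
    check_r39 /etc/security/namespace.conf /etc/pam.d/login /tmp-inst /var/tmp/tmp-inst \
        "$(getsebool polyinstantiation_enabled 2>/dev/null)"
fi
```

Each function takes its inputs as parameters, so the same logic can be pointed at a test fixture (a throwaway directory with constructed namespace.conf and PAM files) or at the real paths; the SELinux check is the one that cannot be faked on disk, which is why the reviewer's observation that login breaks without the boolean is worth a dedicated check rather than an assumption.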