From a8961759c89d6ac29ba80e73fa105271d0af63c8 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 22 Mar 2022 14:31:57 +0100
Subject: [PATCH 01/12] Prevent breaking file names if they have spaces

---
 shared/templates/file_groupowner/bash.template | 2 +-
 shared/templates/file_owner/bash.template | 2 +-
 shared/templates/file_permissions/bash.template | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 982d2f3c6a61..3f6b22b625c3 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp {{{ FILEGID }}} $file
+ chgrp {{{ FILEGID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 27b5a2addbf7..6f859d1f34ac 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown {{{ FILEUID }}} $file
+ chown {{{ FILEUID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index e0d8fe95c4f0..5a6929163b1a 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chmod {{{ FILEMODE }}} $file
+ chmod {{{ FILEMODE }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
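Review bot: The `if basename $file | grep -qE ...` line directly above the changed `chgrp` still expands `$file` unquoted, so a path with spaces is split into several `basename` arguments and the regex is tested against the wrong string; it needs the same treatment: `if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then`. The `readarray -t files < <(find {{{ path }}})` line is newline-delimited, so a file name containing a newline becomes two bogus entries; `find {{{ path }}} -print0` read with `readarray -d '' -t files` (bash 4.4+) closes that gap. The file_owner and file_permissions hunks in this commit carry the same two lines.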
From 5af298b1b44ac3fa2b1485cbf3966350959ee2a0 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 22 Mar 2022 18:37:32 +0100
Subject: [PATCH 02/12] Add test to check file permissions within dirs

Add test to check if OVAL is verifying ownership of files in directories deeper into the library dirs tree.
---
 .../tests/incorrect_owner_within_dir.fail.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
new file mode 100644
index 000000000000..b6f1634368cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/dir/"
+
+mkdir $TESTDIR
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me

From 21ef824369b12e555907f54d2fb5cd2a6c5addbb Mon Sep 17 00:00:00 2001
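Review bot: `mkdir $TESTDIR` has no `-p` and the script never sets `set -e`, so if `/usr/lib/dir/` already exists on the test image the error is printed and the scenario silently continues, and every `$TESTDIR` expansion is unquoted; `mkdir -p "$TESTDIR"` plus quoting the two later uses makes the setup deterministic. `TESTDIR` also ends in `/`, so the later paths render as `/usr/lib/dir//test_me`; harmless, but `TESTDIR="/usr/lib/dir"` reads cleaner and matches how the paths are joined below.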
From: Watson Sato Date: Tue, 22 Mar 2022 19:08:41 +0100 Subject: [PATCH 03/12] Improve template checks to recurse and regex file names In file_owner, file_groupowner and file_permissions template, 'recursive' and 'file_regex' should not be mutually exclusive. The template as it was could not recurse in the specified 'filepath' and match the file againt 'file_regex'. --- .../file_ownership_library_dirs/rule.yml | 1 + .../file_permissions_library_dirs/rule.yml | 1 + shared/templates/file_groupowner/oval.template | 10 +++++----- shared/templates/file_owner/oval.template | 10 +++++----- shared/templates/file_permissions/oval.template | 10 +++++----- 5 files changed, 17 insertions(+), 15 deletions(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml index b6bc18e8310f..c22f6f8b0a4e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml @@ -69,5 +69,6 @@ template: - /lib64/ - /usr/lib/ - /usr/lib64/ + recursive: 'true' file_regex: ^.*$ fileuid: '0' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml index 5a708cf78c33..8535a3f10fe3 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml @@ -70,5 +70,6 @@ template: - /lib64/ - /usr/lib/ - /usr/lib64/ + recursive: 'true' file_regex: ^.*$ filemode: '0755' 
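Review bot: With `recursive: 'true'` added next to `file_regex: ^.*$`, this rule now walks every file under all four listed trees, and on merged-/usr platforms `/lib/` and `/lib64/` are symlinks into `/usr/lib/` and `/usr/lib64/`, so the same files are presumably evaluated and remediated twice per scan. If the duplicate paths are kept on purpose for non-merged layouts, a comment in the template block such as `# /lib and /lib64 duplicate /usr/lib* on merged-/usr systems; kept for legacy layouts` would stop the next reader from "fixing" it, and the scan-time cost of a full traversal of /usr/lib is worth recording in the PR. The second hunk of this commit (file_permissions_library_dirs) has the same shape.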
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template index 64a494471a88..d54019822893 100644 --- a/shared/templates/file_groupowner/oval.template +++ b/shared/templates/file_groupowner/oval.template @@ -32,14 +32,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template index 777831d790d2..84025fadcb24 100644 --- a/shared/templates/file_owner/oval.template +++ b/shared/templates/file_owner/oval.template @@ -31,14 +31,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template index 6b3616a7f428..2a80fb8a5954 100644 --- a/shared/templates/file_permissions/oval.template +++ b/shared/templates/file_permissions/oval.template @@ -45,14 +45,14 @@ {{%- if IS_DIRECTORY %}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} From bdc59897f25e4541d9e9bd2db5eb13ef11702252 Mon Sep 17 00:00:00 2001 
From: Watson Sato
Date: Tue, 22 Mar 2022 19:38:19 +0100
Subject: [PATCH 04/12] Fix the ownership of the symlink

The remediation performs a 'find' followed by a 'chwon' While 'find' doesn't follow symlinks by default, 'chown' does follow, so 'chown' will try to change owner of a non existent file while 'find' pointed out that the symlink has wrong owner.

While this doesn't affect the result of the evaluation, this avoids messages like these in the HTML report:
chown: cannot dereference '/lib/faulty_symlink': No such file or directory
chown: cannot dereference '/usr/lib/faulty_symlink': No such file or directory
---
 .../tests/incorrect_symlink.fail.sh | 16 ++++++++++++++++
 shared/templates/file_groupowner/bash.template | 2 +-
 shared/templates/file_owner/bash.template | 2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
new file mode 100644
index 000000000000..174a855fae84
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
@@ -0,0 +1,16 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The remediation performs a 'find' followed by a 'chwon'
+# While 'find' doesn't follow symlinks by default, 'chown' does follow,
+# so 'chown' will try to change owner of a non existent file while 'find'
+# pointed out that the symlink has wrong owner.
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink
+
+# The Check ignores symlink, so we need to put a reason to run the remediations
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 3f6b22b625c3..5da78fb98e2e 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp {{{ FILEGID }}} "$file"
+ chgrp -h {{{ FILEGID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 6f859d1f34ac..4a8fa92ca889 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown {{{ FILEUID }}} "$file"
+ chown -h {{{ FILEUID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}

From 0e837f63b67be3b4c8c25e4feb9b3a1b369faf76 Mon Sep 17 00:00:00 2001
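Review bot: `chgrp -h` widens what the remediation touches rather than narrowing it: the new test's own comment says the check ignores symlinks, yet `find {{{ path }}}` still lists them, so every symlink whose own group differs is now re-owned although no check ever asked for it. If the goal is only to stop the dereference errors, excluding links at the source is the tighter fix, `readarray -t files < <(find {{{ path }}} ! -type l)`; a link whose target lives inside the tree is still reached through the target's own entry. The `chown -h` hunk that follows has the same trade-off, and both should agree with whatever the OVAL actually evaluates, which this hunk does not show.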
From: Watson Sato
Date: Tue, 22 Mar 2022 19:45:52 +0100
Subject: [PATCH 05/12] Bash: Only change ownership of incompliant files

This changes the remediation to only apply the chwon command on files that are not compliant, this optimizes the remediation a bit.
---
 shared/templates/file_groupowner/bash.template | 2 +-
 shared/templates/file_owner/bash.template | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 5da78fb98e2e..292985b437bd 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -6,7 +6,7 @@

 {{% for path in FILEPATH %}}
 {{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+readarray -t files < <(find {{{ path }}} ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chgrp -h {{{ FILEGID }}} "$file"
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 4a8fa92ca889..998773dea376 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -6,7 +6,7 @@

 {{% for path in FILEPATH %}}
 {{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+readarray -t files < <(find {{{ path }}} ! -uid {{{ FILEUID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chown -h {{{ FILEUID }}} "$file"

From 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4 Mon Sep 17 00:00:00 2001
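Review bot: `! -gid {{{ FILEGID }}}` (and `! -uid {{{ FILEUID }}}` in the file_owner hunk) accepts numeric IDs only, so a rule that supplies a group or user name makes `find` exit with an invalid-argument error, `files` comes back empty and the remediation silently does nothing, since the template does not use `set -e`. `find -group` / `find -user` accept either a name or a numeric ID, so `find {{{ path }}} ! -group {{{ FILEGID }}}` is the safer spelling. The rule.yml values visible in this series are numeric (`fileuid: '0'`), so this may be theoretical for the rules touched here, but the template is shared by every rule that uses it.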
From: Watson Sato Date: Wed, 23 Mar 2022 14:59:41 +0100 Subject: [PATCH 06/12] Ansible: Make file_regex and recurse independent in template Make Ansible remediation the follwing templates handle 'file_regex' and 'recurse' independently: - file_owner - file_groupowner - file_permissions The template deals with files when 'file_regex' is set, otherwise it deals with directories. When 'recurse' is true, the check and remediation will travel down the directory tree, otherwise only the first level is checked. --- .../templates/file_groupowner/ansible.template | 16 ++++++++++++---- shared/templates/file_owner/ansible.template | 18 +++++++++++++----- .../file_permissions/ansible.template | 16 ++++++++++++---- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 0b4ab594155c..84a49e157586 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template @@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found 
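Review bot: `patterns: {{{ FILE_REGEX[loop.index0] }}}` is emitted as a bare YAML scalar, so only regexes that happen to be valid YAML survive; `^.*$` does, but a `file_regex` containing `: `, ` #`, or starting with `[`, `{` or `*` would break the rendered playbook or be parsed as a different value. Single-quoting it, `patterns: '{{{ FILE_REGEX[loop.index0] }}}'`, keeps backslashes intact and covers everything except a literal `'` in the regex, and mirrors how the bash template already single-quotes the same value for `grep -qE`. Pre-existing, but this hunk rewrites the surrounding task so it is the natural place to fix it.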
@@ -22,15 +27,18 @@ with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure group owner on {{{ path }}} recursively +- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} group: "{{{ FILEGID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index dba9e65a2774..1a5dd5d9215f 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template @@ -5,32 +5,40 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found -- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} +- name: Ensure owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} file: path: "{{ item.path }}" owner: "{{{ FILEUID }}}" with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure owner on {{{ path }}} recursively +- name: Ensure owner on directory {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} owner: "{{{ FILEUID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} 
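Review bot: In the new `{{% else %}}` branch, `state: directory` together with `recurse: yes` makes the Ansible `file` module apply `owner` to every file and directory beneath `{{{ path }}}`, not to directories only, while the bash counterpart (`find -L ... -type d`) and the documentation added later in this series say the no-`file_regex` form acts on directories alone, so the two remediations now disagree on scope. If directory-only is the intent, keep the un-recursed `file` task for the top-level path and feed a `find` with `file_type: directory` into a second `file` task, as sketched below; the `{{% else %}}` branch of the file_groupowner hunk above has the same shape. Whether the `file` module's recursion also follows symlinks here is not visible from the hunk and is worth checking before merging.
```yaml
- name: Find directories under {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
  find:
    paths: "{{{ path }}}"
    file_type: directory
{{% if RECURSIVE %}}
    recurse: yes
{{% endif %}}
    hidden: yes
  register: dirs_found

- name: Ensure owner on directories under {{{ path }}}
  file:
    path: "{{ item.path }}"
    owner: "{{{ FILEUID }}}"
  with_items:
    - "{{ dirs_found.files }}"
# ... unchanged: 'Ensure owner on directory {{{ path }}}' task for the top-level path, without recurse ...
```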
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 6d4dedcee511..6d529058bee8 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template @@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s){{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found @@ -22,15 +27,18 @@ with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Set permissions for {{{ path }}} recursively +- name: Set permissions for {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} mode: "{{{ FILEMODE }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} From f3d94f8b7a2779c87ba7c0ebb6cbf6aa59476ab1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 15:04:30 +0100 Subject: [PATCH 07/12] Ansible: Only change files when they are incompliant This not only speeds up the Ansible remediation but also ensures that we only touch files that should be modified. --- shared/templates/file_groupowner/ansible.template | 1 + shared/templates/file_owner/ansible.template | 1 + shared/templates/file_permissions/ansible.template | 1 + 3 files changed, 3 insertions(+) diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 84a49e157586..8e8bbde440c0 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template 
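Review bot: The `{{% else %}}` branch now emits `file` with `state: directory`, `recurse: yes` and `mode: "{{{ FILEMODE }}}"`, and the Ansible `file` module applies a recursive mode to directory contents as well, so a directory mode such as `0755` gets stamped onto every regular file beneath the path (data files become executable) while the bash counterpart restricts itself to `-type d`. Limit the recursive task to directories, e.g. a `find` with `file_type: directory` looped into `file: mode:`, or drop `recurse: yes` here and rely on the `file_regex` form for files; the owner and groupowner templates in this commit share the pattern, but for mode the mismatch is the more visible one.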
@@ -24,6 +24,7 @@ file: path: "{{ item.path }}" group: "{{{ FILEGID }}}" + when: item.gid != {{{ FILEGID }}} with_items: - "{{ files_found.files }}" diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index 1a5dd5d9215f..a0d6c51c6139 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template @@ -24,6 +24,7 @@ file: path: "{{ item.path }}" owner: "{{{ FILEUID }}}" + when: item.uid != {{{ FILEUID }}} with_items: - "{{ files_found.files }}" diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 6d529058bee8..1d892fce5a31 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template @@ -24,6 +24,7 @@ file: path: "{{ item.path }}" mode: "{{{ FILEMODE }}}" + when: item.mode != {{{ FILEMODE}}} with_items: - "{{ files_found.files }}" From 39d19f75d5aa2271ec8caca4ad3b2fc8e54d13d1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 15:26:26 +0100 Subject: [PATCH 08/12] Bash: Make file_regex and recurse independent Make Bash remediation of the following templates handle 'file_regex' and 'recurse' independently: -file_owner -file_groupowner -file_permissions --- .../templates/file_groupowner/bash.template | 18 ++++++++++++----- shared/templates/file_owner/bash.template | 20 +++++++++++++------ .../templates/file_permissions/bash.template | 20 +++++++++++++------ 3 files changed, 41 insertions(+), 17 deletions(-) diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template index 292985b437bd..f27d098e3ec2 100644 --- a/shared/templates/file_groupowner/bash.template +++ b/shared/templates/file_groupowner/bash.template 
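Review bot: `when: item.gid != {{{ FILEGID }}}` and `when: item.uid != {{{ FILEUID }}}` compare the integer `gid`/`uid` reported by `find` against the raw template value, so a rule that sets the group or owner by name renders e.g. `item.gid != root`, which Jinja evaluates against an undefined variable and fails the task, while the `group:`/`owner:` keys two lines up happily accept names; the template now permits a value its own condition cannot handle. Either resolve names first (a `getent` lookup) or state in the template reference that these parameters must be numeric. For the mode case, `item.mode != {{{ FILEMODE}}}` also fires for files that are more restrictive than `FILEMODE`; if the OVAL side treats such files as compliant, this chmod loosens them, so the check's semantics should be confirmed before relying on plain inequality.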
@@ -4,17 +4,25 @@
 # complexity = low
 # disruption = low

+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
 {{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} ! -gid {{{ FILEGID }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chgrp -h {{{ FILEGID }}} "$file"
 fi
 done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
 {{% else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
+{{%- endif %}}
+{{%- else %}}
 chgrp {{{ FILEGID }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
 {{% endfor %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 998773dea376..07dc5f66997b 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
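Review bot: The directory branch keeps `find -L`, so a symlink under `{{{ path }}}` that points to a directory elsewhere (a compat link into `/opt`, an admin's link to `/var`) is descended and the target tree is `chgrp`-ed by root, outside the path the rule promises to touch; with `-L`, `-type d` also matches links to directories and the bare `chgrp` then follows them. Dropping `-L`, letting `find` skip links, and touching only what is wrong keeps the scope honest: `find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d ! -gid {{{ FILEGID }}} -exec chgrp {{{ FILEGID }}} {} +`. The file_owner and file_permissions hunks that follow carry the same `find -L` line.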
@@ -4,17 +4,25 @@
 # complexity = low
 # disruption = low

+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
 {{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} ! -uid {{{ FILEUID }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chown -h {{{ FILEUID }}} "$file"
 fi
 done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
-{{% else %}}
+{{%- else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chown {{{ FILEUID }}} {} \;
+{{%- endif %}}
+{{%- else %}}
 chown {{{ FILEUID }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
 {{% endfor %}}
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index 5a6929163b1a..78e8a4557c3a 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -4,17 +4,25 @@
 # complexity = low
 # disruption = low

+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
 {{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chmod {{{ FILEMODE }}} "$file"
 fi
 done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
-{{% else %}}
+{{%- else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
+{{%- endif %}}
+{{%- else %}}
 chmod {{{ FILEMODE }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
 {{% endfor %}}

From c8de6f2702c761a0a87ecf693911a6fc8a63b13a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 23 Mar 2022 15:46:31 +0100
Subject: [PATCH 09/12] Document file only and directory only behavior

The following templates act only on files or on directories under the specified filepath.
---
 docs/templates/template_reference.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index d0ee43fb1b74..1de4f43b4966 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -259,6 +259,8 @@ - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression.
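Review bot: Unlike the owner and groupowner templates, `readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}})` has no filter at all, so `chmod {{{ FILEMODE }}}` runs on every directory, symlink and file under the path: `chmod` follows symlinks, so a dangling link produces the same dereference noise this series just fixed for `chown`, and a link into another tree silently changes the target's mode. Since the Ansible side's `find` returns regular files only and the documentation in this same commit says the `file_regex` form is file-only, `find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f` (optionally with `! -perm {{{ FILEMODE }}}` so compliant files are left alone) aligns the two. The documentation hunk of this commit needs nothing further.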
@@ -294,6 +296,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. @@ -329,6 +333,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. From 141f72cbee9b3e428eebb5606d841e35683c4ba7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 16:53:17 +0100 Subject: [PATCH 10/12] Make sure that path pattern_match is achored Add beginning of string anchor to optimize regular expression matching. --- shared/templates/file_groupowner/oval.template | 2 +- shared/templates/file_owner/oval.template | 2 +- shared/templates/file_permissions/oval.template | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template index d54019822893..276965ad77ca 100644 --- a/shared/templates/file_groupowner/oval.template +++ b/shared/templates/file_groupowner/oval.template @@ -33,7 +33,7 @@ {{%- if IS_DIRECTORY -%}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template index 84025fadcb24..090ea49863a6 100644 --- a/shared/templates/file_owner/oval.template +++ b/shared/templates/file_owner/oval.template 
@@ -32,7 +32,7 @@ {{%- if IS_DIRECTORY -%}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template index 2a80fb8a5954..a22bb1046877 100644 --- a/shared/templates/file_permissions/oval.template +++ b/shared/templates/file_permissions/oval.template @@ -46,7 +46,7 @@ {{%- if IS_DIRECTORY %}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} From 0e235b994e0556ea07a1e2406dd4a3df18a6e34d Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 20:21:30 +0100 Subject: [PATCH 11/12] Update test to reflect current rule behaviour After templates file_owner, file_groupowner and file_permissions was updated to handle simultaneous use of `recurse` and `file_regex` in commit 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4 and 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4, the rule changed to file_permissions_library_dirs only handle only file permissions, not directory permissions (which is kind of expected). The rule for directorires is dir_permissions_library_dirs --- .../tests/lenient_permissions.fail.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh index 913e75e7b178..7b0320fce482 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh 
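Review bot: `^{{{ filepath[:-1] }}}` anchors only the start, so for `/usr/lib/` the pattern `^/usr/lib` also selects `/usr/lib64` and `/usr/libexec` (and `^/lib` selects `/lib64`), pulling trees the rule never listed into the check; with the recursion already expressed by the object's recurse settings, the pattern should match the starting directory exactly: `^{{{ filepath[:-1] }}}$`. The path is also interpolated into the regex unescaped, so a `filepath` containing `.`, `+` or `(` (e.g. `/usr/lib/python3.9/`) matches more than the literal directory; if the project's Jinja environment offers a regex-escaping filter, apply it to the value before the `^`. The file_groupowner hunk above carries the same line, and since I have not verified OpenSCAP's exact recursion semantics for pattern paths, a test scenario that plants an offending file in `/usr/libexec` would settle it.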
@@ -2,6 +2,5 @@
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
- find "$dirPath" -type d -exec chmod go-w '{}' \;
 find "$dirPath" -type f -exec chmod go+w '{}' \;
 done

From 98c28210ceef846a0df82ecfc6094ed7e70b93ff Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 24 Mar 2022 00:33:39 +0100
Subject: [PATCH 12/12] The mode should be interpreted as string

Surround mode with quotes so it is interpreted as string
---
 shared/templates/file_permissions/ansible.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index 1d892fce5a31..4570ace9471d 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -24,7 +24,7 @@
 file:
 path: "{{ item.path }}"
 mode: "{{{ FILEMODE }}}"
- when: item.mode != {{{ FILEMODE}}}
+ when: item.mode != '{{{ FILEMODE}}}'
 with_items:
 - "{{ files_found.files }}"
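Review bot: The quoted comparison `item.mode != '{{{ FILEMODE}}}'` is a plain string equality against the four-digit octal string Ansible's `find` reports (e.g. `0644`), so it only works when `filemode` is written in exactly that form; a rule giving `755` or `00755` compares unequal for every file and re-chmods the whole tree on each run, quietly defeating the optimisation introduced two commits earlier. Normalising both sides numerically is one line: `when: (item.mode | int(base=8)) != ('{{{ FILEMODE }}}' | int(base=8))`. The `{{{ FILEMODE}}}` spacing is also inconsistent with `{{{ FILEMODE }}}` two lines above in the same task.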