From c45916e030257ce66a0d3642e6b0fedd75453c9d Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 21 Mar 2022 19:26:53 +0100 Subject: [PATCH 01/23] Exclude user nfsnobody who is equivalent to nobody Although we already exclude the user with username 'nobody', in some systems (at least RHEL7) the user 'nobody' has uid 99, and the user 'nfsnobody' has uid 65534. This patch excludes the user with name nfsnobody from the check on RHEL7 systems. --- .../oval/shared.xml | 9 +++++++++ .../accounts_users_home_files_ownership/oval/shared.xml | 9 +++++++++ .../oval/shared.xml | 9 +++++++++ 3 files changed, 27 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml index 1fd016a87e12..eb4774983738 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml @@ -10,12 +10,21 @@ nobody state_accounts_users_home_files_groupownership_interactive_gids +{{%- if product == 'rhel7' %}} + state_accounts_users_home_files_groupownership_nfsnobody +{{%- endif %}} {{{ gid_min }}} +{{%- if product == 'rhel7' %}} + + nfsnobody + +{{%- endif %}} + nobody state_accounts_users_home_files_ownership_interactive_uids +{{%- if product == 'rhel7' %}} + state_accounts_users_home_files_ownership_nfsnobody +{{%- endif %}} {{{ uid_min }}} +{{%- if product == 'rhel7' %}} + + nfsnobody + +{{%- endif %}} + nobody state_accounts_users_home_files_permissions_interactive_uids +{{%- if product == 'rhel7' %}} + state_accounts_users_home_files_permissions_nfsnobody +{{%- endif %}} {{{ uid_min }}} +{{%- if product == 'rhel7' %}} + + nfsnobody + +{{%- endif %}} + From 95abf134af036dad1f31c94afc6e87d843c796f8 Mon Sep 17 00:00:00 2001 
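Review bot: The new nfsnobody exclusion is gated on `{{%- if product == 'rhel7' %}}` in all three OVAL hunks, while the commit message only says the uid-99/uid-65534 split happens on "at least RHEL7"; any other product built from this content that ships the same nfsnobody account would still have it flagged by the interactive-uid range. Keying the exclusion on the account rather than the product, or at least stating next to the new state why only rhel7 is covered, would make the intent visible where the state is defined; a one-line comment such as `<!-- on RHEL 7 'nobody' is uid 99 and 'nfsnobody' holds 65534, so it must be excluded by name -->` beside the new state would do. The OVAL element markup appears stripped in this rendering, so the exact element names around the inserted lines cannot be checked here.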
From: Gabriel Becker
Date: Tue, 22 Mar 2022 10:49:07 +0100
Subject: [PATCH 02/23] Introduce new abrt related rules to replace obsolete packages.
---
 .../rule.yml | 30 +++++++++++++++++++
 .../rule.yml | 30 +++++++++++++++++++
 products/ol8/profiles/ospp.profile | 4 ++-
 products/ol8/profiles/stig.profile | 4 ++-
 products/rhel8/profiles/ospp.profile | 2 ++
 products/rhel8/profiles/stig.profile | 2 ++
 shared/references/cce-redhat-avail.txt | 2 --
 .../data/profile_stability/rhel8/ospp.profile | 2 ++
 .../data/profile_stability/rhel8/stig.profile | 2 ++
 .../profile_stability/rhel8/stig_gui.profile | 2 ++
 10 files changed, 76 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml
 create mode 100644 linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml
diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml
new file mode 100644
index 000000000000..94428d19dc0e
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8
+
+title: 'Uninstall libreport-plugin-logger Package'
+
+description: |-
+ {{{ describe_package_remove(package="libreport-plugin-logger") }}}
+
+rationale: |-
+ libreport-plugin-logger is a ABRT plugin to report bugs into the
+ Red Hat Support system.
+
+severity: low
+
+identifiers:
+ cce@rhel8: CCE-89201-8
+
+references:
+ disa: CCI-000381
+ srg: SRG-OS-000095-GPOS-00049
+ stigid@ol8: OL08-00-040001
+ stigid@rhel8: RHEL-08-040001
+
+{{{ complete_ocil_entry_package(package="libreport-plugin-logger") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: libreport-plugin-logger
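Review bot: The rationale of the new libreport-plugin-logger rule is the same text as the rhtsupport rule ("report bugs into the Red Hat Support system"), which does not describe a logger plugin; judging by the package name it writes reports to a log rather than to Red Hat Support, so the rationale should be checked against the package description and reworded accordingly. It also does not say why removal matters, which is what the CCI-000381 reference is about; if the log-file role is confirmed, something like `libreport-plugin-logger is an ABRT plugin that writes crash reports to a log file. Removing it reduces the set of installed crash-reporting components that are not required on the system.` would carry the point. "a ABRT" should read "an ABRT" in both new rule files.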
diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml new file mode 100644 index 000000000000..8ca0488c7956 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml @@ -0,0 +1,30 @@ +documentation_complete: true + +prodtype: fedora,ol7,ol8,rhel7,rhel8 + +title: 'Uninstall libreport-plugin-rhtsupport Package' + +description: |- + {{{ describe_package_remove(package="libreport-plugin-rhtsupport") }}} + +rationale: |- + libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the + Red Hat Support system. + +severity: low + +identifiers: + cce@rhel8: CCE-88955-0 + +references: + disa: CCI-000381 + srg: SRG-OS-000095-GPOS-00049 + stigid@ol8: OL08-00-040001 + stigid@rhel8: RHEL-08-040001 + +{{{ complete_ocil_entry_package(package="libreport-plugin-rhtsupport") }}} + +template: + name: package_removed + vars: + pkgname: libreport-plugin-rhtsupport diff --git a/products/ol8/profiles/ospp.profile b/products/ol8/profiles/ospp.profile index b6fcfbf28d6e..0a4958dcdc2c 100644 --- a/products/ol8/profiles/ospp.profile +++ b/products/ol8/profiles/ospp.profile @@ -199,10 +199,12 @@ selections: - package_nfs-utils_removed - package_krb5-workstation_removed - package_abrt-addon-kerneloops_removed - - package_abrt-addon-python_removed + - package_python3-abrt-addon_removed - package_abrt-addon-ccpp_removed - package_abrt-plugin-sosreport_removed - package_abrt-cli_removed + - package_libreport-plugin-rhtsupport_removed + - package_libreport-plugin-logger_removed - package_abrt_removed ### Login diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 039d54af22ca..184e656984d7 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile 
@@ -935,9 +935,11 @@ selections: - package_abrt_removed - package_abrt-addon-ccpp_removed - package_abrt-addon-kerneloops_removed - - package_abrt-addon-python_removed + - package_python3-abrt-addon_removed - package_abrt-cli_removed - package_abrt-plugin-sosreport_removed + - package_libreport-plugin-rhtsupport_removed + - package_libreport-plugin-logger_removed # OL08-00-040002 - package_sendmail_removed diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile index 4e033856b3d9..c20e1574ffc4 100644 --- a/products/rhel8/profiles/ospp.profile +++ b/products/rhel8/profiles/ospp.profile @@ -210,6 +210,8 @@ selections: - package_abrt-addon-ccpp_removed - package_abrt-plugin-sosreport_removed - package_abrt-cli_removed + - package_libreport-plugin-rhtsupport_removed + - package_libreport-plugin-logger_removed - package_abrt_removed ### Login diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 35be32dbf16c..82ef3d2425eb 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -931,6 +931,8 @@ selections: - package_python3-abrt-addon_removed - package_abrt-cli_removed - package_abrt-plugin-sosreport_removed + - package_libreport-plugin-rhtsupport_removed + - package_libreport-plugin-logger_removed # RHEL-08-040002 - package_sendmail_removed diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 2432cc874542..e9ec9e6354a1 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -2854,7 +2854,6 @@ CCE-88951-9 CCE-88952-7 CCE-88953-5 CCE-88954-3 -CCE-88955-0 CCE-88956-8 CCE-88957-6 CCE-88958-4 @@ -3085,7 +3084,6 @@ CCE-89197-8 CCE-89198-6 CCE-89199-4 CCE-89200-0 -CCE-89201-8 CCE-89202-6 CCE-89203-4 CCE-89204-2 diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile index 0e12daa8326e..96a7088712f8 100644 
--- a/tests/data/profile_stability/rhel8/ospp.profile +++ b/tests/data/profile_stability/rhel8/ospp.profile @@ -147,6 +147,8 @@ selections: - package_gssproxy_removed - package_iprutils_removed - package_krb5-workstation_removed +- package_libreport-plugin-logger_removed +- package_libreport-plugin-rhtsupport_removed - package_nfs-utils_removed - package_openscap-scanner_installed - package_openssh-clients_installed diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 7ca3d7559600..ce84291fb4c9 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -292,6 +292,8 @@ selections: - package_gssproxy_removed - package_iprutils_removed - package_krb5-workstation_removed +- package_libreport-plugin-logger_removed +- package_libreport-plugin-rhtsupport_removed - package_mcafeetp_installed - package_opensc_installed - package_openssh-server_installed diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 8fe977ab51c7..1a1364042029 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -303,6 +303,8 @@ selections: - package_gssproxy_removed - package_iprutils_removed - package_krb5-workstation_removed +- package_libreport-plugin-logger_removed +- package_libreport-plugin-rhtsupport_removed - package_mcafeetp_installed - package_opensc_installed - package_openssh-server_installed From a8961759c89d6ac29ba80e73fa105271d0af63c8 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 22 Mar 2022 14:31:57 +0100 Subject: [PATCH 03/23] Prevent breaking file names if they have spaces --- shared/templates/file_groupowner/bash.template | 2 +- shared/templates/file_owner/bash.template | 2 +- shared/templates/file_permissions/bash.template | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 982d2f3c6a61..3f6b22b625c3 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp {{{ FILEGID }}} $file
+ chgrp {{{ FILEGID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 27b5a2addbf7..6f859d1f34ac 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown {{{ FILEUID }}} $file
+ chown {{{ FILEUID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index e0d8fe95c4f0..5a6929163b1a 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chmod {{{ FILEMODE }}} $file
+ chmod {{{ FILEMODE }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
From 9afa33f09534613936f6c075df131361d1d41568 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 23 Mar 2022 09:13:26 +0100
Subject: [PATCH 04/23] explicit rule ordering for sshd_set_keepalive* and sshd_set_idle_timeout
---
 ssg/build_yaml.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index c1de1059a804..3522077955bf 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
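Review bot: Quoting `"$file"` in the chgrp/chown/chmod lines fixes only half of the space problem: the `basename $file` call on the preceding context line is still unquoted, so a path containing whitespace is split into several arguments (basename treats the second as a suffix to strip) and the regex is matched against the wrong name, which means the now-quoted command is never reached for exactly the files this commit targets. That line should become `if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then` in all three templates touched here. The loop still relies on readarray splitting `find` output at newlines, so names containing a newline remain unsupported; acceptable, but worth a one-line comment above the readarray line.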
@@ -1127,9 +1127,12 @@ def to_xml_element(self, env_yaml=None):
 rules_in_group = list(self.rules.keys())
 regex = (r'(package_.*_(installed|removed))|' +
 r'(service_.*_(enabled|disabled))|' +
- r'install_smartcard_packages$')
+ r'install_smartcard_packages|' +
+ r'sshd_set_keepalive(_0)?|' +
+ r'sshd_set_idle_timeout$')
 priority_order = ["installed", "install_smartcard_packages", "removed",
- "enabled", "disabled"]
+ "enabled", "disabled", "sshd_set_keepalive_0",
+ "sshd_set_keepalive", "sshd_set_idle_timeout"]
 rules_in_group = reorder_according_to_ordering(rules_in_group, priority_order, regex)
 # Add rules in priority order, first all packages installed, then removed,
From 26ea4a0c3b31677ac3d4dc466fd9a917f526f129 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 23 Mar 2022 09:56:48 +0100
Subject: [PATCH 05/23] Update RHEL9 auxiliary gpg key to auxiliary key 3.
Key fingerprint: DA7F68E3872D6E7BDCE05225E7EB5F3ACDD9699F
---
 products/rhel9/product.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index ce86b172b700..6771ae5f6a82 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -22,11 +22,11 @@ dconf_gdm_dir: "distro.d"
 # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
 pkg_release: "4ae0493b"
 pkg_version: "fd431d51"
-aux_pkg_release: "5b32db75"
-aux_pkg_version: "d4082792"
+aux_pkg_release: "6229229e"
+aux_pkg_version: "5a6340b3"
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
 oval_feed_url: "https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2"
 cpes_root: "../../shared/applicability"
From 5af298b1b44ac3fa2b1485cbf3966350959ee2a0 Mon Sep 17 00:00:00 2001
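Review bot: In the extended regex only the final alternative carries the `$` anchor, so `sshd_set_keepalive(_0)?` matches any rule id that merely contains that text, including ids with a further suffix; if that is intended, grouping the alternatives as `(...)$` or saying so in a comment would make it explicit. The context comment right below the hunk, "Add rules in priority order, first all packages installed, then removed,", is now incomplete because sshd rules also take part, so it should mention the sshd_set_keepalive_0 → sshd_set_keepalive → sshd_set_idle_timeout ordering and why that order matters. Whether "sshd_set_keepalive" in priority_order also captures "sshd_set_keepalive_0" depends on reorder_according_to_ordering, which is outside the hunk, as is the start of to_xml_element.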
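Review bot: The fingerprint given in the commit message (DA7F68E3872D6E7BDCE05225E7EB5F3ACDD9699F) is not the one written to `auxiliary_key_fingerprint` in the hunk (7E4624258C406535D56D6F135054E4A45A6340B3), so one of the two is wrong. The hunk is at least internally consistent, since `aux_pkg_version: "5a6340b3"` is the lower-case tail of the fingerprint it sets, mirroring how `release_key_fingerprint` and `pkg_version` relate; `aux_pkg_release: "6229229e"` cannot be cross-checked from anything on this page. Because these values presumably feed the package-signing key checks, both should be reconciled against the key page named in the comment line above (https://access.redhat.com/security/team/key) before merging, and the commit message corrected to match.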
From: Watson Sato
Date: Tue, 22 Mar 2022 18:37:32 +0100
Subject: [PATCH 06/23] Add test to check file permissions within dirs
Add test to check if OVAL is verifying ownership of files in directories deeper into the library dirs tree.
---
 .../tests/incorrect_owner_within_dir.fail.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
new file mode 100644
index 000000000000..b6f1634368cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/dir/"
+
+mkdir $TESTDIR
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
From 21ef824369b12e555907f54d2fb5cd2a6c5addbb Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 22 Mar 2022 19:08:41 +0100
Subject: [PATCH 07/23] Improve template checks to recurse and regex file names
In file_owner, file_groupowner and file_permissions template, 'recursive' and 'file_regex' should not be mutually exclusive. The template as it was could not recurse in the specified 'filepath' and match the file againt 'file_regex'.
---
 .../file_ownership_library_dirs/rule.yml | 1 +
 .../file_permissions_library_dirs/rule.yml | 1 +
 shared/templates/file_groupowner/oval.template | 10 +++++-----
 shared/templates/file_owner/oval.template | 10 +++++-----
 shared/templates/file_permissions/oval.template | 10 +++++-----
 5 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index b6bc18e8310f..c22f6f8b0a4e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -69,5 +69,6 @@ template:
 - /lib64/
 - /usr/lib/
 - /usr/lib64/
+ recursive: 'true'
 file_regex: ^.*$
 fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 5a708cf78c33..8535a3f10fe3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -70,5 +70,6 @@ template:
 - /lib64/
 - /usr/lib/
 - /usr/lib64/
+ recursive: 'true'
 file_regex: ^.*$
 filemode: '0755'
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template index 64a494471a88..d54019822893 100644 --- a/shared/templates/file_groupowner/oval.template +++ b/shared/templates/file_groupowner/oval.template @@ -32,14 +32,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template index 777831d790d2..84025fadcb24 100644 --- a/shared/templates/file_owner/oval.template +++ b/shared/templates/file_owner/oval.template @@ -31,14 +31,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template index 6b3616a7f428..2a80fb8a5954 100644 --- a/shared/templates/file_permissions/oval.template +++ b/shared/templates/file_permissions/oval.template @@ -45,14 +45,14 @@ {{%- if IS_DIRECTORY %}} - {{%- if FILE_REGEX %}} - {{{ filepath[:-1] }}} - {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} + {{%- if RECURSIVE %}} {{{ filepath[:-1] }}} - {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} + {{{ FILE_REGEX[loop.index0] }}} + {{%- else %}} {{%- endif %}} {{%- else %}} From bdc59897f25e4541d9e9bd2db5eb13ef11702252 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Tue, 22 Mar 2022 19:38:19 +0100 Subject: [PATCH 08/23] Fix the ownership of the symlink The remediation performs a 'find' followed by a 'chown'. While 'find' doesn't follow symlinks by default, 'chown' does follow, so 'chown' will try to change owner of a non existent file while 'find' pointed out that the symlink has wrong owner. While this doesn't affect the result of the evaluation, this avoids messages like these in the HTML report: chown: cannot dereference '/lib/faulty_symlink': No such file or directory chown: cannot dereference '/usr/lib/faulty_symlink': No such file or directory --- .../tests/incorrect_symlink.fail.sh | 16 ++++++++++++++++ shared/templates/file_groupowner/bash.template | 2 +- shared/templates/file_owner/bash.template | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh new file mode 100644 index 000000000000..174a855fae84 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh 
@@ -0,0 +1,16 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The remediation performs a 'find' followed by a 'chwon'
+# While 'find' doesn't follow symlinks by default, 'chown' does follow,
+# so 'chown' will try to change owner of a non existent file while 'find'
+# pointed out that the symlink has wrong owner.
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink
+
+# The Check ignores symlink, so we need to put a reason to run the remediations
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 3f6b22b625c3..5da78fb98e2e 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp {{{ FILEGID }}} "$file"
+ chgrp -h {{{ FILEGID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 6f859d1f34ac..4a8fa92ca889 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -9,7 +9,7 @@
 readarray -t files < <(find {{{ path }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown {{{ FILEUID }}} "$file"
+ chown -h {{{ FILEUID }}} "$file"
 fi
 done
 {{% elif IS_DIRECTORY and RECURSIVE %}}
From 0e837f63b67be3b4c8c25e4feb9b3a1b369faf76 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 22 Mar 2022 19:45:52 +0100
Subject: [PATCH 09/23] Bash: Only change ownership of incompliant files
This changes the remediation to only apply the chwon command on files that are not compliant, this optimizes the remediation a bit.
---
 shared/templates/file_groupowner/bash.template | 2 +-
 shared/templates/file_owner/bash.template | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 5da78fb98e2e..292985b437bd 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -6,7 +6,7 @@
 {{% for path in FILEPATH %}}
 {{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+readarray -t files < <(find {{{ path }}} ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chgrp -h {{{ FILEGID }}} "$file"
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 4a8fa92ca889..998773dea376 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -6,7 +6,7 @@
 {{% for path in FILEPATH %}}
 {{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+readarray -t files < <(find {{{ path }}} ! -uid {{{ FILEUID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chown -h {{{ FILEUID }}} "$file"
From 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4 Mon Sep 17 00:00:00 2001
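Review bot: `find ... ! -gid {{{ FILEGID }}}` and `! -uid {{{ FILEUID }}}` accept only numeric ids, while the `chgrp`/`chown` they feed accept names as well; if any rule sets filegid/fileuid to a name, `find` now aborts with an invalid-argument error and the remediation silently fixes nothing (the only values visible on this page, such as `fileuid: '0'`, are numeric, so this is hedged). `! -group {{{ FILEGID }}}` / `! -user {{{ FILEUID }}}` take either a name or a numeric id and would keep both forms working in both hunks. A comment on the readarray line noting that the value must be a numeric id would otherwise make the constraint visible to rule authors.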
From: Watson Sato Date: Wed, 23 Mar 2022 14:59:41 +0100 Subject: [PATCH 10/23] Ansible: Make file_regex and recurse independent in template Make Ansible remediation the follwing templates handle 'file_regex' and 'recurse' independently: - file_owner - file_groupowner - file_permissions The template deals with files when 'file_regex' is set, otherwise it deals with directories. When 'recurse' is true, the check and remediation will travel down the directory tree, otherwise only the first level is checked. --- .../templates/file_groupowner/ansible.template | 16 ++++++++++++---- shared/templates/file_owner/ansible.template | 18 +++++++++++++----- .../file_permissions/ansible.template | 16 ++++++++++++---- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 0b4ab594155c..84a49e157586 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template @@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found 
@@ -22,15 +27,18 @@ with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure group owner on {{{ path }}} recursively +- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} group: "{{{ FILEGID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index dba9e65a2774..1a5dd5d9215f 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template @@ -5,32 +5,40 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found -- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} +- name: Ensure owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} file: path: "{{ item.path }}" owner: "{{{ FILEUID }}}" with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure owner on {{{ path }}} recursively +- name: Ensure owner on directory {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} owner: "{{{ FILEUID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} 
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 6d4dedcee511..6d529058bee8 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template @@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s){{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found @@ -22,15 +27,18 @@ with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Set permissions for {{{ path }}} recursively +- name: Set permissions for {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} mode: "{{{ FILEMODE }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} From f3d94f8b7a2779c87ba7c0ebb6cbf6aa59476ab1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 15:04:30 +0100 Subject: [PATCH 11/23] Ansible: Only change files when they are incompliant This not only speeds up the Ansible remediation but also ensures that we only touch files that should be modified. --- shared/templates/file_groupowner/ansible.template | 1 + shared/templates/file_owner/ansible.template | 1 + shared/templates/file_permissions/ansible.template | 1 + 3 files changed, 3 insertions(+) diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 84a49e157586..8e8bbde440c0 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template 
@@ -24,6 +24,7 @@
 file:
 path: "{{ item.path }}"
 group: "{{{ FILEGID }}}"
+ when: item.gid != {{{ FILEGID }}}
 with_items:
 - "{{ files_found.files }}"
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 1a5dd5d9215f..a0d6c51c6139 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -24,6 +24,7 @@
 file:
 path: "{{ item.path }}"
 owner: "{{{ FILEUID }}}"
+ when: item.uid != {{{ FILEUID }}}
 with_items:
 - "{{ files_found.files }}"
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index 6d529058bee8..1d892fce5a31 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -24,6 +24,7 @@
 file:
 path: "{{ item.path }}"
 mode: "{{{ FILEMODE }}}"
+ when: item.mode != {{{ FILEMODE}}}
 with_items:
 - "{{ files_found.files }}"
From 39d19f75d5aa2271ec8caca4ad3b2fc8e54d13d1 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 23 Mar 2022 15:26:26 +0100
Subject: [PATCH 12/23] Bash: Make file_regex and recurse independent
Make Bash remediation of the following templates handle 'file_regex' and 'recurse' independently: -file_owner -file_groupowner -file_permissions
---
 .../templates/file_groupowner/bash.template | 18 ++++++++++++-----
 shared/templates/file_owner/bash.template | 20 +++++++++++++------
 .../templates/file_permissions/bash.template | 20 +++++++++++++------
 3 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 292985b437bd..f27d098e3ec2 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
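Review bot: `when: item.mode != {{{ FILEMODE}}}` renders the mode unquoted (e.g. `0755`), which YAML/Jinja will read as a number, while the `mode` field the find module returns is a string, so the comparison is likely always true and the task would still touch every file; `when: item.mode != "{{{ FILEMODE }}}"` keeps both sides as strings and also fixes the missing space before `}}}`. The `item.uid != {{{ FILEUID }}}` and `item.gid != {{{ FILEGID }}}` conditions in the other two hunks assume the template values are numeric ids; if a rule ever passes a user or group name the comparison is against a string and the task again runs unconditionally. A short comment above each `when:` stating that the value must be numeric would make the constraint visible to rule authors.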
@@ -4,17 +4,25 @@
 # complexity = low
 # disruption = low
+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
 {{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} ! -gid {{{ FILEGID }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chgrp -h {{{ FILEGID }}} "$file"
 fi
 done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
 {{% else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
+{{%- endif %}}
+{{%- else %}}
 chgrp {{{ FILEGID }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
 {{% endfor %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 998773dea376..07dc5f66997b 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
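Review bot: The directory branch still runs `find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \;`, and `-L` makes find descend through symlinked directories while chgrp without `-h` re-owns the link target, so a symlink under the path that points elsewhere would have its target's group changed, which is a wider effect than the check describes; the regex branch a few lines above already uses `chgrp -h`. If symlinks are not expected in these paths, dropping `-L` (and using `-exec chgrp -h`) keeps the remediation inside the listed path; the same applies to the `chown` branch in the file_owner hunk of this commit. If following links is deliberate, a comment on that line saying so would help the next reader.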
@@ -4,17 +4,25 @@ # complexity = low # disruption = low +{{%- if RECURSIVE %}} +{{% set FIND_RECURSE_ARGS="" %}} +{{%- else %}} +{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}} +{{%- endif %}} + {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} -readarray -t files < <(find {{{ path }}} ! -uid {{{ FILEUID }}}) +{{%- if IS_DIRECTORY %}} +{{%- if FILE_REGEX %}} +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chown -h {{{ FILEUID }}} "$file" fi done -{{% elif IS_DIRECTORY and RECURSIVE %}} -find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \; -{{% else %}} +{{%- else %}} +find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chown {{{ FILEUID }}} {} \; +{{%- endif %}} +{{%- else %}} chown {{{ FILEUID }}} {{{ path }}} -{{% endif %}} +{{%- endif %}} {{% endfor %}} diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template index 5a6929163b1a..78e8a4557c3a 100644 --- a/shared/templates/file_permissions/bash.template +++ b/shared/templates/file_permissions/bash.template 
@@ -4,17 +4,25 @@ # complexity = low # disruption = low +{{%- if RECURSIVE %}} +{{% set FIND_RECURSE_ARGS="" %}} +{{%- else %}} +{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}} +{{%- endif %}} + {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} -readarray -t files < <(find {{{ path }}}) +{{%- if IS_DIRECTORY %}} +{{%- if FILE_REGEX %}} +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chmod {{{ FILEMODE }}} "$file" fi done -{{% elif IS_DIRECTORY and RECURSIVE %}} -find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \; -{{% else %}} +{{%- else %}} +find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chmod {{{ FILEMODE }}} {} \; +{{%- endif %}} +{{%- else %}} chmod {{{ FILEMODE }}} {{{ path }}} -{{% endif %}} +{{%- endif %}} {{% endfor %}} From c8de6f2702c761a0a87ecf693911a6fc8a63b13a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 15:46:31 +0100 Subject: [PATCH 13/23] Document file only and directory only behavior The following templates act only on files or on directories under the specified filepath. --- docs/templates/template_reference.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index d0ee43fb1b74..1de4f43b4966 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -259,6 +259,8 @@ - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. 
@@ -294,6 +296,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. @@ -329,6 +333,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. From 141f72cbee9b3e428eebb5606d841e35683c4ba7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 16:53:17 +0100 Subject: [PATCH 14/23] Make sure that path pattern_match is achored Add beginning of string anchor to optimize regular expression matching. --- shared/templates/file_groupowner/oval.template | 2 +- shared/templates/file_owner/oval.template | 2 +- shared/templates/file_permissions/oval.template | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template index d54019822893..276965ad77ca 100644 --- a/shared/templates/file_groupowner/oval.template +++ b/shared/templates/file_groupowner/oval.template @@ -33,7 +33,7 @@ {{%- if IS_DIRECTORY -%}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template index 84025fadcb24..090ea49863a6 100644 --- a/shared/templates/file_owner/oval.template +++ b/shared/templates/file_owner/oval.template 
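Review bot: `^{{{ filepath[:-1] }}}` is still only a prefix match: with a `filepath` of `/usr/lib/` the recursive pattern also selects `/usr/lib64` and any sibling whose name begins with `lib`, which the unanchored version already did and the new anchor does not change. Unless the recursion requires descendant paths to match the pattern as well, terminating it, e.g. `^{{{ filepath[:-1] }}}$`, would confine the object to the configured directory; a scenario with `/usr/lib` and `/usr/lib64` side by side would show the difference. The path is also interpolated into the regex unescaped, so a `.` in it matches any character. The file_owner and file_permissions oval.template hunks in this commit share all of this; the XML element names are stripped in this rendering, so the operation attribute should be checked alongside.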
@@ -32,7 +32,7 @@ {{%- if IS_DIRECTORY -%}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template index 2a80fb8a5954..a22bb1046877 100644 --- a/shared/templates/file_permissions/oval.template +++ b/shared/templates/file_permissions/oval.template @@ -46,7 +46,7 @@ {{%- if IS_DIRECTORY %}} {{%- if RECURSIVE %}} - {{{ filepath[:-1] }}} + ^{{{ filepath[:-1] }}} {{%- else %}} {{{ filepath[:-1] }}} {{%- endif %}} From 0e235b994e0556ea07a1e2406dd4a3df18a6e34d Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 23 Mar 2022 20:21:30 +0100 Subject: [PATCH 15/23] Update test to reflect current rule behaviour After the templates file_owner, file_groupowner and file_permissions were updated to handle simultaneous use of `recurse` and `file_regex` in commits 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4 and 4c71f7e0f0ec5faa32d280a3d9ee56abf0d5aec4, the rule file_permissions_library_dirs changed to handle only file permissions, not directory permissions (which is kind of expected). The rule for directories is dir_permissions_library_dirs --- .../tests/lenient_permissions.fail.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh index 913e75e7b178..7b0320fce482 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
@@ -2,6 +2,5 @@ DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do - find "$dirPath" -type d -exec chmod go-w '{}' \; find "$dirPath" -type f -exec chmod go+w '{}' \; done From 98c28210ceef846a0df82ecfc6094ed7e70b93ff Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 24 Mar 2022 00:33:39 +0100 Subject: [PATCH 16/23] The mode should be interpreted as string Surround mode with quotes so it is interpreted as string --- shared/templates/file_permissions/ansible.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 1d892fce5a31..4570ace9471d 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template @@ -24,7 +24,7 @@ file: path: "{{ item.path }}" mode: "{{{ FILEMODE }}}" - when: item.mode != {{{ FILEMODE}}} + when: item.mode != '{{{ FILEMODE}}}' with_items: - "{{ files_found.files }}" From 6dd56a4f480dd73f28f267a6ae177fe87087ec9f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 24 Mar 2022 19:10:51 +0100 Subject: [PATCH 17/23] When 'file_regex' is set do not operate on symlinks The remediations should remediate regular files. Neither symlinks nor the files they point to should be changed. There are symlinks in `/lib/.build-id/` that point to installed binaries. For example (the IDs will vary): '/lib/.build-id/a4/67cb9c8fa7306d41b96a820b0178f3a9c66055' -> '../../../../usr/bin/passwd' '/lib/.build-id/a4/8e8ae0d029dbbc1c1b0bb0fcea424860a6c412' -> '../../../../usr/bin/sudo' '/lib/.build-id/a4/2c53d4543f5c0bb8db47d65e4b766d12f3b7bd' -> '../../../../usr/lib64/python3.9/lib-dynload/_lsprof.cpython-39-x86_64-linux-gnu.so' --- shared/templates/file_groupowner/bash.template | 4 ++-- shared/templates/file_owner/bash.template | 4 ++-- shared/templates/file_permissions/bash.template | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-)
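Review bot: `'{{{ FILEMODE}}}'` drops the space before the closing braces that the `mode: "{{{ FILEMODE }}}"` line directly above uses; `when: item.mode != '{{{ FILEMODE }}}'` keeps the two spellings consistent. The quoted comparison also only holds if `filemode` is always written the way the `find` module appears to report `mode` (a four-character octal string such as `0644`); a three-digit value would never compare equal and the task would be skipped for every item, so that expected form is worth pinning down in the template documentation. The enclosing task starts before this hunk.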
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template index f27d098e3ec2..b13c95e6b307 100644 --- a/shared/templates/file_groupowner/bash.template +++ b/shared/templates/file_groupowner/bash.template @@ -13,10 +13,10 @@ {{% for path in FILEPATH %}} {{%- if IS_DIRECTORY %}} {{%- if FILE_REGEX %}} -readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}}) +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -gid {{{ FILEGID }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then - chgrp -h {{{ FILEGID }}} "$file" + chgrp {{{ FILEGID }}} "$file" fi done {{% else %}} diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template index 07dc5f66997b..f2d2366d5850 100644 --- a/shared/templates/file_owner/bash.template +++ b/shared/templates/file_owner/bash.template @@ -13,10 +13,10 @@ {{% for path in FILEPATH %}} {{%- if IS_DIRECTORY %}} {{%- if FILE_REGEX %}} -readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}}) +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then - chown -h {{{ FILEUID }}} "$file" + chown {{{ FILEUID }}} "$file" fi done {{%- else %}} diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template index 78e8a4557c3a..16096959c7cd 100644 --- a/shared/templates/file_permissions/bash.template +++ b/shared/templates/file_permissions/bash.template 
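Review bot: Replacing `chgrp -h` with `chgrp` is not required by the new `-type f` listing and gives up a small safety margin: `-h` is a no-op on a regular file, but if a listed path is swapped for a symlink between the `find` and the `chgrp`, the flag keeps the change on the link rather than on whatever it points to. Keeping `chgrp -h {{{ FILEGID }}} "$file"` here (and `chown -h` in the file_owner hunk) costs nothing. A comment on the `find` line, `# -type f: regular files only; symlinks such as those under /lib/.build-id and their targets are left alone`, would record why the type filter exists, in this file, file_owner and the file_permissions hunk that follows.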
@@ -13,7 +13,7 @@ {{% for path in FILEPATH %}} {{%- if IS_DIRECTORY %}} {{%- if FILE_REGEX %}} -readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}}) +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chmod {{{ FILEMODE }}} "$file" From 04027f381b42a7726aa4ac6a57dda8975dcf0bf8 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 24 Mar 2022 19:16:05 +0100 Subject: [PATCH 18/23] Prevent breaking the paths with spaces --- shared/templates/file_groupowner/bash.template | 2 +- shared/templates/file_owner/bash.template | 2 +- shared/templates/file_permissions/bash.template | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template index b13c95e6b307..a7133d28c632 100644 --- a/shared/templates/file_groupowner/bash.template +++ b/shared/templates/file_groupowner/bash.template @@ -15,7 +15,7 @@ {{%- if FILE_REGEX %}} readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -gid {{{ FILEGID }}}) for file in "${files[@]}"; do - if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then + if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chgrp {{{ FILEGID }}} "$file" fi done diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template index f2d2366d5850..83a53b9d2432 100644 --- a/shared/templates/file_owner/bash.template +++ b/shared/templates/file_owner/bash.template @@ -15,7 +15,7 @@ {{%- if FILE_REGEX %}} readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}}) for file in "${files[@]}"; do - if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then + if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chown {{{ FILEUID }}} "$file" fi done 
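Review bot: Quoting `"$file"` handles spaces, but the array is still filled by `readarray -t files < <(find …)`, which splits on newlines, so a name containing a newline — something any local user can create in a directory they can write to — becomes two bogus entries that are matched against the regex and passed to `chgrp` separately. `find … -print0` with `readarray -d '' -t files` (bash 4.4+) would make the loop name-safe end to end. The file_owner hunk on this same line and the file_permissions hunk in the next part of this commit have the same shape.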
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template index 16096959c7cd..75f238530261 100644 --- a/shared/templates/file_permissions/bash.template +++ b/shared/templates/file_permissions/bash.template @@ -15,7 +15,7 @@ {{%- if FILE_REGEX %}} readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f) for file in "${files[@]}"; do - if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then + if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then chmod {{{ FILEMODE }}} "$file" fi done From c5feb7579776917e5ad0615c92ea31eafbe86758 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 24 Mar 2022 19:41:19 +0100 Subject: [PATCH 19/23] Update test scenario to align with OVAL behavior This test sets expectation on behavior of the rule. Symlinks are ignored, even when they have incompliant owner, and point to nowhere. --- .../tests/incorrect_symlink.fail.sh | 16 ---------------- .../tests/incorrect_symlink.pass.sh | 9 +++++++++ 2 files changed, 9 insertions(+), 16 deletions(-) delete mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh deleted file mode 100644 index 174a855fae84..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh +++ /dev/null 
@@ -1,16 +0,0 @@ -# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu - -useradd user_test - -TESTDIR="/usr/lib/" - -# The remediation performs a 'find' followed by a 'chwon' -# While 'find' doesn't follow symlinks by default, 'chown' does follow, -# so 'chown' will try to change owner of a non existent file while 'find' -# pointed out that the symlink has wrong owner. -ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink -chown -h user_test $TESTDIR/faulty_symlink - -# The Check ignores symlink, so we need to put a reason to run the remediations -touch $TESTDIR/test_me -chown user_test $TESTDIR/test_me diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh new file mode 100644 index 000000000000..51bc6fe2d717 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh @@ -0,0 +1,9 @@ +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu + +useradd user_test + +TESTDIR="/usr/lib/" + +# The check ignores this symlink and results in pass +ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink +chown -h user_test $TESTDIR/faulty_symlink From beb0e07f29ece7abdc861dd1909418653c573d06 Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Fri, 25 Mar 2022 09:59:41 +0100 Subject: [PATCH 20/23] Exclude user nfsnobody when checking home directories --- .../file_groupownership_home_directories/oval/shared.xml | 9 +++++++++ .../file_ownership_home_directories/oval/shared.xml | 9 +++++++++ .../file_permissions_home_directories/oval/shared.xml | 9 +++++++++ 3 files changed, 27 insertions(+) 
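Review bot: The new `incorrect_symlink.pass.sh` exercises only the check, and with the `.fail.sh` deleted no scenario runs the remediation against a dangling symlink, which is exactly the case the `-type f` change earlier in this series was made for. A companion `.fail.sh` that keeps the dangling link and adds one non-compliant regular file, `touch $TESTDIR/test_me` followed by `chown user_test $TESTDIR/test_me`, would fail the check, trigger the remediation and prove that the link and its missing target are left untouched. Minor: `TESTDIR="/usr/lib/"` joined with `/faulty_symlink` yields a double slash, harmless but easy to tidy.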
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml index a1d1f2ef52e7..67aeffab0cdf 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml @@ -14,12 +14,21 @@ nobody state_file_groupownership_home_directories_interactive_gids + {{%- if product == 'rhel7' %}} + state_file_permissions_groupownership_nfsnobody + {{%- endif %}} {{{ gid_min }}} +{{%- if product == 'rhel7' %}} + + nfsnobody + +{{%- endif %}} + diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml index 3d0b9aecbae3..a4a67f437092 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml @@ -23,6 +23,9 @@ nobody state_file_ownership_home_directories_interactive_uids + {{%- if product == 'rhel7' %}} + state_file_ownership_home_directories_nfsnobody + {{%- endif %}} From eaf86b0cc65147dd3fed91764d65718e9ca3ad19 Mon Sep 17 00:00:00 2001 
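Review bot: The new state is referenced as `state_file_permissions_groupownership_nfsnobody`, which does not follow the `state_file_groupownership_home_directories_*` naming used by the sibling reference on the same line and by the file_ownership hunk's `state_file_ownership_home_directories_nfsnobody`; `state_file_groupownership_home_directories_nfsnobody` would keep the id tied to this rule. The rename in a later commit of this series to `state_file_permissions_groupownership_user_list` carries the same mismatch. The XML element names are stripped in this rendering, so only the ids could be checked.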
From: Watson Sato Date: Fri, 25 Mar 2022 11:08:35 +0100 Subject: [PATCH 21/23] Ansible: When 'file_regex` is set, only operate on files In rule 'file_permissions_library_dirs', when navigating '/lib', the task finds hardlinks and trips on them: "failed: [rhel9] (item={'path': '/lib/locale/en_AG/LC_COLLATE', 'mode': '0644' .... "msg": "src is required for creating new hardlinks"}" This ensure that the Ansible task acts on regular files, and not on the hardlink or symlinks. --- shared/templates/file_groupowner/ansible.template | 1 + shared/templates/file_owner/ansible.template | 1 + shared/templates/file_permissions/ansible.template | 1 + 3 files changed, 3 insertions(+) diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 8e8bbde440c0..316b89f34f72 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template @@ -24,6 +24,7 @@ file: path: "{{ item.path }}" group: "{{{ FILEGID }}}" + state: file when: item.gid != {{{ FILEGID }}} with_items: - "{{ files_found.files }}" diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index a0d6c51c6139..bf36faca54c7 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template @@ -24,6 +24,7 @@ file: path: "{{ item.path }}" owner: "{{{ FILEUID }}}" + state: file when: item.uid != {{{ FILEUID }}} with_items: - "{{ files_found.files }}" diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 4570ace9471d..80753f4fcf4c 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template @@ -24,6 +24,7 @@ file: path: "{{ item.path }}" mode: "{{{ FILEMODE }}}" + state: file when: item.mode != '{{{ FILEMODE}}}' with_items: - "{{ files_found.files }}" 
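Review bot: `state: file` stops the `file` module from inferring `hard` for multiply-linked entries, but it says nothing about symlinks, and with the module's default `follow: yes` any symlink the preceding `find` task (outside this hunk) might return would have the group change applied to its target, which the commit message says must not happen. Adding `follow: false` next to `state: file` makes that explicit regardless of how the find task is configured, in this hunk and in the file_owner and file_permissions hunks below it. A comment above the line, `# state: file keeps the module from inferring state=hard for files with several hardlinks`, would preserve the reason from the commit message in the template itself.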
From 037056764223a3740fb6702e864e3f2d041a8dba Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Fri, 25 Mar 2022 16:54:54 +0100 Subject: [PATCH 22/23] Define list of excluded users to check as shared variable --- .../oval/shared.xml | 12 ++++-------- .../oval/shared.xml | 12 ++++-------- .../oval/shared.xml | 12 ++++-------- .../oval/shared.xml | 12 ++++-------- .../file_ownership_home_directories/oval/shared.xml | 12 ++++-------- .../oval/shared.xml | 12 ++++-------- shared/macros-oval.jinja | 9 +++++++++ 7 files changed, 33 insertions(+), 48 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml index eb4774983738..180ded56be55 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml @@ -8,22 +8,18 @@ - nobody + .* state_accounts_users_home_files_groupownership_interactive_gids -{{%- if product == 'rhel7' %}} - state_accounts_users_home_files_groupownership_nfsnobody -{{%- endif %}} + state_accounts_users_home_files_groupownership_user_list {{{ gid_min }}} -{{%- if product == 'rhel7' %}} - - nfsnobody + + ^{{{ user_list }}}$ -{{%- endif %}} diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml index 503cc5daf7a9..72becc081297 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml 
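Review bot: The state now matches `^{{{ user_list }}}$`, so it depends on the shared `user_list` in macros-oval.jinja staying a plain alternation with no anchors of its own and never rendering empty; a comment next to the state, `{{# user_list is an unanchored alternation from macros-oval.jinja; the anchors are added here #}}`, would make that contract visible where it is consumed. As a point of naming, both the state suffix `_user_list` and the variable describe a list rather than its purpose; `_excluded_users` would say what the filter does. The same applies to the other shared.xml hunks in this commit; the XML attributes are not visible in this rendering, so the filter action could not be confirmed.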
@@ -8,22 +8,18 @@ - nobody + .* state_accounts_users_home_files_ownership_interactive_uids -{{%- if product == 'rhel7' %}} - state_accounts_users_home_files_ownership_nfsnobody -{{%- endif %}} + state_accounts_users_home_files_ownership_user_list {{{ uid_min }}} -{{%- if product == 'rhel7' %}} - - nfsnobody + + ^{{{ user_list }}}$ -{{%- endif %}} diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml index 1763f789ca47..39128ccea20a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml 
@@ -10,22 +10,18 @@ - nobody + .* state_accounts_users_home_files_permissions_interactive_uids -{{%- if product == 'rhel7' %}} - state_accounts_users_home_files_permissions_nfsnobody -{{%- endif %}} + state_accounts_users_home_files_permissions_user_list {{{ uid_min }}} -{{%- if product == 'rhel7' %}} - - nfsnobody + + ^{{{ user_list }}}$ -{{%- endif %}} - nobody + .* state_file_groupownership_home_directories_interactive_gids - {{%- if product == 'rhel7' %}} - state_file_permissions_groupownership_nfsnobody - {{%- endif %}} + state_file_permissions_groupownership_user_list {{{ gid_min }}} -{{%- if product == 'rhel7' %}} - - nfsnobody + + ^{{{ user_list }}}$ -{{%- endif %}} - nobody + .* state_file_ownership_home_directories_interactive_uids - {{%- if product == 'rhel7' %}} - state_file_ownership_home_directories_nfsnobody - {{%- endif %}} + state_file_ownership_home_directories_user_list - nobody + .* state_file_permissions_home_directories_interactive_uids - {{%- if product == 'rhel7' %}} - state_file_permissions_home_files_permissions_nfsnobody - {{%- endif %}} + state_file_permissions_home_files_permissions_user_list {{{ uid_min }}} -{{%- if product == 'rhel7' %}} - - nfsnobody + + ^{{{ user_list }}}$ -{{%- endif %}} {{%- endmacro %}} + +{{# + User list in form of regex that are excluded when checking user home directory permissions and ownerships. +#}} +{{%- if product in ["rhel7", "ol7"] %}} + {{%- set user_list="(nobody|nfsnobody)" %}} +{{%- else %}} + {{%- set user_list="nobody" %}} +{{%- endif %}} From 9e65821bf540c27907db6baf81b719ef92495748 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 25 Mar 2022 18:51:34 +0100 Subject: [PATCH 23/23] Revert changes from OL8 STIG profile that cause conflict with master. --- products/ol8/profiles/stig.profile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 184e656984d7..039d54af22ca 100644 
--- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -935,11 +935,9 @@ selections: - package_abrt_removed - package_abrt-addon-ccpp_removed - package_abrt-addon-kerneloops_removed - - package_python3-abrt-addon_removed + - package_abrt-addon-python_removed - package_abrt-cli_removed - package_abrt-plugin-sosreport_removed - - package_libreport-plugin-rhtsupport_removed - - package_libreport-plugin-logger_removed # OL08-00-040002 - package_sendmail_removed
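Review bot: Dropping `package_libreport-plugin-rhtsupport_removed` and `package_libreport-plugin-logger_removed` from the OL8 STIG profile appears to remove OL8 STIG coverage of the item preceding the `# OL08-00-040002` marker rather than merely avoiding a merge conflict; if the intent is only to resolve the conflict, re-adding them after the rebase should be tracked. The OL8 OSPP profile changed earlier in this series is not reverted here, so the two OL8 profiles now disagree unless that is intentional. The switch back from `package_python3-abrt-addon_removed` to `package_abrt-addon-python_removed` likewise deserves a note on which package name exists on OL8.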