Update rule to allow special bits in library dirs#8768
This datastream diff is auto generated by the check. Click here to see the full diff.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -2,10 +2,10 @@
-find -H /lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-find -H /lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-find -H /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-find -H /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
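Review bot: With the `-perm /g+w,o+w` test on the new find lines, a setuid or setgid file placed in /lib, /lib64, /usr/lib or /usr/lib64 is no longer reported or remediated by this rule, and nothing in the diff records where that coverage now lives. Narrowing the scope is the stated intent (the polkit-agent-helper-1 conflict in #8500), so the rule's description and rationale should state explicitly that special bits are out of scope here and point at the rule that checks for unauthorized SUID/SGID files, if this product's profiles carry one. The same `-perm` and `chmod` change appears in the ansible hunks below (the `command:` and `mode:` lines), which share this point. A smaller style point: `-exec chmod g-w,o-w {} \;` forks one chmod per match, whereas `-exec chmod g-w,o-w {} +` batches them and is equivalent here; the lines are presumably produced by a shared template that is outside this diff.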
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /lib/ file(s) recursively
- command: find -H /lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /lib/ -perm /g+w,o+w -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
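Review bot: `failed_when: false` on the registered find task means a missing or unreadable directory, or any find error, leaves `files_found.stdout_lines` empty or partial and the follow-on `Set permissions` task silently does nothing for those paths, so the remediation finishes green without having inspected them. That is presumably deliberate so that an absent directory such as /lib64 does not abort the play, but it deserves a comment on the task, e.g. `# find may exit non-zero on a missing dir; an empty result is treated as compliant`. The enclosing play continues outside this hunk, and the find tasks for /lib64, /usr/lib and /usr/lib64 below have the same shape.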
@@ -21,7 +21,7 @@
- name: Set permissions for /lib/ file(s)
file:
path: '{{ item }}'
- mode: u-s,g-ws,o-wt
+ mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -40,7 +40,7 @@
- no_reboot_needed
- name: Find /lib64/ file(s) recursively
- command: find -H /lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /lib64/ -perm /g+w,o+w -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -62,7 +62,7 @@
- name: Set permissions for /lib64/ file(s)
file:
path: '{{ item }}'
- mode: u-s,g-ws,o-wt
+ mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -81,7 +81,7 @@
- no_reboot_needed
- name: Find /usr/lib/ file(s) recursively
- command: find -H /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /usr/lib/ -perm /g+w,o+w -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -103,7 +103,7 @@
- name: Set permissions for /usr/lib/ file(s)
file:
path: '{{ item }}'
- mode: u-s,g-ws,o-wt
+ mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -122,7 +122,7 @@
- no_reboot_needed
- name: Find /usr/lib64/ file(s) recursively
- command: find -H /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /usr/lib64/ -perm /g+w,o+w -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -144,7 +144,7 @@
- name: Set permissions for /usr/lib64/ file(s)
file:
path: '{{ item }}'
- mode: u-s,g-ws,o-wt
+ mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}' |
vojtapolasek
I confirm this works as expected. The rule does not react to changes in suid / sgid bits, it reacts only if there are group or world writable files within designated directories.
Could you please just rebase on master so that tests run properly?
Rule file_permissions_library_dirs is about preventing group-writable or world-writable files in the library dirs. The SUID bits and the sticky bit don't need to be stripped. The default mode of file_permissions is to allow stricter permissions, so this change will make the template ignore the special bits and remove only the 'w' bits from group and others.
@vojtapolasek rebased.
Code Climate has analyzed commit 3bf26b7 and detected 0 issues on this pull request. View more on Code Climate. |
@yuumasato: The following tests failed, say
Description:
Update file_permissions_library_dirs to allow special bits in the library dirs. Remove only the 'w' bits from group and others, e.g.:
find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
Rationale:
Rule file_permissions_library_dirs is about preventing group-writable or world-writable files in the library dirs. The SUID bits and the sticky bit don't need to be stripped.
The default mode of file_permissions is to allow stricter permissions, so this change will make the template ignore the special bits and remove only the 'w' bits from group and others.
rpm_verify_permission and file_permissions_library_dirs conflict - /usr/lib/polkit-1/polkit-agent-helper-1 permissions #8500