Improve audit_rules_privileged_commands #12607
Conversation
This datastream diff is auto generated by the check.

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- oval:ssg-audit_rules_privileged_commands:def:1
+++ oval:ssg-audit_rules_privileged_commands:def:1
@@ -1,9 +1,23 @@
criteria OR
criteria AND
extend_definition oval:ssg-audit_rules_augenrules:def:1
+criteria OR
+criteria AND
+extend_definition oval:ssg-bootc:def:1
+criterion oval:ssg-test_augenrules_all_priv_cmds_covered_bootc:tst:1
+criterion oval:ssg-test_augenrules_count_matches_system_priv_cmds_bootc:tst:1
+criteria AND
+extend_definition oval:ssg-bootc:def:1
criterion oval:ssg-test_augenrules_all_priv_cmds_covered:tst:1
criterion oval:ssg-test_augenrules_count_matches_system_priv_cmds:tst:1
criteria AND
extend_definition oval:ssg-audit_rules_auditctl:def:1
+criteria OR
+criteria AND
+extend_definition oval:ssg-bootc:def:1
criterion oval:ssg-test_auditctl_all_priv_cmds_covered:tst:1
criterion oval:ssg-test_auditctl_count_matches_system_priv_cmds:tst:1
+criteria AND
+extend_definition oval:ssg-bootc:def:1
+criterion oval:ssg-test_auditctl_all_priv_cmds_covered:tst:1
+criterion oval:ssg-test_auditctl_count_matches_system_priv_cmds:tst:1
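Review bot: In the flattened view both arms of each new OR extend oval:ssg-bootc:def:1 (lines "+extend_definition oval:ssg-bootc:def:1" appear before the _bootc tests and again before the standard tests), so unless the second arm carries negate="true" on that extend_definition, the standard augenrules/auditctl tests would only be evaluated on bootc systems and never on a booted host; please confirm the negation is present in the XML, since this diff format does not show it. Separately, the augenrules bootc arm uses dedicated tests (test_augenrules_all_priv_cmds_covered_bootc, test_augenrules_count_matches_system_priv_cmds_bootc) while the auditctl bootc arm reuses the non-bootc tests (test_auditctl_all_priv_cmds_covered, test_auditctl_count_matches_system_priv_cmds); if the auditctl variant also needs a /sysroot-excluding object, those _bootc tests are missing, and if it does not, the auditctl OR has two arms with identical criteria and can be collapsed.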
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
@@ -7,12 +7,10 @@
KEY="privileged"
SYSCALL_GROUPING=""
-FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
-for PARTITION in $PARTITIONS; do
- PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
- for PRIV_CMD in $PRIV_CMDS; do
- OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
+function add_audit_rule()
+{
+ local PRIV_CMD="$1"
+ local OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
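Review bot: The new add_audit_rule() takes the command path as "$1" but still reads KEY and SYSCALL_GROUPING from the enclosing script scope rather than as parameters, which is fine for a generated remediation but worth a one-line comment above the function so a later refactor does not move those assignments below the call sites. Minor style point: `function add_audit_rule()` mixes the ksh `function` keyword with the POSIX `name()` form; `add_audit_rule() {` matches the rest of the remediation code.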
@@ -319,8 +317,23 @@
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
+}
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ PRIV_CMDS=$(find / -perm /6000 -type f -not -path "/sysroot/*" 2>/dev/null)
+ for PRIV_CMD in $PRIV_CMDS; do
+ add_audit_rule $PRIV_CMD
done
-done
+else
+ FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+ PARTITIONS=$(findmnt -n -l -k -it "$FILTER_NODEV" | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+ for PARTITION in $PARTITIONS; do
+ PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
+ for PRIV_CMD in $PRIV_CMDS; do
+ add_audit_rule $PRIV_CMD
+ done
+ done
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done' |
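Review bot: Both call sites pass the path unquoted (`add_audit_rule $PRIV_CMD`), and the `for PRIV_CMD in $PRIV_CMDS` loops word-split the find output, so a setuid file whose path contains whitespace yields a malformed `-F path=` filter; quoting the argument (`add_audit_rule "$PRIV_CMD"`) at least fixes the inner step, and a `find ... -print0 | while read -d ''` loop would fix the split. In the bootc branch, `find / -perm /6000 -type f -not -path "/sysroot/*"` still descends into /sysroot (and into /proc, /sys and /dev, since this branch drops the `-xdev` the standard branch keeps) and only filters the results afterwards; `find / -path /sysroot -prune -o -perm /6000 -type f -print` avoids the walk, and the `2>/dev/null` currently hides any resulting permission errors.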
We need to change this PR because we have discovered that the OVAL doesn't work properly during the We need to examine better how the partitions work during podman build. We need to come up with an OVAL that is customized for this environment. We need to make sure that this OVAL fails before and passes after the remediation. Then, we need to merge in this customized OVAL into the existing OVAL so that the OVAL would work both during the podman build and during evaluation of a booted system.
The rule audit_rules_privileged_commands needs to be adjusted because it doesn't work in bootable containers.

- exclude /sysroot from searching for privileged commands
- include composefs as a valid type of filesystem partition
- apply remediations on the root filesystem during image build

I have changed the OVAL. It now contains a special branch for the bootable containers environment. This code branch searches for the privileged commands in the whole
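The two conditions the OVAL evaluates for this rule (every privileged command has a watch rule, and the number of rules equals the number of privileged commands) and the /sysroot exclusion from the bootc branch, rebuilt as a small POSIX shell check. This is an added example, not code from ComplianceAsCode/content; it works over a constructed directory tree and a constructed rules file so it runs offline without root, and the function names (find_priv_cmds, uncovered_cmds, rule_count, check_privileged_rules) are hypothetical.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode/content code: reproduces the rule's two
# checks and the bootc /sysroot exclusion over a constructed tree.

WORK=$(mktemp -d)
ROOT="$WORK/root"

# Constructed image tree: two setuid binaries in the image, one more under
# /sysroot (which the bootc branch excludes) and one unprivileged binary.
mkdir -p "$ROOT/usr/bin" "$ROOT/sysroot/usr/bin"
for f in "$ROOT/usr/bin/sudo" "$ROOT/usr/bin/passwd" "$ROOT/sysroot/usr/bin/passwd"; do
  : > "$f"
  chmod 4755 "$f"
done
: > "$ROOT/usr/bin/ls"; chmod 0755 "$ROOT/usr/bin/ls"

# Constructed rules file, as augenrules would merge it from /etc/audit/rules.d.
# Only sudo is covered, so the checks below must flag passwd.
RULES="$WORK/privileged.rules"
cat > "$RULES" <<'EOF'
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
EOF

# Privileged (setuid/setgid) regular files under a root, skipping /sysroot,
# printed relative to that root so they match the paths audit rules use.
find_priv_cmds() {
  root="$1"
  find "$root" -perm /6000 -type f ! -path "$root/sysroot/*" 2>/dev/null \
    | sed "s#^$root##" | sort
}

# Privileged commands that have no "-F path=<cmd> -F perm=x" watch rule.
uncovered_cmds() {
  rules="$1"; root="$2"
  find_priv_cmds "$root" | while IFS= read -r cmd; do
    grep -q -- "-F path=$cmd -F perm=x" "$rules" || echo "$cmd"
  done
}

# Number of privileged-command watch rules in the rules file.
rule_count() {
  grep -Ec -- '^-a (always,exit|exit,always) .*-F perm=x' "$1"
}

# Verdict mirroring the OVAL: pass only when nothing is uncovered and the
# rule count equals the privileged-command count (no stale or extra rules).
check_privileged_rules() {
  rules="$1"; root="$2"
  cmd_count=$(find_priv_cmds "$root" | wc -l | tr -d ' ')
  if [ -z "$(uncovered_cmds "$rules" "$root")" ] &&
     [ "$(rule_count "$rules")" -eq "$cmd_count" ]; then
    echo pass
  else
    echo fail
  fi
}

check_privileged_rules "$RULES" "$ROOT"   # fail: /usr/bin/passwd is uncovered
```

Appending a watch rule for /usr/bin/passwd to the constructed rules file turns the verdict into pass, while /sysroot/usr/bin/passwd never enters the count, which is the behaviour the bootc branch of the OVAL needs.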
Code Climate has analyzed commit 4db5e72 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate.
I tested the rule with CS9 bootc container and CIS profile and both OVAL check and Bash remediation seem to work correctly.
I also tested the modified OVAL and Bash remediation on a standard system using automatus test scenarios:
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_rules_multiple_partitions.fail.sh using profile (all) OK
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
Merged commit e6e8b73 into ComplianceAsCode:master