Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix failing file_permissions_crontab #12807

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix failing file_permissions_crontab #12807

wants to merge 1 commit into from
+5 −2

Conversation

jan-cerny
Copy link
Collaborator

The rule file_permissions_crontab fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of /etc/crontab is 0640 but the rule expects the mode of this file should be 0600. The rule passed during the container image build process because the file /etc/crontab didn't exist. The root cause is that the cronie RPM package that provides /etc/crontab is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rule package_cron_installed to the profile which will install the cronie package before oscap and then it will change the /etc/crontab mode during remediation.

@jan-cerny jan-cerny added Image Mode Bootable containers and Image Mode RHEL pci-dss labels Jan 10, 2025
@jan-cerny jan-cerny added this to the 0.1.76 milestone Jan 10, 2025
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@jan-cerny
Fix failing file_permissions_crontab
2a2daf9 
The rule `file_permissions_crontab` fails in a scan performed after
deployment of a CentOS Stream 9 bootable container image hardened
with the PCI-DSS profile. The HTML report shows that the mode of
`/etc/crontab` is `0640` but the rule expects the mode of this
file should be `0600`. The rule passed during the container image
build process because the file `/etc/crontab` didn't exist. The root
cause is that the `cronie` RPM package that provides `/etc/crontab`
is neither present in the CS 9 base image nor it's installed as
a dependency of the PCI-DSS profile. We will fix this problem
by including the rule `package_cron_installed` to the profile
which will install the `cronie` package before `oscap` and then
it will change the `/etc/crontab` mode during remediation.
@vojtapolasek vojtapolasek self-assigned this Jan 10, 2025
@codeclimate CodeClimate
Copy link

codeclimate bot commented Jan 10, 2025

Code Climate has analyzed commit 2a2daf9 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.8% (0.0% change).

View more on Code Climate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@vojtapolasek vojtapolasek

Labels
Image Mode Bootable containers and Image Mode RHEL pci-dss
Projects
None yet
Milestone
0.1.76
Development

Successfully merging this pull request may close these issues.
2 participants
@jan-cerny @vojtapolasek