From c2d27006f11da3861c976fc96609c5a1b0655ac7 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 17 Nov 2023 13:15:49 +0100 Subject: [PATCH 01/22] Improve OVAL readability in file_permissions_ungroupowned The changes were only about style. No logic was changed. Also removed outdated comments. --- .../oval/shared.xml | 54 ++++++++----------- 1 file changed, 23 insertions(+), 31 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml index db76acb4e7d..9617f2a9964 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml @@ -1,51 +1,43 @@ - + {{{ oval_metadata("All files should be owned by a group") }}} - + - - - + + + - - + + + - + - + / .* state_file_permissions_ungroupowned + - /etc/group - ^[^:]+:[^:]*:([\d]+):[^:]*$ - 1 + /etc/group + ^[^:]+:[^:]*:([\d]+):[^:]*$ + 1 - - - + + + From 7bf0f7597711af2747895170a7a201c53c10aa39 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 17 Nov 2023 14:20:34 +0100 Subject: [PATCH 02/22] Refactor OVAL in file_permissions_ungroupowned Optimized the file probe by ignoring pseudo and remote file systems. This will bring performance improvements and also likely reduce the memory consumed by the scanner tool. The test was not changed but only the number of objects to be tested. --- .../oval/shared.xml | 80 ++++++++++++------- 1 file changed, 52 insertions(+), 28 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml index 9617f2a9964..13872dbc788 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml 
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml @@ -3,41 +3,65 @@ {{{ oval_metadata("All files should be owned by a group") }}} + comment="Check all local files and make sure they are owned by a group"/> - - - - - - - - - - - - / - .* - state_file_permissions_ungroupowned - - - + + /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 - - + + + + + + + + + + + ^/dev/.*$ + + + + + .* + state_file_permissions_ungroupowned_dev_partitons + + + + + + + + + + + .* + state_file_permissions_ungroupowned_local_group_owner + + + + + From 634f830aa8c0d4323d9f12f646333e4b443654b8 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 23 Nov 2023 11:24:38 +0100 Subject: [PATCH 03/22] Introduce OVAL macro to map local mount points This macro is expected to be used in many rules that need to check file properties in the whole system. The nature of these rules is to consume a lot of resources. This macro optimize the efficiency of these rules by avoiding remote file systems as well as special file systems, like /proc, /sys, etc. --- shared/macros/10-oval.jinja | 49 +++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 2c7c6560b47..a3ef9910a09 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1176,6 +1176,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Extract from /etc/passwd a list of specified fields of local interactive users. The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. 
@@ -1231,6 +1232,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Extract from /etc/passwd a list of home directories of local interactive users. The list contains only items related to non-system UIDs and is filtered to exclude some special usernames and users with /sbin/nologin shell. @@ -1287,6 +1289,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo second_literal_component_regex=":)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$") }}} {{%- endmacro %}} + {{# Extract from /etc/passwd a list composed of password objects related to system UIDs. This list is then filtered to exclude some special usernames. @@ -1316,6 +1319,51 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} +{{# + Check the system partition table and create a list of mount points referring to devices in /dev. + The filtered list of mount_points is stored in a local variable to be used in the "path" + parameter of "file_object" objects. + + When using this variable in the "path" parameter of a "file_object" also make sure the + "recurse_file_system" parameter is set to "defined" in order to make sure the probe doesn't + leave the scope of that mount point. For example, when probing "/", the probe will ignore any + child directory which is a mount point for any other partition. Check the + "file_permissions_ungroupowned" rule for a reference. + + Using this filtered list of mount points should increate performance and optimize resources + by skipping the check of a lot unnecessary file objects. + + The macro receives a string as parameter, which is used as the local_variable id in the rule. + +:param variable_id: Variable id to be created. +:type variable_id: str + +#}} +{{%- macro create_local_mount_points_list(variable_id) -%}} + + + ^/dev/.*$ + + + + + .* + state_{{{ rule_id }}}_dev_partitons + + + + + + +{{%- endmacro %}} + + {{%- macro mount_active_criterion(path) %}} 
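Review bot: the doc comment and the state id of the new `create_local_mount_points_list` macro carry typos: "should increate performance" should be "should increase performance", "a lot unnecessary file objects" should be "a lot of unnecessary file objects", and `state_{{{ rule_id }}}_dev_partitons` should be `state_{{{ rule_id }}}_dev_partitions` (the same misspelling appears in the patch 02 state id `state_file_permissions_ungroupowned_dev_partitons` that this macro replaces). Separately, the macro takes `variable_id` as its only parameter but derives the state id from the global `rule_id`, so two calls within one rule would emit duplicate state ids; deriving the state id from `variable_id` as well keeps the macro self-contained.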
@@ -1357,6 +1405,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Generates an OVAL check that checks a particular field in the "/etc/shadow" file. From f8f4dd1564d1eef5aaca16bf84cb81e4090a53f3 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 23 Nov 2023 11:52:45 +0100 Subject: [PATCH 04/22] Adopt new macro in file_permissions_ungroupowned Updated the OVAL to use the create_local_mount_points_list macro. --- .../oval/shared.xml | 23 +++---------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml index 13872dbc788..b7839d0de26 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml @@ -24,25 +24,8 @@ - - - ^/dev/.*$ - - - - - .* - state_file_permissions_ungroupowned_dev_partitons - - - - - - + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + true + - - + + / ^.*$ state_file_permissions_unauthorized_suid_suid_set - state_file_permissions_unauthorized_suid_filepaths - - + + + + + + + .* .* .* .* .* - + - - - / - ^.*$ - state_file_permissions_unauthorized_suid_suid_set - + + + + - - true - - + - - - + + + + + + + / + ^.*$ + state_file_permissions_unauthorized_suid_suid_set + state_file_permissions_unauthorized_suid_filepaths + - - - From 5089cb0aa9b5f4fb4a7000ca1fc100c40548a89c Mon Sep 17 00:00:00 2001 
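Review bot: every rule adopting the macro has to repeat the same two-line preamble, `{{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}` followed by `{{{ create_local_mount_points_list(var_local_mount_points) }}}`, as this file_permissions_ungroupowned hunk (patch 04) does. Since the macro already relies on `rule_id` for its state id, it could derive the variable id from `rule_id` itself and document the resulting `var_<rule_id>_local_mountpoints` name, so that callers only reference it in the `file_object` path and cannot drift in how they name it.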
From: Marcus Burghardt Date: Wed, 29 Nov 2023 13:02:17 +0100 Subject: [PATCH 09/22] Refactor OVAL check to not collect same objects twice The OVAL was specifying the same file_object twice while the second object had just an extra filter. The OVAL test was changed to use variables which are constructed based on already collected objects. --- .../oval/shared.xml | 45 +++++++++---------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml index 07ebb9f05c6..68f2d7788f7 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml @@ -12,7 +12,7 @@ true - @@ -24,11 +24,11 @@ + object_ref="object_file_permissions_unauthorized_suid_all_suid_files"/> - - + @@ -43,31 +43,26 @@ + datatype="string" comment="all files with suid set that are managed by a RPM package"> + object_ref="object_file_permissions_unauthorized_suid_rpms"/> - - - + + - + - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid_suid_set - state_file_permissions_unauthorized_suid_filepaths - + + + var_file_permissions_unauthorized_suid_all_suid_files + state_file_permissions_unauthorized_suid_rpm_filepaths + + + + From 3963ecfad4fd7a665707061d573460f598d6253c Mon Sep 17 00:00:00 2001 
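Review bot: the comment on the new RPM variable in patch 09 reads "that are managed by a RPM package"; use "an RPM package". More importantly, the filtered object now takes its path from `var_file_permissions_unauthorized_suid_all_suid_files` instead of walking `/` a second time; an object whose path variable resolves to no values is typically flagged by the scanner as not existing rather than collected as an empty set, so please confirm the test's check_existence still yields the intended result in a scenario with no SUID files, a case the previous two-object form handled by simply collecting nothing.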
From: Marcus Burghardt Date: Wed, 29 Nov 2023 15:36:18 +0100 Subject: [PATCH 10/22] Adopt new macro in file_permissions_unauthorized_suid Updated the OVAL to use the create_local_mount_points_list macro. This commit completes the improvements in file_permissions_unauthorized_suid rule. To have some idea of the gains, in a testing VM was created about 500.000 files and executed the OVAL check before and after the improvements. The assessment time was reduced from 2:25 to 1:45. --- .../oval/shared.xml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml index 68f2d7788f7..74a4730af49 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml @@ -8,17 +8,26 @@ - + true + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + - / + recurse_file_system="defined"/> + ^.*$ - state_file_permissions_unauthorized_suid_suid_set + state_file_permissions_unauthorized_suid_set Date: Thu, 30 Nov 2023 11:01:21 +0100 Subject: [PATCH 11/22] Improve rule description in file_permissions_unauthorized_sgid Also include warning about high consume of system resources in some scenarios. --- .../rule.yml | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index b3e2a1a009b..b111eb829b2 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml 
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml 
@@ -5,22 +5,19 @@ title: 'Ensure All SGID Executables Are Authorized' prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 description: |- - The SGID (set group id) bit should be set only on files that were - installed via authorized means. A straightforward means of identifying - unauthorized SGID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SGID files. - This configuration check considers authorized SGID files which were installed via RPM. - It is assumed that when an individual has sudo access to install an RPM - and all packages are signed with an organizationally-recognized GPG key, - the software should be considered an approved package on the system. - Any SGID file not deployed through an RPM will be flagged for further review. + The SGID (set group id) bit should be set only on files that were installed via authorized + means. A straightforward means of identifying unauthorized SGID files is determine if any were + not installed as part of an RPM package, which is cryptographically verified. Investigate the + origin of any unpackaged SGID files. This configuration check considers authorized SGID files + those which were installed via RPM. It is assumed that when an individual has sudo access to + install an RPM and all packages are signed with an organizationally-recognized GPG key, the + software should be considered an approved package on the system. Any SGID file not deployed + through an RPM will be flagged for further review. rationale: |- - Executable files with the SGID permission run with the privileges of - the owner of the file. SGID files of uncertain provenance could allow for - unprivileged users to elevate privileges. The presence of these files should be - strictly controlled on the system. + Executable files with the SGID permission run with the privileges of the owner of the file. 
+ SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. + The presence of these files should be strictly controlled on the system. severity: medium @@ -52,3 +49,10 @@ ocil_clause: 'there is output' ocil: |- To find SGID files, run the following command:
$ sudo find / -xdev -type f -perm -2000
+ +warnings: + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of files present on the system. It is not a + problem in most cases, but especially systems with a large number of files can be affected. + See https://access.redhat.com/articles/6999111. From b2589cf2d7d60be1f607953cccfadb40054a2194 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 11:13:00 +0100 Subject: [PATCH 12/22] Refactor OVAL in file_permissions_unauthorized_sgid Adopted the create_local_mount_points_list macro. Also aligned the rule logic to the file_permissions_unauthorized_suid rule. --- .../oval/shared.xml | 88 ++++++++++++------- 1 file changed, 56 insertions(+), 32 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml index b932ac038b7..2537be2633e 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml @@ -1,53 +1,77 @@ - + {{{ oval_metadata("Evaluates to true if all files with SGID set are owned by RPM packages.") }}} - + - - - + + + true + - - - / + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + + + + ^.*$ - state_file_permissions_unauthorized_sgid_sgid_set - state_file_permissions_unauthorized_sgid_filepaths + state_file_permissions_unauthorized_sgid_set - - + + + + + + + .* .* .* .* .* - + - - - / - ^.*$ - state_file_permissions_unauthorized_sgid_sgid_set - - - - true - + + + + - - - + + + + - - - + + + var_file_permissions_unauthorized_sgid_all_sgid_files + state_file_permissions_unauthorized_sgid_rpm_filepaths + - - - + + + 
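Review bot: the reflowed rationale in the file_permissions_unauthorized_sgid rule.yml keeps a factual slip worth fixing while the paragraph is being touched: SGID executables run with the privileges of the file's group, not "the privileges of the owner of the file", so the sentence should read "run with the privileges of the group that owns the file". In the description, "is determine if any were not installed" should be "is to determine whether any were not installed". The OCIL command `$ sudo find / -xdev -type f -perm -2000` only searches the root filesystem, whereas the OVAL in this series checks every local mount point; either adjust the wording or instruct the reader to run the command once per mount point, as patch 21 does for no_files_unowned_by_user. Finally, the new warning paragraph is pasted verbatim into several rule.yml files in this series; a shared jinja snippet would keep it in one place, and "It is not a problem in most cases, but especially systems with a large number of files can be affected" reads better as "This is not a problem in most cases, but systems with a very large number of files can be affected".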
From c862b13e9cfbb6de8319f40212a66031b11d6baf Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 11:41:44 +0100 Subject: [PATCH 13/22] Improve rule description in file_permissions_unauthorized_world_writable Also include warning about high consume of system resources in some scenarios. --- .../rule.yml | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml index c873f1bcdc2..579148fb620 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml 
@@ -3,20 +3,16 @@ documentation_complete: true title: 'Ensure No World-Writable Files Exist' description: |- - It is generally a good idea to remove global (other) write - access to a file when it is discovered. However, check with - documentation for specific applications before making changes. - Also, monitor for recurring world-writable files, as these may be - symptoms of a misconfigured application or user account. Finally, - this applies to real files and not virtual files that are a part of - pseudo file systems such as sysfs or procfs. + It is generally a good idea to remove global (other) write access to a file when it is + discovered. However, check with documentation for specific applications before making changes. + Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured + application or user account. Finally, this applies to real files and not virtual files that + are a part of pseudo file systems such as sysfs or procfs. rationale: |- - Data in world-writable files can be modified by any - user on the system. In almost all circumstances, files can be - configured using a combination of user and group permissions to - support whatever legitimate access is needed without the risk - caused by world-writable files. + Data in world-writable files can be modified by any user on the system. In almost all + circumstances, files can be configured using a combination of user and group permissions to + support whatever legitimate access is needed without the risk caused by world-writable files. severity: medium @@ -53,3 +49,10 @@ ocil_clause: 'there is output' ocil: |- To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
+ +warnings: + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of files present on the system. It is not a + problem in most cases, but especially systems with a large number of files can be affected. + See https://access.redhat.com/articles/6999111. From d8bbe7fb4714245beeba151b08235fa29d5bd532 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 11:42:48 +0100 Subject: [PATCH 14/22] Refactor OVAL in file_permissions_unauthorized_world_writable Adopted the create_local_mount_points_list macro. Removed unnecessary filters already considered by the macro. --- .../oval/shared.xml | 61 +++++++++++-------- 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml index dcb000af747..837a3f35aae 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml 
@@ -1,38 +1,45 @@ - + {{{ oval_metadata("The world-write permission should be disabled for all files.") }}} - + - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_world_write - - state_file_permissions_unauthorized_world_write_exclude_special_selinux_files - state_file_permissions_unauthorized_world_write_exclude_proc - state_file_permissions_unauthorized_world_write_exclude_sys - + regular true - - ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ - - - ^/proc/.*$ - - - ^/sys/.*$ + + + ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ + + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + + + + + ^.*$ + state_file_permissions_unauthorized_world_write + state_file_permissions_unauthorized_world_write_special_selinux_files + + + + + From 509f3247fd04bc115ebeaf6cfc57e08b19ecb410 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 11:54:37 +0100 Subject: [PATCH 15/22] Improve Bash in file_permissions_unauthorized_world_writable Aligned the Bash remediation to the OVAL check. --- .../bash/shared.sh | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh index 63bc3c40a5a..e5da4aa037c 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh 
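Review bot: the commit message says the filters already covered by the macro were removed, and the `^/proc/.*$` and `^/sys/.*$` states are indeed gone, but the `^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$` state is kept as `state_file_permissions_unauthorized_world_write_special_selinux_files`. Those paths live on a separate selinuxfs mount, which is not a /dev-backed partition and which a probe with `recurse_file_system="defined"` never enters from `/`, so by the same reasoning this filter is redundant too; either remove it for consistency or add a comment explaining why it is retained as defence in depth.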
@@ -1,3 +1,16 @@ # platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low -find / -xdev -type f -perm -002 -exec chmod o-w {} \; +FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) +PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }') +for PARTITION in $PARTITIONS; do + find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null +done + +# Ensure /tmp is also fixed whem tmpfs is used. +if grep "^tmpfs /tmp" /proc/mounts; then + find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null +fi From 7d0a19d29ccf47508f08619b6b0ad1ed8584e458 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:01:10 +0100 Subject: [PATCH 16/22] Improve rule description in dir_perms_world_writable_system_owned Also include warning about high consume of system resources in some scenarios. --- .../rule.yml | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml index 35c1760145b..e49eab1d194 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml 
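Review bot: `grep "^tmpfs /tmp" /proc/mounts` in the new /tmp special case prints the matching line into the remediation output and also matches mount points such as `/tmpdata`; use `grep -q "^tmpfs /tmp " /proc/mounts`. The comment "whem tmpfs is used" should read "when tmpfs is used", and it would help to state why the special case exists: tmpfs is a nodev filesystem, so `FILTER_NODEV` drops it from `PARTITIONS`. Given that this series is about scan cost, `-exec chmod o-w {} \;` forks one chmod per file, while `-exec chmod o-w {} +` batches them. Lastly, `2>/dev/null` on both find calls hides real errors (unreadable directories, read-only mounts) that an operator would want to see in the remediation log.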
@@ -5,18 +5,15 @@ prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 title: 'Ensure All World-Writable Directories Are Owned by a System Account' description: |- - All directories in local partitions which are - world-writable should be owned by root or another - system account. If any world-writable directories are not - owned by a system account, this should be investigated. - Following this, the files should be deleted or assigned to an + All directories in local partitions which are world-writable should be owned by root or + another system account. If any world-writable directories are not owned by a system account, + this should be investigated. Following this, the files should be deleted or assigned to an appropriate owner. rationale: |- - Allowing a user account to own a world-writable directory is - undesirable because it allows the owner of that directory to remove - or replace any files that may be placed in the directory by other - users. + Allowing a user account to own a world-writable directory is undesirable because it allows the + owner of that directory to remove or replace any files that may be placed in the directory by + other users. severity: medium @@ -40,7 +37,14 @@ references: ocil_clause: 'there is output' ocil: |- - The following command will discover and print world-writable directories that - are not owned by a system account, given the assumption that only system - accounts have a uid lower than 500. Run it once for each local partition PART: -
$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print
+ The following command will discover and print world-writable directories that are not owned by + a system account, given the assumption that only system accounts have a uid lower than 500. + Run it once for each local partition PART: +
$ sudo find PART -xdev -type d -perm -0002 -uid +{{{ uid_min }}} -print
+ +warnings: + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of directories present on the system. It is + not a problem in most cases, but especially systems with a large number of directories can + be affected. See https://access.redhat.com/articles/6999111. From e8894c8535ec5adb7b650d6f9a50808a7ca2d09c Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:02:36 +0100 Subject: [PATCH 17/22] Refactor OVAL in dir_perms_world_writable_system_owned Adopted the create_local_mount_points_list macro. Simplified the test logic by removing the "negate" attribute. --- .../oval/shared.xml | 50 +++++++++++++------ 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml index 8b03bfe0ec0..52ca19abd2b 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml @@ -1,22 +1,40 @@ - - {{{ oval_metadata("All world writable directories should be owned by a system user.") }}} - - + + {{{ oval_metadata("All world writable directories should be owned by a system account.") }}} + + - - - - - - - / - - state_uid_is_user_and_world_writable - - - {{{ auid }}} + + + {{{ uid_min }}} true + + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + + + + + + state_dir_perms_world_writable_system_owned + + + + + From 0f5832c35c6e165eb93f8027c4414a16b6d26b09 Mon Sep 17 00:00:00 2001 
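Review bot: the OCIL text and command in the dir_perms_world_writable_system_owned hunk no longer agree: the prose still says "only system accounts have a uid lower than 500" while the command now uses `-uid +{{{ uid_min }}}`, so the prose should reference `{{{ uid_min }}}` too. There is also an off-by-one: the old `-uid +499` matched uids of 500 and above, but `-uid +{{{ uid_min }}}` matches only uids strictly greater than uid_min, so a directory owned by the first regular user (uid equal to uid_min) is no longer reported; the threshold passed to `-uid +` should be uid_min minus one.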
From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:20:12 +0100 Subject: [PATCH 18/22] Improve rule description in dir_perms_world_writable_sticky_bits Also include warning about high consume of system resources in some scenarios. --- .../rule.yml | 40 ++++++++++--------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml index 313a1b29ba8..fa48b62f9c9 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml 
@@ -3,30 +3,25 @@ documentation_complete: true title: 'Verify that All World-Writable Directories Have Sticky Bits Set' description: |- - When the so-called 'sticky bit' is set on a directory, - only the owner of a given file may remove that file from the - directory. Without the sticky bit, any user with write access to a - directory may remove any file in the directory. Setting the sticky - bit prevents users from removing each other's files. In cases where - there is no reason for a directory to be world-writable, a better - solution is to remove that permission rather than to set the sticky - bit. However, if a directory is used by a particular application, - consult that application's documentation instead of blindly - changing modes. + When the so-called 'sticky bit' is set on a directory, only the owner of a given file may + remove that file from the directory. Without the sticky bit, any user with write access to a + directory may remove any file in the directory. Setting the sticky bit prevents users from + removing each other's files. In cases where there is no reason for a directory to be + world-writable, a better solution is to remove that permission rather than to set the sticky + bit. However, if a directory is used by a particular application, consult that application's + documentation instead of blindly changing modes.
- To set the sticky bit on a world-writable directory DIR, run the - following command: + To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
rationale: |- - Failing to set the sticky bit on public directories allows unauthorized - users to delete files in the directory structure. + Failing to set the sticky bit on public directories allows unauthorized users to delete files + in the directory structure.

- The only authorized public directories are those temporary directories - supplied with the system, or those designed to be temporary file - repositories. The setting is normally reserved for directories used by the - system, by users for temporary file storage (such as /tmp), and - for directories requiring global read/write access. + The only authorized public directories are those temporary directories supplied with the + system, or those designed to be temporary file repositories. The setting is normally reserved + for directories used by the system, by users for temporary file storage (such as /tmp), + and for directories requiring global read/write access. severity: medium @@ -102,3 +97,10 @@ fixtext: |- srg_requirement: A sticky bit must be set on all {{{ full_name }}} public directories to prevent unauthorized and unintended information transferred via shared system resources. + +warnings: + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of directories present on the system. It is + not a problem in most cases, but especially systems with a large number of directories can + be affected. See https://access.redhat.com/articles/6999111. From ac35fb211d9700cb2115786f9337decc3c7b1f0b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:21:02 +0100 Subject: [PATCH 19/22] Refactor OVAL in dir_perms_world_writable_sticky_bits Adopted the create_local_mount_points_list macro. Simplified the test logic by removing the "negate" attribute. Improved readability. --- .../oval/shared.xml | 43 +++++++++++++------ 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml index e36015f316f..3f4854e675a 100644 
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml @@ -1,22 +1,39 @@ - + {{{ oval_metadata("The sticky bit should be set for all world-writable directories.") }}} - + - - - - - - - / - - state_world_writable_and_not_sticky - - + + false true + + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + + + + + + state_dir_perms_world_writable_sticky_bits + + + + + From e1a106bdca6f320ef5062ee9bdf9390261c2fb5f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:26:18 +0100 Subject: [PATCH 20/22] Fix test scenario comment in alignment to the commands --- .../dir_perms_world_writable_sticky_bits/tests/correct.pass.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/tests/correct.pass.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/tests/correct.pass.sh index ca2c7cb821c..42b6a64709e 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/tests/correct.pass.sh +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/tests/correct.pass.sh @@ -10,6 +10,6 @@ df --local -P | awk '{if (NR!=1) print $6}' \ mkdir -p /test_dir_1 chmod 1770 /test_dir_1 -# Create a new dir that is word-writable but doesn't have sticky bit +# Create a new dir that is word-readable and doesn't have sticky bit mkdir -p /test_dir_2 chmod 0774 /test_dir_2 From 57c541e33c9b1cfe085fb47988979dee750a8c84 Mon Sep 17 00:00:00 2001 
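Review bot: the corrected comment in correct.pass.sh still contains a typo: "word-readable" should be "world-readable" (the original line had the same "word" misspelling). With `chmod 0774` the directory is world-readable but not world-writable, so "world-readable and doesn't have sticky bit" is the right description; it would also help to note that this is exactly why the rule is expected to pass for it.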
From: Marcus Burghardt Date: Thu, 30 Nov 2023 13:43:28 +0100 Subject: [PATCH 21/22] Improve rule description in no_files_unowned_by_user Also update the warning about high consumption of system resources in some scenarios. --- .../files/no_files_unowned_by_user/rule.yml | 55 ++++++++++--------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index 11ed3b37e7a..9e701ea1b71 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -5,24 +5,22 @@ prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu20 title: 'Ensure All Files Are Owned by a User' description: |- - If any files are not owned by a user, then the - cause of their lack of ownership should be investigated. - Following this, the files should be deleted or assigned to an - appropriate user. The following command will discover and print - any files on local partitions which do not belong to a valid user: -
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
- To search all filesystems on a system including network mounted - filesystems the following command can be run manually for each partition: -
$ sudo find PARTITION -xdev -nouser
+ If any files are not owned by a user, then the cause of their lack of ownership should be + investigated. Following this, the files should be deleted or assigned to an appropriate user. + + Locate the mount points related to local devices by the following command: +
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+ + For all mount points listed by the previous command, it is necessary to search for files which + do not belong to a valid user using the following command: +
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
rationale: |- - Unowned files do not directly imply a security problem, but they are generally - a sign that something is amiss. They may - be caused by an intruder, by incorrect software installation or - draft software removal, or by failure to remove all files belonging - to a deleted account. The files should be repaired so they - will not cause problems when accounts are created in the future, - and the cause should be discovered and addressed. + Unowned files do not directly imply a security problem, but they are generally a sign that + something is amiss. They may be caused by an intruder, by incorrect software installation or + draft software removal, or by failure to remove all files belonging to a deleted account, or + other similar cases. The files should be repaired so they will not cause problems when + accounts are created in the future, and the cause should be discovered and addressed. severity: medium @@ -67,14 +65,15 @@ platform: machine ocil_clause: 'files exist that are not owned by a valid user' ocil: |- - The following command will discover and print any - files on local partitions which do not belong to a valid user. -
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
-

- Either remove all files and directories from the system that do not have a - valid user, or assign a valid user to all unowned files and directories on - the system with the chown command: -
$ sudo chown user file
+ The following command will locate the mount points related to local devices: +
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+ + The following command will show files which do not belong to a valid user: +
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
+ + Replace MOUNTPOINT by the mount points listed by the fist command. + + No files without a valid user should be located. fixtext: |- Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on {{{ full_name }}} with the "chown" command: @@ -89,6 +88,8 @@ warnings: so that running the command
getent passwd
returns a list of all users in your organization. If using the System Security Services Daemon (SSSD),
enumerate = true
must be configured in your organization's domain to return a complete list of users - - performance: |- - Enabling this rule will result in slower scan times depending on the size of your organization - and number of centralized users. + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of files present on the system. It is not a + problem in most cases, but especially systems with a large number of files can be affected. + See https://access.redhat.com/articles/6999111. From 1269df02d97472bf5c1e566c9c3ee145acb7fbec Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 14:00:17 +0100 Subject: [PATCH 22/22] Refactor OVAL in no_files_unowned_by_user Adopted the create_local_mount_points_list macro. Improved the OVAL readability. --- .../no_files_unowned_by_user/oval/shared.xml | 55 ++++++++++++------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml index abcec8f34b2..4cfae8816a1 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml @@ -1,34 +1,49 @@ - + {{{ oval_metadata("All files should be owned by a user") }}} - + - - - + + + .* + - - + + - - .* - + + + - - - / + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} + {{{ create_local_mount_points_list(var_local_mount_points) }}} + + + + + .* - file_permissions_unowned_userid_list_match + state_no_files_unowned_by_user_uids_list - - - + + + -