Add new templated rules for System.map files #11640
Updated rule description and used the file_permissions template.
The file_permissions_systemmap rule is using the file_permissions template, which can't safely manage test scenarios with regex.
Rules related to System.map files are now complete. The file_permissions_systemmap rule was also removed from the "default" profile for RHEL products since it is now included in the ANSSI control file.
This datastream diff is auto-generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -1,17 +1,23 @@
[title]:
-Verify that local System.map file (if exists) is readable only by root
+Verify Permissions on System.map Files
[description]:
-Files containing sensitive informations should be protected by restrictive
- permissions. Most of the time, there is no need that these files need to be read by any non-root user
+The System.map files are symbol map files generated during the compilation of the Linux
+kernel. They contain the mapping between kernel symbols and their corresponding memory
+addresses. In general, there is no need for non-root users to read these files.
-To properly set the permissions of /boot/System.map-*, run the command:
-$ sudo chmod 0600 /boot/System.map-*
+
+To properly set the permissions of /boot/System.map*, run the command:
+$ sudo chmod 0600 /boot/System.map*
+
+[reference]:
+R29
[rationale]:
-The System.map file contains information about kernel symbols and
- can give some hints to generate local exploitation.
+The purpose of System.map files is primarily for debugging and profiling the kernel.
+Unrestricted access to these files might disclose information useful to attackers and
+malicious software leading to more sophisticated exploitation.
[ident]:
CCE-82892-1
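Review bot: the path pattern changes from `/boot/System.map-*` to `/boot/System.map*` in both the description and the chmod command, so the documented set now also includes a plain `/boot/System.map` file; make sure the regex the file_permissions template generates matches exactly that set so the prose and the OVAL check agree, and that the multiple-file test scenarios cover both name forms. The new `[reference]: R29` entry is what backs the ANSSI R29 "partial" to "automated" change stated in the PR description, so keep it consistent with the ANSSI control file.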
OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- oval:ssg-file_permissions_systemmap:def:1
+++ oval:ssg-file_permissions_systemmap:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_permissions_systemmap_files:tst:1
+criterion oval:ssg-test_file_permissions_systemmap_0:tst:1
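Review bot: the hand-written criterion `oval:ssg-test_permissions_systemmap_files:tst:1` is replaced by the template-generated `oval:ssg-test_file_permissions_systemmap_0:tst:1`; the `_0` suffix is the index of the first (and here only) file entry of the template, so confirm that nothing else in the content still references the old test id and that a single entry is really all the template needs to cover the `System.map*` glob.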
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the permissions of /boot/Sysem.map-*,
+To check the permissions of /boot/System.map*,
run the command:
-$ ls -l /boot/Sysem.map-*
+$ ls -l /boot/System.map*
If properly configured, the output should indicate the following permissions:
-rw-------
- Is it the case that ?
+ Is it the case that /boot/System.map* does not have unix mode -rw-------?
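Review bot: the new question `Is it the case that /boot/System.map* does not have unix mode -rw-------?` would make a manual auditor flag a stricter mode such as `-r--------`, while the automated check is expected to pass there (the automatus run in this PR lists stricter_permisions.pass.sh as OK); consider phrasing the question as "has unix mode more permissive than -rw-------" so the manual and automated results agree. The correction of `Sysem.map` to `System.map` in both the sentence and the `ls -l` command is right.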
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
🤖 A k8s content image for this PR is available.
I observed that there is no
I have run them locally and they have passed. Also, I have reviewed the code.
jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1604/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1609/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
Co-authored-by: Jan Černý <[email protected]>
0807a5f to 87e45d2
Code Climate has analyzed commit 87e45d2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.8% (0.0% change).
/retest
Description:
There was the file_permissions_systemmap rule but it didn't have remediation or test scenarios. Following the standard for other similar files, three specific templated rules were created to deal with file permissions, ownership and group-ownership:
These three rules also allow us to change the status of ANSSI R29 from partial to automated.
Rationale:
More granular rules for System.map files
Better alignment with ANSSI.
Review Hints:
Since these are templated rules, automatus tests should be enough.
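As an added example, not code from the ComplianceAsCode project or this PR, here is a single POSIX shell audit that mirrors what the three templated System.map rules check: every /boot/System.map* file must be owned by root:root with mode 0600 or stricter, and the check passes when no such file exists. It assumes GNU stat; the directory, owner and group arguments are parameters added so it can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: one local audit mirroring the three
# templated System.map rules (permissions, owner, group owner). Assumes GNU stat.
#
# Usage: check_systemmap_files [dir] [owner] [group]   (defaults: /boot root root)
# Returns 0 when every matching file complies, or when no file matches at all
# (the templated rules also pass when the file is absent); returns 1 otherwise.
check_systemmap_files() {
    dir=${1:-/boot}
    want_owner=${2:-root}
    want_group=${3:-root}
    rc=0
    for f in "$dir"/System.map*; do
        # An unmatched glob stays literal; skipping it makes a missing file pass.
        if [ ! -e "$f" ]; then
            continue
        fi
        # %a octal mode, %U owner name, %G group name (GNU coreutils stat)
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1
        owner=$2
        group=$3
        # The leading 0 makes the shell read the mode as octal. Mask 07177 covers
        # setuid/setgid/sticky, owner execute and every group/other bit: if any of
        # them is set the file is more permissive than 0600 (0400 still passes).
        if [ $(( 0$mode & 07177 )) -ne 0 ]; then
            echo "FAIL permissions: $f has mode $mode, expected 0600 or stricter"
            rc=1
        fi
        if [ "$owner" != "$want_owner" ]; then
            echo "FAIL owner: $f is owned by $owner, expected $want_owner"
            rc=1
        fi
        if [ "$group" != "$want_group" ]; then
            echo "FAIL group owner: $f has group $group, expected $want_group"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the real /boot. Remediation is the command from the
# rule description: chmod 0600 /boot/System.map* (plus chown root:root).
if check_systemmap_files; then
    echo "PASS: every System.map file complies, or none is present"
else
    echo "FAIL: see the messages above"
fi
```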