Add new templated rules for System.map files

components/filesystem.yml

@@ -36,6 +36,7 @@ rules:
 - file_groupowner_etc_passwd
 - file_groupowner_etc_shadow
 - file_groupowner_etc_shells
+- file_groupowner_systemmap
 - file_groupowner_var_log
 - file_groupowner_var_log_messages
 - file_groupowner_var_log_syslog
@@ -51,6 +52,7 @@ rules:
 - file_owner_etc_passwd
 - file_owner_etc_shells
 - file_owner_etc_shadow
+- file_owner_systemmap
 - file_owner_var_log
 - file_owner_var_log_messages
 - file_owner_var_log_syslog

controls/anssi.yml

@@ -696,7 +696,7 @@ controls:
       The /boot partition mounted is essential to perform certain administrative actions, for
       example updating the kernel. Therefore, for better stability, in this requirement only rules
       to restrict the access to /boot are selected. It is not changed how the /boot is mounted.
-    status: partial
+    status: automated
     rules:
       - file_groupowner_efi_grub2_cfg
       - file_groupowner_grub2_cfg
@@ -710,8 +710,10 @@ controls:
       - file_owner_user_cfg
       - file_permissions_efi_user_cfg
       - file_permissions_user_cfg
+      - file_groupowner_systemmap
+      - file_owner_systemmap
+      - file_permissions_systemmap
     related_rules:
-      - file_permissions_systemmap # missing remediation
       - mount_option_boot_noauto
 
   - id: R30

linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns System.map Files'
+
+description: |-
+    The System.map files are symbol map files generated during the compilation of the Linux
+    kernel. They contain the mapping between kernel symbols and their corresponding memory
+    addresses. These files must be group-owned by root.
+
+    {{{ describe_file_group_owner(file="/boot/System.map*", group="root") }}}
+
+rationale: |-
+    The purpose of <tt>System.map</tt> files is primarily for debugging and profiling the kernel.
+    Unrestricted access to these files might disclose information useful to attackers and
+    malicious software leading to more sophisticated exploitation.
+
+severity: low
+
+identifiers:
+    cce@rhel7: CCE-86582-4
+    cce@rhel8: CCE-86583-2
+    cce@rhel9: CCE-86584-0
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/System.map*", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/boot/System.map*", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /boot/
+        file_regex: ^.*System\.map.*$
+        gid_or_name: root
+        missing_file_pass: 'true'

linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chgrp root /boot/System.map*

linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner_multiple_files.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chgrp root /boot/System.map*

linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp 5 $FAKE_FILE

linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner_multiple_files.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp root $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp 5 $FAKE_FILE2

linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/missing_file_test.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*

linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns System.map Files'
+
+description: |-
+    The System.map files are symbol map files generated during the compilation of the Linux
+    kernel. They contain the mapping between kernel symbols and their corresponding memory
+    addresses. These files must be owned by root.
+
+    {{{ describe_file_owner(file="/boot/System.map*", owner="root") }}}
+
+rationale: |-
+    The purpose of <tt>System.map</tt> files is primarily for debugging and profiling the kernel.
+    Unrestricted access to these files might disclose information useful to attackers and
+    malicious software leading to more sophisticated exploitation.
+
+severity: low
+
+identifiers:
+    cce@rhel7: CCE-86585-7
+    cce@rhel8: CCE-86586-5
+    cce@rhel9: CCE-86587-3
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/System.map*", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/boot/System.map*", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath: /boot/
+        file_regex: ^.*System\.map.*$
+        fileuid: '0'
+        missing_file_pass: 'true'

linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chown root /boot/System.map*

linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner_multiple_files.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chown root /boot/System.map*

linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown 5 $FAKE_FILE

linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner_multiple_files.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown root $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown 5 $FAKE_FILE2

linux_os/guide/system/permissions/files/file_owner_systemmap/tests/missing_file_test.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*

linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml

@@ -1,22 +1,36 @@
 documentation_complete: true
 
-title: 'Verify that local System.map file (if exists) is readable only by root'
+title: 'Verify Permissions on System.map Files'
 
 description: |-
-    Files containing sensitive informations should be protected by restrictive
-      permissions. Most of the time, there is no need that these files need to be read by any non-root user
-    {{{ describe_file_permissions(file="/boot/System.map-*", perms="0600") }}}
+    The System.map files are symbol map files generated during the compilation of the Linux
+    kernel. They contain the mapping between kernel symbols and their corresponding memory
+    addresses. In general, there is no need for non-root users to read these files.
+
+    {{{ describe_file_permissions(file="/boot/System.map*", perms="0600") }}}
 
 rationale: |-
-    The <tt>System.map</tt> file contains information about kernel symbols and
-      can give some hints to generate local exploitation.
+    The purpose of <tt>System.map</tt> files is primarily for debugging and profiling the kernel.
+    Unrestricted access to these files might disclose information useful to attackers and
+    malicious software leading to more sophisticated exploitation.
 
-severity: unknown
+severity: low
 
 identifiers:
     cce@rhel7: CCE-82350-0
     cce@rhel8: CCE-82892-1
+    cce@rhel9: CCE-86581-6
 
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/boot/Sysem.map-*", perms="-rw-------") }}}
+    {{{ ocil_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /boot/
+        file_regex: ^.*System\.map.*$
+        filemode: '0600'
+        allow_stricter_permissions: 'true'
+        missing_file_pass: 'true'

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_multiple_files.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0600 /boot/System.map*

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_permissions.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0600 /boot/System.map*

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_multiple_files.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0600 $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0644 $FAKE_FILE2

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_permissions.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0644 $FAKE_FILE

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/missing_file_test.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*

linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/stricter_permisions.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0400 /boot/System.map*

products/rhel7/profiles/default.profile

@@ -410,7 +410,6 @@ selections:
     - audit_rules_unsuccessful_file_modification_fchownat
     - sebool_openvpn_enable_homedirs
     - bios_disable_usb_boot
-    - file_permissions_systemmap
     - service_docker_enabled
     - file_owner_etc_hosts_allow
     - audit_rules_unsuccessful_file_modification_open_o_creat

products/rhel8/profiles/default.profile

@@ -451,7 +451,6 @@ selections:
     - sebool_openvpn_enable_homedirs
     - zipl_enable_selinux
     - bios_disable_usb_boot
-    - file_permissions_systemmap
     - audit_rules_unsuccessful_file_modification_open_o_creat
     - kernel_config_ipv6
     - service_rpcgssd_disabled

products/rhel9/profiles/default.profile

@@ -370,7 +370,6 @@ selections:
     - audit_rules_unsuccessful_file_modification_fchownat
     - sebool_openvpn_enable_homedirs
     - zipl_enable_selinux
-    - file_permissions_systemmap
     - audit_rules_unsuccessful_file_modification_open_o_creat
     - kernel_config_ipv6
     - audit_rules_successful_file_modification_chown

shared/references/cce-redhat-avail.txt

@@ -144,13 +144,6 @@ CCE-86576-6
 CCE-86577-4
 CCE-86578-2
 CCE-86579-0
-CCE-86581-6
-CCE-86582-4
-CCE-86583-2
-CCE-86584-0
-CCE-86585-7
-CCE-86586-5
-CCE-86587-3
 CCE-86589-9
 CCE-86590-7
 CCE-86591-5