Add new rule file_permissions_sudo by Mab879 · Pull Request #11584 · ComplianceAsCode/content

Mab879 · 2024-02-13T16:05:18Z

Description:

Add new rule file_permissions_sudo

Rationale:

To cover ANSSI R38

github-actions · 2024-02-13T16:06:38Z

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

Mab879 · 2024-02-13T18:35:38Z

/packit retest-failed

jan-cerny · 2024-02-14T09:16:14Z

/packit retest-failed

jan-cerny · 2024-02-15T08:08:30Z

@Mab879 Testing farm fail is legit, it fail in the rule file_permissions_sudo in the ANSSI profile. The actual permissions are of /usr/bin/sudo are 4111.

Mab879 · 2024-02-15T22:32:22Z

/packit retest-failed

Mab879 · 2024-02-15T22:33:18Z

@Mab879 Testing farm fail is legit, it fail in the rule file_permissions_sudo in the ANSSI profile. The actual permissions are of /usr/bin/sudo are 4111.

So I misread the permissions in ANSSI, they are looking for 4110, but that might not be possible.

jan-cerny · 2024-02-16T07:13:19Z

+    name: "file_permissions"
+    vars:
+        filepath: "/usr/bin/sudo"
+        filemode: '4110'


CI still fails so we will probably need to change it to 4111.

The HTML report from the testing farm https://artifacts.dev.testing-farm.io/ae6aeb0b-5999-4a1d-ad23-2291c000eb50/work-ansible-anssivlxuhmw6/tests/fmf-plans/ansible-anssi/execute/data/guest/default-0/Sanity/ansible-machine-hardening/anssi_bp28_high-1/data/anssi_bp28_high.html indicates that 4111 .

On my machine:

jcerny@fedora:~$ stat -c %a /usr/bin/sudo 4111

But I haven't investigated it further.

jan-cerny · 2024-02-16T07:13:46Z

+title: 'Ensure That the sudo Binary Has the Correct Permissions'
+
+description: |-
+{{{ describe_file_permissions("/usr/bin/sudo", "4750") | indent(4) }}}


the value of the permissions will have to be the same as in the template section

Mab879 · 2024-02-16T13:01:00Z

Moving to 4111 as 4110 doesn't seem possible.

qlty-cloud-legacy · 2024-02-16T13:24:01Z

Code Climate has analyzed commit 257bf01 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).

View more on Code Climate.

jan-cerny · 2024-02-19T08:13:30Z

/packit retest-failed

jan-cerny · 2024-02-19T08:49:56Z

/packit retest-failed

jan-cerny · 2024-02-19T13:48:31Z

/packit retest-failed

jan-cerny · 2024-02-20T07:40:42Z

/packit retest- failed

jan-cerny · 2024-02-20T14:06:37Z

/packit retest-failed

jan-cerny · 2024-02-21T10:46:23Z

/packit retest-failed

jan-cerny · 2024-02-22T07:32:28Z

/packit retest-failed

jan-cerny · 2024-02-22T08:11:38Z

/packit retest-failed

jan-cerny · 2024-02-22T10:20:13Z

/packit retest-failed

jan-cerny · 2024-02-22T10:56:56Z

/packit retest-failed

Mab879 added New Rule Issues or pull requests related to new Rules. ANSSI ANSSI Benchmark related. labels Feb 13, 2024

Mab879 added this to the 0.1.73 milestone Feb 13, 2024

Mab879 force-pushed the update_r38 branch from a621901 to 4f74e0a Compare February 13, 2024 16:42

jan-cerny self-assigned this Feb 14, 2024

jan-cerny requested changes Feb 14, 2024

View reviewed changes

Comment thread linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml

Mab879 force-pushed the update_r38 branch from 4f74e0a to 60fc770 Compare February 14, 2024 13:09

Mab879 force-pushed the update_r38 branch from 60fc770 to 4961c3d Compare February 15, 2024 14:00

jan-cerny reviewed Feb 16, 2024

View reviewed changes

Mab879 force-pushed the update_r38 branch from 4961c3d to a65ebe4 Compare February 16, 2024 13:00

Add new rule file_permissions_sudo

257bf01

Mab879 force-pushed the update_r38 branch from a65ebe4 to 257bf01 Compare February 16, 2024 13:02

jan-cerny approved these changes Feb 22, 2024

View reviewed changes

jan-cerny merged commit 570eeb7 into ComplianceAsCode:master Feb 22, 2024

Mab879 deleted the update_r38 branch February 22, 2024 13:21

obalpetre-anssi mentioned this pull request Apr 2, 2024

R38 ANSSI wrong file permissions #11779

Closed

Conversation

Mab879 commented Feb 13, 2024

Description:

Rationale:

Uh oh!

github-actions Bot commented Feb 13, 2024

Uh oh!

Mab879 commented Feb 13, 2024

Uh oh!

jan-cerny commented Feb 14, 2024

Uh oh!

Uh oh!

jan-cerny commented Feb 15, 2024

Uh oh!

Mab879 commented Feb 15, 2024

Uh oh!

Mab879 commented Feb 15, 2024

Uh oh!

jan-cerny Feb 16, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jan-cerny Feb 16, 2024

Choose a reason for hiding this comment

Uh oh!

Mab879 commented Feb 16, 2024

Uh oh!

qlty-cloud-legacy Bot commented Feb 16, 2024

Uh oh!

jan-cerny commented Feb 19, 2024

Uh oh!

jan-cerny commented Feb 19, 2024

Uh oh!

jan-cerny commented Feb 19, 2024

Uh oh!

jan-cerny commented Feb 20, 2024

Uh oh!

jan-cerny commented Feb 20, 2024

Uh oh!

jan-cerny commented Feb 21, 2024

Uh oh!

jan-cerny commented Feb 22, 2024

Uh oh!

jan-cerny commented Feb 22, 2024

Uh oh!

jan-cerny commented Feb 22, 2024

Uh oh!

jan-cerny commented Feb 22, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

jan-cerny Feb 16, 2024 •

edited

Loading