Improve rule file_permissions_ungroupowned for use in bootable containers#12584
Conversation
In systems based on bootable container images the `/sysroot` directory contains the filesystem of the image which should be excluded from the scanned files check.
If the `nss-altfiles` are installed and `/etc/nsswitch.conf` is configured to use `nss-altfiles`, user groups can also be defined in `/usr/lib/group` next to `/etc/group`. The `/usr/lib/group` is a valid source of group definitions and therefore needs to be consulted during the check if nsswitch is configured to use this file. `nss-altfiles` is often used in bootable container base images.
Add new Automatus test scenarios for rule file_permissions_ungroupowned that cover recent changes - exclusion of /sysroot and addition of /usr/lib/group as second source of group data.
Skipping CI for Draft Pull Request.
Reflects the recent change that the check now considers /usr/lib/group in addition.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'.
--- xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
+++ xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
@@ -3,9 +3,11 @@
Ensure All Files Are Owned by a Group
[description]:
-If any file is not group-owned by a group present in /etc/group, the cause of the lack of
+If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
-assigned to an appropriate group.
+assigned to an appropriate group. The groups need to be defined in /etc/group
+or in /usr/lib/group if nss-altfiles are configured to be used
+in /etc/nsswitch.conf.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
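Review bot: The description now names /usr/lib/group as a second group source when nss-altfiles is configured in /etc/nsswitch.conf, but nothing in the rule text mentions that /sysroot is left out of the scan, which this PR also introduces; a sentence such as "On bootable container images, the image filesystem mounted under /sysroot is not scanned." after the nsswitch sentence would keep the description in step with the check and its new test scenarios.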
@@ -16,7 +18,7 @@
[warning]:
This rule only considers local groups as valid groups.
-If you have your groups defined outside /etc/group, the rule won't consider those.
+If you have your groups defined outside /etc/group or /usr/lib/group, the rule won't consider those.
[warning]:
This rule can take a long time to perform the check and might consume a considerable
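Review bot: The updated warning reads as if /usr/lib/group were always consulted, while the check only reads it when /etc/nsswitch.conf uses nss-altfiles; wording it as "outside /etc/group (or /usr/lib/group, when nss-altfiles is configured in /etc/nsswitch.conf)" would state the condition and avoid a false sense of coverage on systems where altfiles is installed but not enabled in nsswitch.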
OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' differs.
--- oval:ssg-file_permissions_ungroupowned:def:1
+++ oval:ssg-file_permissions_ungroupowned:def:1
@@ -1,2 +1,7 @@
+criteria OR
criteria AND
+criterion oval:ssg-test_file_permissions_ungroupowned_nsswitch_uses_altfiles:tst:1
criterion oval:ssg-test_file_permissions_ungroupowned:tst:1
+criteria AND
+criterion oval:ssg-test_file_permissions_ungroupowned_nsswitch_uses_altfiles:tst:1
+criterion oval:ssg-test_file_permissions_ungroupowned_with_usrlib:tst:1 |
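Review bot: Both AND branches reference the same criterion oval:ssg-test_file_permissions_ungroupowned_nsswitch_uses_altfiles:tst:1, so the OR can only distinguish the two configurations if the first occurrence is negated (for example negate="true" on that criterion); the rendered diff does not show attributes, so please confirm it is there, because without the negation a system that does not use altfiles fails both branches regardless of file ownership, and the first branch would never stand on its own.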
I think this won't cover all situations. In bootable containers, for "system" users it's strongly recommended to use systemd DynamicUser=yes where possible. See https://containers.github.io/bootc/building/users-and-groups.html#using-dynamicuseryes-for-systemd-units. This isn't covered by our OVAL.
This will ensure that the test will use the groups from nss-altfiles only if the nsswitch is configured to use nss-altfiles.
I have changed the OVAL so that it will consider the /usr/lib/group only if the /etc/nsswitch.conf is configured to consider it. I can't cover the systemd DynamicUser by OVAL. I will mark the PR as ready.
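The check logic described in the PR description above (exclude /sysroot, consult /usr/lib/group only when nsswitch.conf uses altfiles) and in the comment on the OVAL condition, written out as an added Python illustration; it is not the project's own OVAL or bash remediation, and the nsswitch.conf text, group files and (path, gid) entries are constructed samples.

```python
from typing import Iterable, List, Set, Tuple

# Added illustration, not ComplianceAsCode's OVAL. On bootable container images the
# image filesystem is mounted under /sysroot and is left out of the scan.
SYSROOT = "/sysroot"

def nsswitch_uses_altfiles(nsswitch_text: str) -> bool:
    """True when the 'group:' line of nsswitch.conf lists the altfiles source."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and padding
        if line.startswith("group:"):
            return "altfiles" in line[len("group:"):].split()
    return False

def gids_from_group_file(text: str) -> Set[int]:
    """Collect numeric GIDs from group(5)-formatted text, skipping malformed lines."""
    gids: Set[int] = set()
    for line in text.splitlines():
        fields = line.split(":")
        if not line.startswith("#") and len(fields) >= 3 and fields[2].isdigit():
            gids.add(int(fields[2]))
    return gids

def valid_gids(nsswitch_text: str, etc_group: str, usr_lib_group: str) -> Set[int]:
    """/etc/group is always a source; /usr/lib/group only if nsswitch uses altfiles."""
    gids = gids_from_group_file(etc_group)
    if nsswitch_uses_altfiles(nsswitch_text):
        gids |= gids_from_group_file(usr_lib_group)
    return gids

def ungroupowned(entries: Iterable[Tuple[str, int]], valid: Set[int]) -> List[str]:
    """Paths outside /sysroot whose owning GID matches no defined group."""
    return [path for path, gid in entries
            if gid not in valid
            and path != SYSROOT and not path.startswith(SYSROOT + "/")]

# Constructed sample inputs (not taken from a real system).
NSSWITCH_ALTFILES = "passwd: files altfiles systemd\ngroup:  files altfiles systemd\n"
NSSWITCH_PLAIN = "group: files systemd\n"
ETC_GROUP = "root:x:0:\nwheel:x:10:\n"
USR_LIB_GROUP = "# groups shipped inside the image\nchrony:x:992:\n"
ENTRIES = [("/etc/passwd", 0), ("/var/lib/chrony/drift", 992),
           ("/var/tmp/stray", 4242), ("/sysroot/var/tmp/stray", 4242)]

def report(nsswitch_text: str) -> List[str]:
    return ungroupowned(ENTRIES, valid_gids(nsswitch_text, ETC_GROUP, USR_LIB_GROUP))

if __name__ == "__main__":
    print("altfiles configured:", report(NSSWITCH_ALTFILES))   # ['/var/tmp/stray']
    print("files only:", report(NSSWITCH_PLAIN))
```

With altfiles disabled the file owned by the image-shipped group 992 is reported as well, which is exactly the difference the two OVAL branches encode; the copy under /sysroot is never reported.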
Code Climate has analyzed commit b435af1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
matusmarhefka
left a comment
Tested in bootable container and with Automatus, LGTM.
$ ./automatus.py rule --libvirt qemu:///session ssgts_94 --datastream ../build/ssg-rhel9-ds.xml --remediate-using bash file_permissions_ungroupowned
INFO - xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
INFO - Script unowned_file.fail.sh using profile (all) OK
INFO - Script all_owned.pass.sh using profile (all) OK
INFO - Script group_in_usr_lib.pass.sh using profile (all) OK
INFO - Script unowned_in_sysroot.pass.sh using profile (all) OK
Description:
- /sysroot from scanning
- /usr/lib/group
For more details, please read commit messages of all commits.
Review Hints:
Build CS9 data stream and apply STIG profile in podman build of an image based on quay.io/centos-bootc/centos-bootc:stream9.