Improve audit_rules_privileged_commands

The rule audit_rules_privileged_commands needs to be adjusted because it doesn't work in bootable containers. - exclude /sysroot from searching for privileged commands - include composefs as a valid type of filesystem partition - apply remediations on the root filesystem during image build
ComplianceAsCode · Nov 13, 2024 · 6c9e879 · 6c9e879
1 parent 54959c1
commit 6c9e879
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
@@ -11,7 +11,11 @@ KEY="privileged"
 SYSCALL_GROUPING=""
 
 FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+if {{{ bash_bootc_build() }}} ; then
+  PARTITIONS=("/")
+else
+  PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+fi
 for PARTITION in $PARTITIONS; do
   PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
   for PRIV_CMD in $PRIV_CMDS; do

diff --git a/...configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/...configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
@@ -24,7 +24,7 @@
 
   <!-- First define OVAL entities that can be reused across tests below -->
   <linux:partition_state id="state_audit_rules_privileged_commands_dev_partitons" version="1">
-    <linux:device operation="pattern match">^/dev/.*$</linux:device>
+    <linux:device operation="pattern match">^(/dev/.*|composefs)$</linux:device>
   </linux:partition_state>
 
   <linux:partition_state id="state_audit_rules_privileged_commands_nosuid_partitons" version="1">
@@ -64,6 +64,11 @@
     <unix:filepath operation="pattern match">^/var/tmp/dracut.*</unix:filepath>
   </unix:file_state>
 
+    <unix:file_state id="state_audit_rules_privileged_commands_sysroot" version="1"
+        comment="Used to filter out all files in the /sysroot directory">
+        <unix:filepath operation="pattern match">^/sysroot/.*$</unix:filepath>
+    </unix:file_state>
+
   <!-- This file_object will only find privileged commands located only in file systems that allow
        their execution. The recurse_file_system parameter is set to defined in order to make sure
        the probe doesn't leave the scope of that mount point. For example, when probing "/", the
@@ -78,6 +83,7 @@
     <unix:filename operation="pattern match">^\w+</unix:filename>
     <filter action="include">state_setuid_or_setgid_set</filter>
     <filter action="exclude">state_dracut_tmp_files</filter>
+    <filter action="exclude">state_audit_rules_privileged_commands_sysroot</filter>
   </unix:file_object>
 
   <local_variable id="var_audit_rules_privileged_commands_priv_cmds" version="1"