From 6c9e879a3ad9e7f47750646785b5bb9e801156e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2024 16:09:31 +0100
Subject: [PATCH] Improve audit_rules_privileged_commands

The rule audit_rules_privileged_commands needs to be adjusted because it doesn't work in bootable containers.
- exclude /sysroot from searching for privileged commands
- include composefs as a valid type of filesystem partition
- apply remediations on the root filesystem during image build
---
 .../audit_rules_privileged_commands/bash/shared.sh | 6 +++++-
 .../audit_rules_privileged_commands/oval/shared.xml | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
index cd61de6dfe30..f99dd6a8d17e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
@@ -11,7 +11,11 @@
 KEY="privileged"
 SYSCALL_GROUPING=""
 FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+if {{{ bash_bootc_build() }}} ; then
+ PARTITIONS=("/")
+else
+ PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+fi
 for PARTITION in $PARTITIONS; do
 PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
 for PRIV_CMD in $PRIV_CMDS; do
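Review bot: The bootc branch assigns an array, `PARTITIONS=("/")`, while the else branch and the unchanged `for PARTITION in $PARTITIONS` loop treat PARTITIONS as a whitespace-separated string; an unquoted `$PARTITIONS` on an array expands only element 0, so this only works because the array has one entry and would silently drop anything appended later. Use a scalar on both paths, `PARTITIONS="/"`, so the loop's word-splitting contract is identical whichever branch ran. A one-line comment on the new `if` would also help the next reader, e.g. `# bootc image build: findmnt reports the builder's mounts, not the image's, so audit only the image root` — I infer that rationale from the commit message ("apply remediations on the root filesystem during image build"), so confirm it before committing the wording. Since the existing `find "${PARTITION}" -xdev` never crosses mount boundaries, the build path covers setuid/setgid files on the image root only, which is fine if the image is a single filesystem at build time but worth stating explicitly.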
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
index 35cc22cf7843..c59a37663d06 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
@@ -24,7 +24,7 @@
- ^/dev/.*$
+ ^(/dev/.*|composefs)$
@@ -64,6 +64,11 @@
 ^/var/tmp/dracut.*
+
+ ^/sysroot/.*$
+
+
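Review bot: The check now accepts composefs as a partition source (`^(/dev/.*|composefs)$`) and skips `^/sysroot/.*$`, but the bash remediation in this same commit only changes behaviour under the bootc build macro; on a booted system its `findmnt -it $FILTER_NODEV` path is untouched, so if composefs is registered as nodev in /proc/filesystems (not visible from this hunk) the remediation would skip the composefs root that the OVAL check now evaluates, and the rule could fail the check with no fix that repairs it. Please verify on a running composefs system and, if that is the case, either add composefs explicitly to the findmnt types or remove it from the nodev filter in the bash path. The XML element names around both hunks were lost in this rendering, so I cannot confirm whether the /sysroot pattern lands in the same exclusion set as the dracut entry above it; re-read the context in the source file when reviewing.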