Use nss-altfiles in file_groupowner_etc_chrony_keys

[jan-cerny]

The bootable containers and Image Mode Operating systems use /usr/lib/group provided by the nss-altfiles RPM package as an alternative place to define user groups in the system.

The rule file_groupowner_etc_chrony_keys didn't read the /usr/lib/group. As a result the rule failed in the after-deployment scan with the ANSSI BP28 High profile. This commit extends the check to read /usr/lib/group, which makes the rule pass in Image Mode.

This change has been inspired by the code in rule
file_permissions_ungroupowned which already has been modified for Image Mode. The code that is same in OVALs in both rules has been extracted to a Jinja 2 macro to prevent code duplication and enable further reuse in future.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- oval:ssg-file_groupowner_etc_chrony_keys:def:1
+++ oval:ssg-file_groupowner_etc_chrony_keys:def:1
@@ -1,2 +1,7 @@
+criteria OR
 criteria AND
-criterion oval:ssg-test_file_groupowner_etc_chrony_keys_0:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys:tst:1
+criteria AND
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_with_usrlib:tst:1

[jan-cerny]

I don't know what is the problem because I pass all locally. Any help?

jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_groupowner_etc_chrony_keys
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1139/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script correct_groupowner.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ 
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ 
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_permissions_ungroupowned
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1140/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
INFO - Script all_owned.pass.sh using profile (all) OK
INFO - Script unowned_file.fail.sh using profile (all) OK
INFO - Script group_in_usr_lib.pass.sh using profile (all) OK
INFO - Script unowned_in_sysroot.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_groupowner_etc_chrony_keys
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1142/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script correct_groupowner.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_permissions_ungroupowned
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1143/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
INFO - Script all_owned.pass.sh using profile (all) OK
INFO - Script unowned_file.fail.sh using profile (all) OK
INFO - Script group_in_usr_lib.pass.sh using profile (all) OK
INFO - Script unowned_in_sysroot.pass.sh using profile (all) OK

[Mab879]

Thanks for the PR.

Just one minor change.

[Mab879]

Suggested change

	{{{ oval_metadata("All files should be owned by a group") }}}
	{{{ oval_metadata("All files should be owned by a group") }}}

While this is true, I don't think this is the best description for the rule.

[codeclimate]

Code Climate has analyzed commit af3c6e7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

View more on Code Climate.

[jan-cerny]

I have changed the comments.