
Use nss-altfiles in file_groupowner_etc_chrony_keys #12789

Merged

Conversation

jan-cerny (Collaborator) wrote:

The bootable containers and Image Mode operating systems use /usr/lib/group, provided by the nss-altfiles RPM package, as an alternative place to define user groups in the system.

The rule file_groupowner_etc_chrony_keys didn't read /usr/lib/group. As a result, the rule failed in the after-deployment scan with the ANSSI BP28 High profile. This commit extends the check to read /usr/lib/group, which makes the rule pass in Image Mode.

This change has been inspired by the code in rule file_permissions_ungroupowned, which has already been modified for Image Mode. The code that is the same in the OVALs of both rules has been extracted to a Jinja 2 macro to prevent code duplication and enable further reuse in the future.

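As an added example (not code from the ComplianceAsCode project or from this PR), the following Python models the resolution step the description talks about: a file's numeric gid is looked up in /etc/group and, only when /etc/nsswitch.conf lists altfiles for the group database, also in /usr/lib/group. The two file paths are the ones named above; the nsswitch.conf, group-file contents, the gid 993 and the "chrony" expectation are constructed assumptions for the demonstration, not values taken from the rule.

```python
# Added example, not code from the ComplianceAsCode project.
# Emulates the group-ownership check described in this PR: a file's numeric
# gid is resolved to a group name from /etc/group, and additionally from
# /usr/lib/group (provided by nss-altfiles) when /etc/nsswitch.conf lists
# "altfiles" as a source for the group database. The file contents, gids and
# the set of acceptable owners below are constructed for the demonstration.

# Constructed /etc/nsswitch.conf of an Image Mode host (altfiles enabled).
NSSWITCH_ALTFILES = """\
# Generated by authselect
passwd:     files altfiles systemd
group:      files altfiles systemd
shadow:     files
"""

# Constructed /etc/nsswitch.conf of a traditional install (no altfiles).
NSSWITCH_PLAIN = """\
passwd:     files systemd
group:      files systemd
"""

# Constructed /etc/group and /usr/lib/group contents.
ETC_GROUP = """\
root:x:0:
wheel:x:10:admin
"""
USR_LIB_GROUP = """\
chrony:x:993:
sshd:x:74:
"""


def nsswitch_uses_altfiles(nsswitch_text, database="group"):
    """True if the nsswitch.conf line for `database` names altfiles as a source."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, sep, sources = line.partition(":")
        if sep and name.strip() == database:
            return "altfiles" in sources.split()
    return False


def parse_group_file(text):
    """Map numeric gid -> group name from group(5)-formatted text.
    Malformed lines are skipped; the first definition of a gid wins."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        groups.setdefault(int(fields[2]), fields[0])
    return groups


def resolve_gid(gid, nsswitch_text, etc_group_text, usr_lib_group_text):
    """Resolve gid to a name: /etc/group first, then /usr/lib/group only when
    nsswitch.conf enables altfiles for the group database. None if unknown."""
    name = parse_group_file(etc_group_text).get(gid)
    if name is None and nsswitch_uses_altfiles(nsswitch_text):
        name = parse_group_file(usr_lib_group_text).get(gid)
    return name


def group_owner_allowed(file_gid, allowed_groups, nsswitch_text,
                        etc_group_text, usr_lib_group_text):
    """Rule-style verdict: does the file's gid resolve to an allowed group?"""
    name = resolve_gid(file_gid, nsswitch_text, etc_group_text, usr_lib_group_text)
    return name is not None and name in allowed_groups


if __name__ == "__main__":
    # Hypothetical expectation: the keys file is group-owned by "chrony"
    # (gid 993 in the constructed data). Without altfiles, which is also what
    # a check that never reads /usr/lib/group sees, gid 993 stays unknown.
    for label, nss in (("altfiles", NSSWITCH_ALTFILES), ("plain", NSSWITCH_PLAIN)):
        name = resolve_gid(993, nss, ETC_GROUP, USR_LIB_GROUP)
        ok = group_owner_allowed(993, {"chrony"}, nss, ETC_GROUP, USR_LIB_GROUP)
        print(f"{label}: gid 993 -> {name!r}, pass={ok}")
```

Running it shows the failure mode the PR fixes: with altfiles enabled gid 993 resolves to chrony and the verdict is pass, while a resolver limited to /etc/group reports the gid as unknown and the verdict is fail.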
@jan-cerny added the labels OVAL (OVAL update. Related to the systems assessments.) and Image Mode (Bootable containers and Image Mode RHEL) on Jan 8, 2025

github-actions bot commented Jan 8, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys' differs.
--- oval:ssg-file_groupowner_etc_chrony_keys:def:1
+++ oval:ssg-file_groupowner_etc_chrony_keys:def:1
@@ -1,2 +1,7 @@
+criteria OR
 criteria AND
-criterion oval:ssg-test_file_groupowner_etc_chrony_keys_0:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys:tst:1
+criteria AND
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles:tst:1
+criterion oval:ssg-test_file_groupowner_etc_chrony_keys_with_usrlib:tst:1
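Review bot: both AND branches of the new OR contain the same criterion oval:ssg-test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles:tst:1, and this rendered criteria tree does not show whether the first branch carries negate="true" on it; please confirm that in the OVAL source, because if both branches require the altfiles test to be true, a host whose nsswitch.conf does not list altfiles matches neither branch and the rule fails on traditional installs instead of only changing behaviour in Image Mode. Also note that the original criterion id lost its _0 suffix (oval:ssg-test_file_groupowner_etc_chrony_keys_0:tst:1 became oval:ssg-test_file_groupowner_etc_chrony_keys:tst:1); a sentence in the PR description saying the macro now generates these ids would help anyone diffing datastreams across versions.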

@jan-cerny (Collaborator, Author) wrote:

I don't know what the problem is, because all of them pass locally. Any help?

jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_groupowner_etc_chrony_keys
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1139/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script correct_groupowner.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ 
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ 
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_permissions_ungroupowned
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1140/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
INFO - Script all_owned.pass.sh using profile (all) OK
INFO - Script unowned_file.fail.sh using profile (all) OK
INFO - Script group_in_usr_lib.pass.sh using profile (all) OK
INFO - Script unowned_in_sysroot.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_groupowner_etc_chrony_keys
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1142/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_etc_chrony_keys
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script correct_groupowner.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (file_groupowner_etc_chrony_keys)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_permissions_ungroupowned
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-08-1143/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
INFO - Script all_owned.pass.sh using profile (all) OK
INFO - Script unowned_file.fail.sh using profile (all) OK
INFO - Script group_in_usr_lib.pass.sh using profile (all) OK
INFO - Script unowned_in_sysroot.pass.sh using profile (all) OK

@jan-cerny jan-cerny added this to the 0.1.76 milestone Jan 8, 2025
@Mab879 Mab879 self-assigned this Jan 8, 2025
@Mab879 (Member) left a review comment:

Thanks for the PR.

Just one minor change.

<def-group>

<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("All files should be owned by a group") }}}

Suggested change
{{{ oval_metadata("All files should be owned by a group") }}}
{{{ oval_metadata("All files should be owned by a group") }}}

While this is true, I don't think this is the best description for the rule.


codeclimate bot commented Jan 9, 2025

Code Climate has analyzed commit af3c6e7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).


@jan-cerny (Collaborator, Author) wrote:

I have changed the comments.

@Mab879 (Member) commented Jan 9, 2025:

Waiving the following tests:

Windows - Not Related to this PR
Ubuntu 24.04 Gating - Not related to this PR

The automatus tests pass locally.

@Mab879 Mab879 merged commit 8825a47 into ComplianceAsCode:master Jan 9, 2025
98 of 107 checks passed