Update file_permissions_unauthorized_world_writable #12791
Conversation
Update file_permissions_unauthorized_world_writable for bootable containers. Filter out the `/sysroot` directory from results because it contains only the physical read-only root and not the real file system, see https://containers.github.io/bootc/filesystem-sysroot.html#sysroot-mount.
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
+++ xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
@@ -1,11 +1,15 @@
FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }')
+
+# Do not consider /sysroot partition because it contains only the physical
+# read-only root on bootable containers.
+PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }' | grep -v "/sysroot")
+
for PARTITION in $PARTITIONS; do
find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
done
-# Ensure /tmp is also fixed whem tmpfs is used.
+# Ensure /tmp is also fixed when tmpfs is used.
if grep "^tmpfs /tmp" /proc/mounts; then
find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
fi |
|
Code Climate has analyzed commit b7679cd and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
I have built a CS 9 data stream from this pull request branch. I have used this data stream to build a hardened bootable container image based on CS 9 using the CIS profile. I have booted the image using podman-bootc. I have run a scan of that machine. The rule xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable has passed in the scan.
Update file_permissions_unauthorized_world_writable for bootable containers. Filter out the
/sysrootdirectory from results because it contains only the physical read-only root and not the real file system, see https://containers.github.io/bootc/filesystem-sysroot.html#sysroot-mount.