
file_permission_user_init_files is misaligned with DISA #11699

Closed
jan-cerny opened this issue Mar 13, 2024 · 0 comments · Fixed by #11729
productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related.

Comments

@jan-cerny (Collaborator)

Description of problem:

file_permission_user_init_files is misaligned with DISA

Details:

The SSG's rule hasn't found any files with wrong permissions.

DISA's rule has found these files:

/root/.bash_profile  regular  0  0  141  rw-r--r--
/root/.bash_logout   regular  0  0   18  rw-r--r--
/root/.bashrc        regular  0  0  429  rw-r--r--
/root/.cshrc         regular  0  0  100  rw-r--r--
/root/.tcshrc        regular  0  0  129  rw-r--r--

Outcome:

SSG result: pass
DISA result: fail

The issue is present in these test variants:

  • oscap
  • ansible
  • anaconda

SCAP Security Guide Version:

Current upstream master as of 2024-03-12 (HEAD cbbca44).

External Content's Version:

DISA STIG RHEL 9 V1R1

@jan-cerny jan-cerny added productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels Mar 13, 2024
@jan-cerny jan-cerny self-assigned this Mar 19, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue Mar 19, 2024
The rule file_permission_user_init_files now checks only dot files of
users with UID greater than or equal to 1000. But according to RHEL 9 STIG
and CIS benchmarks it should check also the root user's dot files. This
commit extends the rule to account also for the root user and adds a
simple test scenario covering this situation.

Fixes ComplianceAsCode#11699
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue Mar 26, 2024
The rule file_permission_user_init_files now checks only dot files of
users with UID greater than or equal to 1000. But according to RHEL 9 STIG
and CIS benchmarks it should check also the root user's dot files.

This commit creates a new rule file_permission_user_init_files_root
which is almost the same as file_permission_user_init_files, but the
new rule accounts also for the root user and his init files.

We also change the OVAL jinja macro. This change will include the root
user to the user list only if needed. We will use the root in the rule
file_permission_user_init_file. But we will not use the root in
accounts_user_interactive_home_directory_defined where we keep the old
behavior.

The commit also adds a simple test scenario covering this situation.

Fixes: ComplianceAsCode#11699
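The user selection described in the commit message above, as an added shell example that is not code from ComplianceAsCode/content or from these commits: root (UID 0) is included alongside users with UID >= 1000, and their dot files are checked against a maximum mode. The 0740 default, the exclusion of UID 65534, and the function names are assumptions of this example, not values stated in the issue.

```shell
#!/bin/sh
# Added example, not project code. Mirrors the corrected rule logic: select
# interactive users (UID >= 1000, minus the nobody UID 65534) plus root, then
# report init (dot) files in their home directories whose mode is more
# permissive than a maximum. The 0740 default is an assumption of this example.

# Print "name:uid:home" for root and every user with UID >= 1000 except
# 65534, from an /etc/passwd-format file given as $1. The "$3 == 0" term is
# what the original rule lacked: without it root's dot files are never checked.
init_file_users() {
    awk -F: '$3 == 0 || ($3 >= 1000 && $3 != 65534) { print $1 ":" $3 ":" $6 }' "$1"
}

# Print "path mode" for every regular dot file directly under each selected
# user's home whose mode sets any bit outside $2 (octal, default 0740).
# Returns 0 when no such file exists (pass), 1 otherwise (fail).
check_init_files() {
    passwd_file=$1
    max_mode=${2:-0740}
    # Permission bits that must not be set: the complement of max_mode in 0777.
    forbidden=$(printf '%o' $(( 0777 & ~0$max_mode )))
    bad=$(init_file_users "$passwd_file" | while IFS=: read -r name uid home; do
        [ -d "$home" ] || continue   # skip accounts without a home directory
        find "$home" -maxdepth 1 -type f -name '.*' -perm "/$forbidden" \
            -exec stat -c '%n %a' {} +
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: sh check_init_files.sh /etc/passwd 0740
if [ "$#" -ge 1 ]; then
    check_init_files "$@"
fi
```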