ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Improve rule file_permissions_ungroupowned for use in bootable containers #12584

Open jan-cerny opened 2 weeks ago

jan-cerny commented 2 weeks ago

Description:

For more details, please read commit messages of all commits.

Rationale:

In systems based on bootable container images, the /sysroot directory contains the filesystem of the image, which should be excluded from the check of scanned files.

If nss-altfiles is installed and /etc/nsswitch.conf is configured to use nss-altfiles, user groups can also be defined in /usr/lib/group next to /etc/group. The /usr/lib/group file is a valid source of group definitions and therefore needs to be consulted during the check if nsswitch is configured to use this file. nss-altfiles is often used in bootable container base images.

Review Hints:

Build the CS9 data stream and apply the STIG profile in a podman build of an image based on quay.io/centos-bootc/centos-bootc:stream9.
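The check described in the rationale, as an added example that is not part of this PR or of the ComplianceAsCode content (the project's real rule is generated OVAL/Bash): a stand-alone bash approximation that treats /usr/lib/group as a valid group source only when the `group:` line of nsswitch.conf names the `altfiles` service, and prunes `/sysroot` from the walk. The path parameters, the `altfiles` keyword heuristic, the direct GID-to-group-file comparison (instead of `find -nogroup`, which resolves through NSS) and the reliance on GNU `stat`/`find` are my assumptions, not taken from the PR.

```shell
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode project: a stand-alone
# approximation of the check logic the PR rationale describes.
# Assumptions (constructed for this example): nss-altfiles is "in use" when the
# "group:" line of nsswitch.conf lists the "altfiles" service; /usr/lib/group
# has the same colon-separated layout as /etc/group; GNU stat/find are present.
# Every path is a parameter so the functions can be pointed at test fixtures.

# group_sources NSSWITCH_CONF ETC_GROUP ALTFILES_GROUP
# Print the group database files that count as valid group definitions.
group_sources() {
    local nsswitch="$1" etc_group="$2" altfiles_group="$3"
    printf '%s\n' "$etc_group"
    # Consult /usr/lib/group only when nsswitch.conf actually routes group
    # lookups through nss-altfiles; otherwise entries there are not resolvable.
    if grep -Eq '^[[:space:]]*group:(.*[[:space:]])?altfiles([[:space:]]|$)' "$nsswitch" 2>/dev/null \
       && [ -r "$altfiles_group" ]; then
        printf '%s\n' "$altfiles_group"
    fi
}

# valid_gids NSSWITCH_CONF ETC_GROUP ALTFILES_GROUP
# Emit every numeric GID (third field) defined in the valid sources, de-duplicated.
valid_gids() {
    group_sources "$@" | while IFS= read -r file; do
        awk -F: 'NF >= 3 && $3 ~ /^[0-9]+$/ { print $3 }' "$file"
    done | sort -un
}

# ungroupowned_files ROOT NSSWITCH_CONF ETC_GROUP ALTFILES_GROUP
# Print regular files under ROOT whose GID is not defined in any valid source.
# ROOT/sysroot is pruned: on bootable-container systems it holds the image's
# own filesystem and is out of scope for this check.
ungroupowned_files() {
    local root="$1"; shift
    local gids gid path
    gids=" $(valid_gids "$@" | tr '\n' ' ') "
    find "$root" -path "$root/sysroot" -prune -o -type f -print \
      | while IFS= read -r path; do          # assumes no newlines in file names
            gid="$(stat -c %g "$path")"
            case "$gids" in
                *" $gid "*) ;;                 # group-owned by a defined group
                *) printf '%s\n' "$path" ;;    # undefined group: flag for investigation
            esac
        done
}

# Stand-alone use on a live system (needs read access to the whole tree):
#   ungroupowned_files / /etc/nsswitch.conf /etc/group /usr/lib/group
```

The conditional in `group_sources` is the point the rule description makes: a group that exists only in /usr/lib/group is resolvable (and therefore "valid") only when nsswitch.conf is configured for nss-altfiles; with a plain `group: files` line the same file is inert and files owned by such a group are correctly reported.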

openshift-ci[bot] commented 2 weeks ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

github-actions[bot] commented 2 weeks ago

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] commented 2 weeks ago

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff ```diff New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'. --- xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned +++ xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned @@ -3,9 +3,11 @@ Ensure All Files Are Owned by a Group [description]: -If any file is not group-owned by a group present in /etc/group, the cause of the lack of +If any file is not group-owned by a valid defined group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or -assigned to an appropriate group. +assigned to an appropriate group. The groups need to be defined in /etc/group +or in /usr/lib/group if nss-altfiles are configured to be used +in /etc/nsswitch.conf. Locate the mount points related to local devices by the following command: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) @@ -16,7 +18,7 @@ [warning]: This rule only considers local groups as valid groups. -If you have your groups defined outside /etc/group, the rule won't consider those. +If you have your groups defined outside /etc/group or /usr/lib/group, the rule won't consider those. [warning]: This rule can take a long time to perform the check and might consume a considerable ```
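Review bot: the two hunks disagree on when /usr/lib/group counts as a group source. The description hunk makes it conditional ("or in /usr/lib/group if nss-altfiles are configured to be used in /etc/nsswitch.conf"), while the warning hunk now says flatly that groups "defined outside /etc/group or /usr/lib/group" are ignored, which reads as if /usr/lib/group were always consulted. Suggest mirroring the condition in the warning, e.g. "If you have your groups defined outside /etc/group (or outside /usr/lib/group when nss-altfiles is configured in /etc/nsswitch.conf), the rule won't consider those." Two smaller points: "nss-altfiles are configured" should be "nss-altfiles is configured" (a single module), and the /sysroot exclusion from the PR rationale is not mentioned in either hunk, so the description should state that /sysroot is skipped on bootable container systems, otherwise an administrator cannot tell why files under it are never reported.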
codeclimate[bot] commented 2 weeks ago

Code Climate has analyzed commit 6a30452f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

jan-cerny commented 1 week ago

I think this won't cover all situations. In bootable containers, for "system" users it's strongly recommended to use systemd DynamicUser=yes where possible. See https://containers.github.io/bootc/building/users-and-groups.html#using-dynamicuseryes-for-systemd-units. This isn't covered by our OVAL.