ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Check /etc/systemd/rules and other directories in systemd rules #3359

Open jan-cerny opened 6 years ago

jan-cerny commented 6 years ago

During my work on https://github.com/ComplianceAsCode/content/pull/3308, which extended the rule require_singleuser_auth, @redhatrises pointed out that there are multiple locations of configuration files that can affect this rule.

I originally added a check for /etc/systemd/user, but it turned out the problem is more complex.

The manual page man 5 systemd.unit describes the unit file load path.

UNIT FILE LOAD PATH
       Unit files are loaded from a set of paths determined during compilation, described in the two tables below. Unit files found in directories listed earlier override files with the same name in
       directories lower in the list.

       When the variable $SYSTEMD_UNIT_PATH is set, the contents of this variable overrides the unit load path. If $SYSTEMD_UNIT_PATH ends with an empty component (":"), the usual unit load path will be
       appended to the contents of the variable.

       Table 1.  Load path when running in system mode (--system).
       ┌────────────────────────┬─────────────────────────────┐
       │Path                    │ Description                 │
       ├────────────────────────┼─────────────────────────────┤
       │/etc/systemd/system     │ Local configuration         │
       ├────────────────────────┼─────────────────────────────┤
       │/run/systemd/system     │ Runtime units               │
       ├────────────────────────┼─────────────────────────────┤
       │/usr/lib/systemd/system │ Units of installed packages │
       └────────────────────────┴─────────────────────────────┘

       Table 2.  Load path when running in user mode (--user).
       ┌────────────────────────────────┬──────────────────────────────────────────────────────────────────┐
       │Path                            │ Description                                                      │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │$XDG_CONFIG_HOME/systemd/user   │ User configuration (only used when $XDG_CONFIG_HOME is set)      │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │$HOME/.config/systemd/user      │ User configuration (only used when $XDG_CONFIG_HOME is not set)  │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │/etc/systemd/user               │ Local configuration                                              │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │$XDG_RUNTIME_DIR/systemd/user   │ Runtime units (only used when $XDG_RUNTIME_DIR is set)           │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │/run/systemd/user               │ Runtime units                                                    │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │$XDG_DATA_HOME/systemd/user     │ Units of packages that have been installed in the home directory │
       │                                │ (only used when $XDG_DATA_HOME is set)                           │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │$HOME/.local/share/systemd/user │ Units of packages that have been installed in the home directory │
       │                                │ (only used when $XDG_DATA_HOME is not set)                       │
       ├────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
       │/usr/lib/systemd/user           │ Units of packages that have been installed system-wide           │
       └────────────────────────────────┴──────────────────────────────────────────────────────────────────┘

As @yuumasato pointed out, this problem also affects rules that determine whether auditctl or augen is used.

trevor-vaughan commented 5 years ago

@jan-cerny The only way to check this is to use systemctl show as far as I can tell. I don't think that SCAP should implement a full systemd config file processor.
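Worked example added here (not the project's own check code and not code from the thread): a small POSIX shell resolver that applies the system-mode load path from the manual page quoted above, including $SYSTEMD_UNIT_PATH overriding the defaults, masking via a /dev/null symlink, and drop-in directories merged from every path entry, which is why a check limited to one directory such as /etc/systemd/system is not sufficient. The three default directories are taken from Table 1; everything else is the example's own assumption.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own check code: resolve the unit file
# and drop-ins systemd would load for a unit in --system mode per the
# systemd.unit(5) load-path rules quoted in the issue. Assumes the three default
# system directories; $SYSTEMD_UNIT_PATH overrides them, trailing ":" appends them.
set -u

DEFAULT_SYSTEM_PATH="/etc/systemd/system:/run/systemd/system:/usr/lib/systemd/system"

# Effective colon-separated search path, highest precedence first.
system_unit_path() {
    local path="${SYSTEMD_UNIT_PATH:-}"
    if [ -z "$path" ]; then
        path="$DEFAULT_SYSTEM_PATH"
    elif [ "${path%:}" != "$path" ]; then
        path="${path%:}:$DEFAULT_SYSTEM_PATH"
    fi
    printf '%s\n' "$path"
}

# Unit file that wins for unit $1: the first match in path order. A symlink
# to /dev/null masks the unit, so "masked" is printed instead of a path.
resolve_unit() {
    local unit="$1" old_ifs="$IFS" dir candidate
    IFS=':'; set -- $(system_unit_path); IFS="$old_ifs"
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        candidate="$dir/$unit"
        if [ -L "$candidate" ] && [ "$(readlink "$candidate")" = "/dev/null" ]; then
            echo masked; return 0
        fi
        if [ -f "$candidate" ]; then
            echo "$candidate"; return 0
        fi
    done
    return 1
}

# Drop-ins <unit>.d/*.conf are merged from every directory in the path, not
# only the one holding the winning unit file, so a checker must scan them all.
unit_dropins() {
    local unit="$1" old_ifs="$IFS" dir f
    IFS=':'; set -- $(system_unit_path); IFS="$old_ifs"
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        for f in "$dir/$unit.d"/*.conf; do
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}
```

On a live host, `systemctl show -p FragmentPath,DropInPaths rescue.service` asks systemd itself for the same resolution, which is the approach the previous comment suggests; the shell version is only useful where a scanner cannot call systemctl.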