canonical / charm-lldpd

LLDPd charm

lldpd charm causes DISA-STIG non-compliance after deployment #13

Closed jeff-hillman closed 2 years ago

jeff-hillman commented 2 years ago

ubuntu 20.04.5 juju 2.9.37 charm latest/stable rev CH:9

When running sudo usg fix disa_stig against an ubuntu 20.04.5 machine, it becomes DISA-STIG compliant.

Running `juju add-machine <user>@<ip>` and then `juju deploy ubuntu --to 0; juju deploy lldpd; juju add-relation lldpd ubuntu` causes DISA-STIG to no longer be compliant.

Specifically, running a diff between the compliant results of `sudo usg audit disa_stig` and the results taken after deploying the lldpd charm gives the following diff:

-    <rule-result idref="file_groupownership_system_commands_dirs" time="2022-11-18T17:04:27" severity="medium" weight="1.000000">
-      <result>pass</result>
+    <rule-result idref="file_groupownership_system_commands_dirs" time="2022-11-18T17:13:34" severity="medium" weight="1.000000">
+      <result>fail</result>
       <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref name="oval:ssg-file_groupownership_system_commands_dirs:def:1" href="ssg-ubuntu2004-oval.xml"/>
       </check>
     </rule-result>

and

-    <rule-result idref="file_ownership_binary_dirs" time="2022-11-18T17:04:27" severity="medium" weight="1.000000">
-      <result>pass</result>
+    <rule-result idref="file_ownership_binary_dirs" time="2022-11-18T17:13:34" severity="medium" weight="1.000000">
+      <result>fail</result>
       <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref name="oval:ssg-file_ownership_binary_dirs:def:1" href="ssg-ubuntu2004-oval.xml"/>
       </check>
     </rule-result>

The lldpd charm is breaking the file_groupownership_system_commands_dirs and file_ownership_binary_dirs DISA-STIG compliance.

ivoks commented 2 years ago

Hi Jeff,

Looking at the output, it seems that it's complaining about permissions on the filesystem. I can only guess which file it's complaining about (probably /usr/sbin/lldpcli). Either way, the lldpd charm does not create that file, or any other file on the filesystem (unless explicitly asked). You are most probably having an issue with the lldpd package itself and its requirement to use setuid, which, I could imagine, DISA doesn't like. Closing this as a non-issue for the lldpd charm.
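The two failing rules only report pass/fail, so the diff above does not say which file tripped them. The following script, added here as an example and not part of the charm or of either comment, walks the system command directories and lists every file whose owner or group is not root, tagged with the rule it would fail. The directory list is assumed from the scap-security-guide rule descriptions, and the sample tree with its uids/gids is constructed for the demo.

```python
import os
from typing import Callable, List, Tuple

# Directories the two failing rules cover. Assumed from the scap-security-guide
# rule descriptions; adjust if your benchmark profile lists different paths.
SYSTEM_COMMAND_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin",
                       "/usr/local/bin", "/usr/local/sbin"]


def audit_ownership(dirs: List[str], walk: Callable = os.walk,
                    lstat: Callable = os.lstat) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file under `dirs` not owned by uid 0 / gid 0.

    `walk` and `lstat` are injectable so the logic can run over constructed data
    without root; by default the live filesystem is scanned. Symlinks are judged
    by their own ownership (lstat), not their target's.
    """
    findings = []
    for top in dirs:
        for root, _subdirs, files in walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = lstat(path)
                except FileNotFoundError:
                    continue  # entry vanished mid-scan; nothing to assess
                if st.st_uid != 0:
                    findings.append((path, f"file_ownership_binary_dirs: uid {st.st_uid}"))
                if st.st_gid != 0:
                    findings.append((path, f"file_groupownership_system_commands_dirs: gid {st.st_gid}"))
    return findings


# Constructed sample tree with hypothetical uids/gids (not a real lldpd install):
# one root:root binary and one owned by an unprivileged uid and gid.
SAMPLE_TREE = {"/usr/sbin/lldpd": (0, 0), "/usr/sbin/lldpcli": (1000, 1000)}


def demo_findings() -> List[Tuple[str, str]]:
    """Run the audit over SAMPLE_TREE through injected walk/lstat stand-ins."""
    class St:  # minimal stat_result stand-in
        def __init__(self, uid: int, gid: int):
            self.st_uid, self.st_gid = uid, gid

    def walk(top):
        yield top, [], [os.path.basename(p) for p in SAMPLE_TREE if os.path.dirname(p) == top]

    return audit_ownership(["/usr/sbin"], walk=walk, lstat=lambda p: St(*SAMPLE_TREE[p]))


if __name__ == "__main__":  # live scan; run as root so every entry is readable
    for path, reason in audit_ownership(SYSTEM_COMMAND_DIRS):
        print(f"{path}\t{reason}")
```

Running it on the machine before and after `juju deploy lldpd` shows exactly which file changed owner or group, which is the evidence needed to decide whether the fix belongs in the charm, the package, or the benchmark profile.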