From 72cea18bfe42d1e227627c4799d5479382073614 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 30 Nov 2023 13:02:36 +0100
Subject: [PATCH] Refactor OVAL in dir_perms_world_writable_system_owned

Adopted the create_local_mount_points_list macro.
Simplified the test logic by removing the "negate" attribute.
---
 .../oval/shared.xml                           | 50 +++++++++++++------
 1 file changed, 34 insertions(+), 16 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
index 8b03bfe0ec04..52ca19abd2ba 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
@@ -1,22 +1,40 @@
 <def-group>
-  <definition class="compliance" id="dir_perms_world_writable_system_owned" version="1">
-    {{{ oval_metadata("All world writable directories should be owned by a system user.") }}}
-    <criteria comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" negate="true">
-      <criterion comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_uid_gt_value" />
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("All world writable directories should be owned by a system account.") }}}
+    <criteria>
+      <criterion test_ref="test_dir_perms_world_writable_system_owned"
+        comment="Check world-writable directories with uid greater than or equal to {{{ uid_min }}}"/>
     </criteria>
   </definition>
-  <unix:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_uid_gt_value" version="1">
-    <unix:object object_ref="all_local_directories_uid" />
-    <unix:state state_ref="state_uid_is_user_and_world_writable" />
-  </unix:file_test>
-  <unix:file_object comment="all local directories" id="all_local_directories_uid" version="1">
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-    <unix:path operation="equals">/</unix:path>
-    <unix:filename xsi:nil="true" />
-    <filter action="include">state_uid_is_user_and_world_writable</filter>
-  </unix:file_object>
-  <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_uid_is_user_and_world_writable" version="1">
-    <unix:user_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:user_id>
+
+  <unix:file_state id="state_dir_perms_world_writable_system_owned" version="1"
+    comment="uid greater than or equal to {{{ uid_min }}} and world writable">
+    <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
     <unix:owrite datatype="boolean">true</unix:owrite>
   </unix:file_state>
+
+  {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}
+  {{{ create_local_mount_points_list(var_local_mount_points) }}}
+
+  <!--
+    This file_object will only find files located in local and not special file systems. The
+    recurse_file_system parameter is set to defined in order to make sure the probe doesn't
+    leave the scope of that mount point. For example, when probing "/", the probe will ignore
+    any child directory which is a mount point for any other partition. This will ensure
+    considerable performance improvement. -->
+  <unix:file_object id="object_dir_perms_world_writable_system_owned" version="1"
+    comment="All world-writable directories.">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+      recurse_file_system="defined"/>
+      <unix:path operation="equals" var_check="at least one"
+        var_ref="{{{ var_local_mount_points }}}"/>
+    <unix:filename xsi:nil="true"/>
+    <filter action="include">state_dir_perms_world_writable_system_owned</filter>
+  </unix:file_object>
+
+  <unix:file_test id="test_dir_perms_world_writable_system_owned" version="2"
+    check="all" check_existence="none_exist"
+    comment="Check the existence of world-writable directories not owned by system accounts.">
+    <unix:object object_ref="object_dir_perms_world_writable_system_owned"/>
+  </unix:file_test>
 </def-group>