Improve audit_rules_privileged_commands

[jan-cerny]

The rule audit_rules_privileged_commands needs to be adjusted because it doesn't work in bootable containers.

• exclude /sysroot from searching for privileged commands
• include composefs as a valid type of filesystem partition
• apply remediations on the root filesystem during image build

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- oval:ssg-audit_rules_privileged_commands:def:1
+++ oval:ssg-audit_rules_privileged_commands:def:1
@@ -1,9 +1,23 @@
 criteria OR
 criteria AND
 extend_definition oval:ssg-audit_rules_augenrules:def:1
+criteria OR
+criteria AND
+extend_definition oval:ssg-bootc:def:1
+criterion oval:ssg-test_augenrules_all_priv_cmds_covered_bootc:tst:1
+criterion oval:ssg-test_augenrules_count_matches_system_priv_cmds_bootc:tst:1
+criteria AND
+extend_definition oval:ssg-bootc:def:1
 criterion oval:ssg-test_augenrules_all_priv_cmds_covered:tst:1
 criterion oval:ssg-test_augenrules_count_matches_system_priv_cmds:tst:1
 criteria AND
 extend_definition oval:ssg-audit_rules_auditctl:def:1
+criteria OR
+criteria AND
+extend_definition oval:ssg-bootc:def:1
 criterion oval:ssg-test_auditctl_all_priv_cmds_covered:tst:1
 criterion oval:ssg-test_auditctl_count_matches_system_priv_cmds:tst:1
+criteria AND
+extend_definition oval:ssg-bootc:def:1
+criterion oval:ssg-test_auditctl_all_priv_cmds_covered:tst:1
+criterion oval:ssg-test_auditctl_count_matches_system_priv_cmds:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
@@ -7,12 +7,10 @@
 KEY="privileged"
 SYSCALL_GROUPING=""
 
-FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
-for PARTITION in $PARTITIONS; do
-  PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
-  for PRIV_CMD in $PRIV_CMDS; do
-    OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
+function add_audit_rule()
+{
+    local PRIV_CMD="$1"
+    local OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
     # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
     unset syscall_a
     unset syscall_grouping
@@ -319,8 +317,23 @@
             sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
         fi
     fi
+}
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+  PRIV_CMDS=$(find / -perm /6000 -type f -not -path "/sysroot/*" 2>/dev/null)
+  for PRIV_CMD in $PRIV_CMDS; do
+    add_audit_rule $PRIV_CMD
   done
-done
+else
+  FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+  PARTITIONS=$(findmnt -n -l -k -it "$FILTER_NODEV" | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+  for PARTITION in $PARTITIONS; do
+    PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
+    for PRIV_CMD in $PRIV_CMDS; do
+      add_audit_rule $PRIV_CMD
+    done
+  done
+fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

[jan-cerny]

We need to change this PR because we have discovered that the OVAL doesn't work properly during the podman build process. The OVAL fails because it isn't able to detect any partitions on the system. The remediation seems to work fine. After the remediation the rule is failing, but after the boot the rule is passing.

We need to examine better how the partitions work during podman build. We need to come up with an OVAL that is customized for this environment. We need to make sure that this OVAL fails before and passes after the remediation. Then, we need to merge in this customized OVAL into the existing OVAL so that the OVAL would work both during the podman build and during evaluation of a booted system.

[jan-cerny]

I have changed the OVAL. It now contains special branch for the bootable containers environment. This code branch searches for the privileged commands in the whole / file system, except /sysroot. The branch doesn't use OVAL partition_test at all.

[codeclimate]

Code Climate has analyzed commit 4db5e72 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

View more on Code Climate.