The following commit in openscap causes proc to be considered a 'local'
filesystem.
---
commit a9d98d697d85cb7f26c615543276e042c9749af0
Author: Tomas Heinrich <[email protected]>
Date:   Tue Nov 12 11:01:21 2013 +0100

    OVAL: change the algo used to distinguish 'local' and 'remote' fs

    With 'local', fts now descends into /proc and /sys, among others,
    which were previously excluded. This can cause performance issues.
---

The 'world_writeable_files' test will fail if a world-writeable
regular file is found. So we must mask out /proc files with a filter.
I did a `find / -perm -002 -type f` and also found some 'special' files
in /selinux that are world-writeable and type f, so a filter has been
added for those too.
---
 ...ile_permissions_unauthorized_world_writable.xml |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git 
a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml 
b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
index 599ad98..c3d4c8a 100644
--- a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
+++ b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
@@ -23,9 +23,17 @@
     <unix:path operation="equals">/</unix:path>
     <unix:filename operation="pattern match">^.*$</unix:filename>
     <filter 
action="include">state_file_permissions_unauthorized_world_write</filter>
+    <filter 
action="exclude">state_file_permissions_unauthorized_world_write_exclude_special_selinux_files</filter>
+    <filter 
action="exclude">state_file_permissions_unauthorized_world_write_exclude_proc</filter>
   </unix:file_object>
   <unix:file_state id="state_file_permissions_unauthorized_world_write" 
version="1">
     <unix:type operation="equals">regular</unix:type>
     <unix:owrite datatype="boolean">true</unix:owrite>
   </unix:file_state>
+  <unix:file_state 
id="state_file_permissions_unauthorized_world_write_exclude_special_selinux_files"
 version="1">
+    <unix:filepath operation="pattern 
match">^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$</unix:filepath>
+  </unix:file_state>
+  <unix:file_state 
id="state_file_permissions_unauthorized_world_write_exclude_proc" version="1">
+    <unix:filepath operation="pattern match">^/proc/.*$</unix:filepath>
+  </unix:file_state>
 </def-group>
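Review bot: The two new exclude states carry no explanation of why all of `/proc` and six files under `/selinux` are dropped from a check whose purpose is to find world-writable regular files, so a later maintainer could read them as a weakening of the control rather than a pseudo-filesystem workaround; add an XML comment above the first exclude state, e.g. `<!-- procfs and selinuxfs expose world-writable pseudo-files that are not on-disk content; exclude them so only real files are reported -->`. The selinux pattern wraps every alternative in its own non-capturing group, which is redundant; `^/selinux/(?:member|user|relabel|create|access|context)$` matches the same set and is easier to read. The commit message notes that fts now also descends into /sys, which this patch does not exclude; presumably no world-writable regular files turn up there, but that is worth confirming on a RHEL 6 host before relying on the check. The unix:file_object that receives the new filters starts before the hunk.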
-- 
1.7.1
