Thanks for the ack, Jan. Pushed.
There is at least one more check that has the same issue of searching
/proc and /sys. I'm not sure I should submit patches for those other
checks because there's discussion on the openscap list about how to more
precisely define what a 'local' filesystem is.
This will probably lead to a philosophical discussion about whether or
not we should define /proc and /sys as local filesystems. If we declare
them as not local, then there's no way to search them with a
recurse_file_system="local" behavior. Not the worst problem to have, as
you would just define another file_object just for special filesystems
if your check really had to look in /proc and /sys. But if we define
them as not local, that sounds strange because they are, of course,
local filesystems.
It seems like OVAL should have other recurse_file_system values, such as
'normal' and 'special'. 'normal' could mean a filesystem that represents
regular data on a disk somewhere, and 'special' could be /proc, /sys,
and other filesystems that are useful abstractions but otherwise aren't
backed by storage.
On 5/22/14 7:57 AM, Jan Lieskovsky wrote:
----- Original Message -----
From: "Paul Tittle" <[email protected]>
To: [email protected]
Sent: Wednesday, May 21, 2014 3:03:23 PM
Subject: [PATCH] exclude /sys from search in world_writeable_files
Thank you for the patch, Paul. Sample stats:
Unpatched:
----------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-oval.xml
Definition oval:ssg:def:1086: true
Evaluation done.
real 0m8.423s
user 0m7.060s
sys 0m1.330s
Patched:
--------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-patched-oval.xml
Definition oval:ssg:def:1086: true
Evaluation done.
real 0m8.370s
user 0m6.982s
sys 0m1.352s
Have also checked RHEL/6's make; the main make succeeded after applying the patch,
and the (related) check can still be performed with the freshly built & installed
rpm.
ACK for this change.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
---
...ile_permissions_unauthorized_world_writable.xml | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git
a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
index c3d4c8a..b6624c4 100644
--- a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
+++ b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
@@ -23,8 +23,10 @@
<unix:path operation="equals">/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter
action="include">state_file_permissions_unauthorized_world_write</filter>
+ <!-- don't search /proc, /sys, and some special files from /selinux -->
<filter
action="exclude">state_file_permissions_unauthorized_world_write_exclude_special_selinux_files</filter>
<filter
action="exclude">state_file_permissions_unauthorized_world_write_exclude_proc</filter>
+ <filter
action="exclude">state_file_permissions_unauthorized_world_write_exclude_sys</filter>
</unix:file_object>
<unix:file_state id="state_file_permissions_unauthorized_world_write"
version="1">
<unix:type operation="equals">regular</unix:type>
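Review bot: the added `<filter action="exclude">state_file_permissions_unauthorized_world_write_exclude_sys</filter>` only drops /sys items after the object has collected them; an OVAL filter narrows the item set, it does not change the traversal, so the probe still walks /sys. Jan's timings above (real 0m8.423s unpatched vs 0m8.370s patched) are consistent with that. As a correctness fix this is fine and mirrors the existing exclude_proc filter, but the new comment `don't search /proc, /sys, ...` overstates it; "don't report" is what the filter does, and avoiding the walk itself is the recurse_file_system behaviors question Paul raises in the reply.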
@@ -36,4 +38,7 @@
<unix:file_state
id="state_file_permissions_unauthorized_world_write_exclude_proc"
version="1">
<unix:filepath operation="pattern match">^/proc/.*$</unix:filepath>
</unix:file_state>
+ <unix:file_state
id="state_file_permissions_unauthorized_world_write_exclude_sys"
version="1">
+ <unix:filepath operation="pattern match">^/sys/.*$</unix:filepath>
+ </unix:file_state>
</def-group>
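Review bot: the new `state_file_permissions_unauthorized_world_write_exclude_sys` mirrors the exclude_proc state line for line, which keeps the two easy to compare; the pattern `^/sys/.*$` matches everything below /sys but not the mount point itself, which is acceptable here because the include state already restricts results to regular files. Since this hunk adds the state without any comment, consider carrying the pseudo-filesystem note from the first hunk down to the state definitions too, so the three exclude states read as one group.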
--
1.7.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
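An added illustration of the two approaches discussed in this thread (constructed here, not code from the patch or from scap-security-guide): (a) the exclude-filter approach the patch uses, and (b) the recurse_file_system="local" behaviors approach Paul contrasts, with a separate object for /proc as he suggests. The object and state ids are made up, and (b) assumes that the probe treats /proc and /sys as non-local, which is exactly the point still open on the openscap list.

```xml
<!-- Constructed example, not from the patch above: two ways to keep
     pseudo-filesystems out of a world-writable-files check.
     Namespaces follow the SSG check files (default = oval-def, unix:). -->
<def-group>
  <!-- (a) as in the patch: walk everything under /, then drop /proc and
       /sys matches with exclude filters. The probe still traverses both
       trees; only the collected items are filtered. -->
  <unix:file_object id="object_ww_files_filtered" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down"
                    recurse_file_system="all"/>
    <unix:path operation="equals">/</unix:path>
    <unix:filename operation="pattern match">^.*$</unix:filename>
    <filter action="include">state_ww_regular_file</filter>
    <filter action="exclude">state_ww_exclude_proc</filter>
    <filter action="exclude">state_ww_exclude_sys</filter>
  </unix:file_object>

  <!-- (b) let the behaviors element decide. Assumption: "local" skips
       /proc and /sys; whether it should is the open question. -->
  <unix:file_object id="object_ww_files_local_only" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down"
                    recurse_file_system="local"/>
    <unix:path operation="equals">/</unix:path>
    <unix:filename operation="pattern match">^.*$</unix:filename>
    <filter action="include">state_ww_regular_file</filter>
  </unix:file_object>

  <!-- Under (b), a check that really needs /proc gets its own object
       rooted there (recurse_file_system defaults to "all"). -->
  <unix:file_object id="object_ww_files_proc_only" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down"/>
    <unix:path operation="equals">/proc</unix:path>
    <unix:filename operation="pattern match">^.*$</unix:filename>
    <filter action="include">state_ww_regular_file</filter>
  </unix:file_object>

  <!-- regular file with the world-write bit set -->
  <unix:file_state id="state_ww_regular_file" version="1">
    <unix:type operation="equals">regular</unix:type>
    <unix:owrite datatype="boolean">true</unix:owrite>
  </unix:file_state>
  <unix:file_state id="state_ww_exclude_proc" version="1">
    <unix:filepath operation="pattern match">^/proc/.*$</unix:filepath>
  </unix:file_state>
  <unix:file_state id="state_ww_exclude_sys" version="1">
    <unix:filepath operation="pattern match">^/sys/.*$</unix:filepath>
  </unix:file_state>
</def-group>
```

Whichever form is used, Jan's timings above are the quick check: if the run time barely moves, the exclude is filtering results rather than avoiding the walk.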