Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new rule file_permissions_sudo #11584

Merged
merged 1 commit into from
Feb 22, 2024
Merged

Add new rule file_permissions_sudo #11584

merged 1 commit into from
Feb 22, 2024

Conversation

Mab879
Copy link
Member

@Mab879 Mab879 commented Feb 13, 2024

Description:

Add new rule file_permissions_sudo

Rationale:

To cover ANSSI R38

@Mab879 Mab879 added New Rule Issues or pull requests related to new Rules. ANSSI ANSSI Benchmark related. labels Feb 13, 2024
@Mab879 Mab879 added this to the 0.1.73 milestone Feb 13, 2024
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Mab879
Copy link
Member Author

Mab879 commented Feb 13, 2024

/packit retest-failed

@jan-cerny jan-cerny self-assigned this Feb 14, 2024
@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

@Mab879 Testing farm fail is legit, it fail in the rule file_permissions_sudo in the ANSSI profile. The actual permissions are of /usr/bin/sudo are 4111.

@Mab879
Copy link
Member Author

Mab879 commented Feb 15, 2024

/packit retest-failed

@Mab879
Copy link
Member Author

Mab879 commented Feb 15, 2024

@Mab879 Testing farm fail is legit, it fail in the rule file_permissions_sudo in the ANSSI profile. The actual permissions are of /usr/bin/sudo are 4111.

So I misread the permissions in ANSSI, they are looking for 4110, but that might not be possible.

jan-cerny
jan-cerny reviewed Feb 16, 2024
View reviewed changes
linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml Outdated
name: "file_permissions"
vars:
filepath: "/usr/bin/sudo"
filemode: '4110'
Copy link
Collaborator

@jan-cerny jan-cerny Feb 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI still fails so we will probably need to change it to 4111.

The HTML report from the testing farm https://artifacts.dev.testing-farm.io/ae6aeb0b-5999-4a1d-ad23-2291c000eb50/work-ansible-anssivlxuhmw6/tests/fmf-plans/ansible-anssi/execute/data/guest/default-0/Sanity/ansible-machine-hardening/anssi_bp28_high-1/data/anssi_bp28_high.html indicates that 4111 .

On my machine:

jcerny@fedora:~$ stat -c %a /usr/bin/sudo
4111

But I haven't investigated it further.

linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml Outdated
title: 'Ensure That the sudo Binary Has the Correct Permissions'

description: |-
{{{ describe_file_permissions("/usr/bin/sudo", "4750") | indent(4) }}}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the value of the permissions will have to be the same as in the template section

@Mab879
Copy link
Member Author

Mab879 commented Feb 16, 2024

Moving to 4111 as 4110 doesn't seem possible.

@codeclimate CodeClimate
Copy link

codeclimate bot commented Feb 16, 2024

Code Climate has analyzed commit 257bf01 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).

View more on Code Climate.

@jan-cerny
Copy link
Collaborator

/packit retest-failed

2 similar comments
@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest- failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

5 similar comments
@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny jan-cerny merged commit 570eeb7 into ComplianceAsCode:master Feb 22, 2024
44 checks passed
@Mab879 Mab879 deleted the update_r38 branch February 22, 2024 13:21
@obp-anssi obp-anssi mentioned this pull request Apr 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels
ANSSI ANSSI Benchmark related. New Rule Issues or pull requests related to new Rules.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging this pull request may close these issues.
2 participants
@Mab879 @jan-cerny