scap-security-guide/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch

146 lines
7.5 KiB
Diff
Raw Normal View History

From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:21:04 +0200
Subject: [PATCH 1/3] Add tests to ensure valid symlinks are checked
These sysctl tests help check cases when:
- A symlink points to a file out of the default default dirs
- Multile symlinks point to the same file in the default dirs
Symlinks are a valid use case how to configure sysctls.
---
.../tests/symlink_root_duplicate.fail.sh | 15 +++++++++++++++
.../tests/symlink_root_incompliant.fail.sh | 15 +++++++++++++++
.../tests/symlinks_to_same_file.pass.sh | 14 ++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
new file mode 100644
index 00000000000..c4f756a110f
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
new file mode 100644
index 00000000000..3b67676ac69
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
new file mode 100644
index 00000000000..6164d0b1ca9
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Multiple symliks to the same file should be ignored
+ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+
From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:23:41 +0200
Subject: [PATCH 2/3] Filter out symlinks referencing default dirs
Apply a filter on the collected symlinks and exclude the ones that
don't point to the default dirs.
In other words, only remove ignore options in symlinks if the files they
reference will be scanned anyway, because they are in the one of the
default dirs.
---
shared/templates/sysctl/oval.template | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 0b5cde45045..ac395d545c3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -217,10 +217,20 @@
<!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
Workaround by querying for all conf files found -->
- <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
<unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
</unix:symlink_object>
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+ ^/etc/sysctl.conf$
+ ^/etc/sysctl.d/.*$
+ ^/run/sysctl.d/.*$
+ ^/usr/lib/sysctl.d/.*$ -->
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+ </unix:symlink_state>
+
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
</local_variable>
From 156291af3ae48fc0dff668b05e9e0bbdd42868b2 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 6 May 2022 11:49:00 +0200
Subject: [PATCH 3/3] Consider file/link/dir while applying ansible remediation
on sysctl template.
---
shared/templates/sysctl/ansible.template | 1 +
1 file changed, 1 insertion(+)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index f525cf873f7..5a178fa7f49 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,6 +9,7 @@
paths: "/etc/sysctl.d/"
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
patterns: "*.conf"
+ file_type: any
register: find_sysctl_d
- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files