audit_rules_privileged commands: skip /proc directory #10471
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
@@ -31,6 +31,13 @@
specific privileged commands, other more specific rules should be considered. For example:
audit_rules_privileged_commands_suaudit_rules_privileged_commands_umountaudit_rules_privileged_commands_passwd
+[warning]:
+Note that OVAL check and Bash / Ansible remediation of this rule
+explicitly excludes file systems mounted at /proc directory
+and its subdirectories. It is a virtual file system and it doesn't
+contain executable applications. At the same time, interacting with this
+file system during check or remediation caused undesirable errors.
+
[reference]:
BP28(R73)
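Review bot: the new [warning] paragraph should say which error it refers to, since "caused undesirable errors" on the last line gives a reader of the rendered guide nothing to act on; the PR description ties this to #10450, so naming that symptom (the OpenSCAP error seen with the ANSSI high profile) or linking the issue would make the warning useful. The same lines also need small wording fixes: "Note that OVAL check and Bash / Ansible remediation" wants articles ("the OVAL check and the Bash / Ansible remediations"), and "mounted at /proc directory and its subdirectories" reads better as "mounted under the /proc directory and its subdirectories".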
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
@@ -8,7 +8,7 @@
SYSCALL_GROUPING=""
FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }')
+PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
for PARTITION in $PARTITIONS; do
PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
for PRIV_CMD in $PRIV_CMDS; do
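Review bot: the added pattern in `grep -Pv "noexec|nosuid|/proc($|/.*$)"` is unanchored and is applied to the whole findmnt line (target, source, fstype and options columns), not just to the mount target, so any mount whose path merely contains a `/proc` component, for example a bind mount at `/srv/proc`, is dropped from PARTITIONS as well. Since the intent stated in the warning is to skip `/proc` and its subdirectories only, consider anchoring the match to the start of the line (`^/proc($|/)`) or moving the exclusion into the following awk, e.g. `awk '$1 !~ /^\/proc(\/|$)/ { print $1 }'`, so only the TARGET column is tested.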
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
@@ -23,7 +23,8 @@
List of Mount Points Which Permits Execution of Privileged Commands
ansible.builtin.set_fact:
privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'',
- ''noexec|nosuid'') | map(attribute=''mount'') | list ) }}'
+ ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'')
+ | list ) }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] |
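Review bot: the Ansible side uses `rejectattr('mount', 'match', '/proc($|/.*$)')`, and Jinja's `match` test anchors at the start of the string, so this correctly excludes only `/proc` itself and paths below it; the Bash remediation in the same PR uses an unanchored grep over the whole findmnt line, so the two remediations can disagree on a mount path that contains `/proc` elsewhere. Please align the two (anchor the Bash regex to match this one); the trailing `.*$` is also redundant under `match` and `/proc($|/)` would express the same thing more plainly.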
Code Climate has analyzed commit 8086f23 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change).
/packit retest-failed
Thanks for the fix and for the great investigation in #10450. I have successfully tested the rule in local VMs and confirmed the relevant CI tests are no longer reporting the error mentioned in the issue. The removal of the /proc mount point is safe in the context of this rule.
Description:
Rationale:
This directory should not be scanned anyway: it is a virtual file system and it should not contain any executable programs.
Scanning of this directory caused undesirable side effects, e.g. OpenSCAP showing a confusing error.
Fixes #10450 (ANSSI high profile triggers OpenSCAP error).
Review Hints:
There is no test scenario as you can't effectively modify the /proc file system by standard means.
I suggest reviewing the changes to OVAL, Bash and Ansible.