
Allow default permission for user.cfg file in UEFI systems #10884

Merged
merged 2 commits into from
Jul 20, 2023

Conversation

marcusburghardt
Member

Description:

This rule was asking 0600 permission for user.cfg file even in a UEFI boot partition.
However, UEFI usually uses a vfat file system, which makes the chmod command ineffective if the file system "umask" mount option is set to 0077, as it is by default.
If the permissions of files in /boot/efi using vfat need to be changed, the umask value should be updated in fstab.

Rationale:

CIS allows 0700 permission for /boot/efi and currently it is the only profile using this rule.
This PR makes 0700 permission accepted.

This rule was asking 0600 permission for user.cfg file even in a UEFI
boot partition. However, UEFI usually uses a VFAT file system, which
makes the chmod command ineffective if the filesystem "umask" mount
option is set to "0077", as it is by default. If the permissions of
files in /boot/efi using VFAT file system need to be changed, the umask
value should be updated in fstab. In addition, CIS allows 0700
permission for /boot/efi and currently it is the only profile using
this rule. This PR makes 0700 permission accepted.
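The description above explains why chmod cannot change the mode of a file on a vfat /boot/efi: the mode every file reports is derived from the mount's umask/fmask option, not stored on disk. The following script is an added example, not code from this PR or from the ComplianceAsCode project; it derives the effective file mode from a constructed /proc/mounts-style line and checks it against the bits the corrected remediation strips (setuid, setgid, sticky, and all group/other bits). The sample mount line and the fallback of 022 when no mask option is present are assumptions made for the example; on a real host the kernel's fallback is the umask of the process that performed the mount, and the line would be read from /proc/mounts.

```shell
#!/bin/sh
# Added example (not part of the PR or the ComplianceAsCode project).
# Derive the mode a file on a vfat mount reports from the mount options,
# and check whether that mode satisfies the corrected rule.

# Constructed sample line in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNT_LINE='/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0'

# Effective mode of a regular file on vfat: 0777 with the mask bits removed.
# The option list is walked in order; like the kernel's option parser, a later
# umask= or fmask= overrides an earlier one (umask= sets both file and directory
# masks, fmask= only the file mask, which is the one that matters here).
vfat_file_mode() {  # $1 = comma-separated mount options
    mask=""
    for opt in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$opt" in
            umask=*|fmask=*) mask=${opt#*=} ;;
        esac
    done
    # Assumption for the example: fall back to 022 when no mask is given.
    # The kernel actually falls back to the umask of the mounting process.
    [ -n "$mask" ] || mask=022
    printf '%04o\n' $(( 0777 & ~0$mask ))
}

# The corrected mode string u-s,g-xwrs,o-xwrt clears setuid (04000), setgid
# (02000), sticky (01000) and every group/other bit (0077): 07077 in total.
# Owner rwx may remain, so both 0600 and 0700 satisfy the rule.
mode_meets_rule() {  # $1 = four-digit octal mode
    [ $(( 0$1 & 07077 )) -eq 0 ]
}

# Evaluate one /proc/mounts line. Prints "not-vfat", "pass MODE" or "fail MODE".
# On a failing vfat mount, chmod will not help; the fix is the umask/fmask
# option on the /boot/efi entry in /etc/fstab.
check_efi_mount() {  # $1 = one /proc/mounts line
    set -- $1   # split into device, mountpoint, fstype, options, ...
    fstype=$3
    opts=$4
    if [ "$fstype" != vfat ]; then
        echo "not-vfat"
        return 0
    fi
    mode=$(vfat_file_mode "$opts")
    if mode_meets_rule "$mode"; then
        echo "pass $mode"
    else
        echo "fail $mode"
        echo "chmod is a no-op on vfat: set umask=0077 (or fmask=0077) on the /boot/efi entry in /etc/fstab" >&2
    fi
}

# Stand-alone run against the constructed sample line.
check_efi_mount "$SAMPLE_MOUNT_LINE"
```

With the constructed line the script reports `pass 0700`; replacing the mask options with `umask=0022` makes it report `fail 0755`, which is the case the PR description says chmod cannot repair.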
@marcusburghardt marcusburghardt added the labels bugfix (Fixes to reported bugs.) and Update Rule (Issues or pull requests related to Rules updates.) Jul 20, 2023
@jan-cerny jan-cerny self-assigned this Jul 20, 2023
@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
-chmod u-xs,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
+chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
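Review bot: the `+` line's mode string `u-s,g-xwrs,o-xwrt` no longer clears the owner execute bit, which is what lets a vfat file reported as 0700 pass, but the `chmod` still runs unconditionally on a vfat `/boot/efi`, where, as the PR description states, it has no effect when the mount's `umask` option is 0077. Consider a comment above the `chmod` saying that on vfat the reported mode comes from the `umask`/`fmask` mount option, so a system that still fails after this remediation is fixed in `/etc/fstab`, not by re-running it; otherwise an operator reading the remediation output will not know why the fix "did nothing".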

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -33,10 +33,10 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/efi/EFI/redhat/user.cfg
+- name: Ensure permission u-s,g-xwrs,o-xwrt on /boot/efi/EFI/redhat/user.cfg
   file:
     path: /boot/efi/EFI/redhat/user.cfg
-    mode: u-xs,g-xwrs,o-xwrt
+    mode: u-s,g-xwrs,o-xwrt
   when:
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - '"grub2-common" in ansible_facts.packages'
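Review bot: the `when:` conditions verify only that `/boot/efi` appears in `ansible_mounts` and that `grub2-common` is installed, so the `file:` task with `mode: u-s,g-xwrs,o-xwrt` is still applied on a vfat `/boot/efi`, where the mode cannot be changed this way. Each `ansible_mounts` entry also carries `fstype` and `options`, so the task could be skipped, or a debug message about the fstab `umask` option emitted, when the entry for `/boot/efi` has `fstype == "vfat"`. The renamed task on the `+` line is consistent with the new `mode` value.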

Collaborator

@jan-cerny jan-cerny left a comment


I have followed the reproducer on a fresh RHEL 8.8 virtual machine with UEFI. With scap-security-guide-0.1.66-2.el8.noarch, the rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg failed, but with the data stream built with your patch the rule passed, which is the expected result.

[root@localhost ~]# grub2-setpassword
Enter password: 
Confirm password: 
[root@localhost ~]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg --results-arf original.arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  fail

[root@localhost ~]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg --results-arf new.arf.xml ./ssg-rhel8-ds.xml 
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL8-rhel-8.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-v2-RHEL8-rhel-8.oval.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  pass

@codeclimate

codeclimate bot commented Jul 20, 2023

Code Climate has analyzed commit 6245d67 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).


@jan-cerny jan-cerny modified the milestones: 0.1.70, 0.1.69 Jul 20, 2023
@jan-cerny
Collaborator

The CI fail on Rawhide is caused by Python 3.12 and isn't related to the content of this PR.
