Improve audit_rules_privileged_commands #12607

Status: Open. Wants to merge 2 commits into base: master.
Expand Up @@ -11,7 +11,11 @@ KEY="privileged"
SYSCALL_GROUPING=""

FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
if {{{ bash_bootc_build() }}} ; then
PARTITIONS="/"
else
PARTITIONS=$(findmnt -n -l -k -it "$FILTER_NODEV" | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
fi
for PARTITION in $PARTITIONS; do
PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
for PRIV_CMD in $PRIV_CMDS; do
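Review bot: the bootc branch sets `PARTITIONS="/"` without a comment explaining why the `findmnt` enumeration in the `else` branch is not usable during a bootc build; add one line above the `if` stating the reason. Also, because the loop below runs `find "${PARTITION}" -xdev`, that branch only ever walks the root filesystem, so setuid/setgid binaries on any other mount of the deployed image get no audit rule; confirm that is the intended scope, or list the extra mount points explicitly. Quoting `"$FILTER_NODEV"` in the `else` branch is a good fix over the removed line.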
Expand Up @@ -24,7 +24,7 @@

<!-- First define OVAL entities that can be reused across tests below -->
<linux:partition_state id="state_audit_rules_privileged_commands_dev_partitons" version="1">
<linux:device operation="pattern match">^/dev/.*$</linux:device>
<linux:device operation="pattern match">^(/dev/.*|composefs)$</linux:device>
</linux:partition_state>

<linux:partition_state id="state_audit_rules_privileged_commands_nosuid_partitons" version="1">
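Review bot: the widened pattern `^(/dev/.*|composefs)$` accepts the literal device name `composefs`, but nothing in the diff says which systems report that as a partition's device (presumably ostree/bootc hosts with a composefs-backed root); add an XML comment above the state so the next reader knows the literal is deliberate and not a typo. The pre-existing misspelling in the state id (`partitons`) is untouched here and fine to leave for a separate cleanup.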
Expand Down Expand Up @@ -64,6 +64,11 @@
<unix:filepath operation="pattern match">^/var/tmp/dracut.*</unix:filepath>
</unix:file_state>

<unix:file_state id="state_audit_rules_privileged_commands_sysroot" version="1"
comment="Used to filter out all files in the /sysroot directory">
<unix:filepath operation="pattern match">^/sysroot/.*$</unix:filepath>
</unix:file_state>

<!-- This file_object will only find privileged commands located only in file systems that allow
their execution. The recurse_file_system parameter is set to defined in order to make sure
the probe doesn't leave the scope of that mount point. For example, when probing "/", the
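Review bot: the `comment` attribute on `state_audit_rules_privileged_commands_sysroot` says what the state matches but not why files under /sysroot must be skipped; extend it to say whether the point is to avoid reporting the deployment tree twice (it is also reachable at `/`) or simply to mirror the bash remediation's bootc branch, so a future reader does not drop the filter as redundant.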
Expand All @@ -78,6 +83,7 @@
<unix:filename operation="pattern match">^\w+</unix:filename>
<filter action="include">state_setuid_or_setgid_set</filter>
<filter action="exclude">state_dracut_tmp_files</filter>
<filter action="exclude">state_audit_rules_privileged_commands_sysroot</filter>
</unix:file_object>

<local_variable id="var_audit_rules_privileged_commands_priv_cmds" version="1"
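Review bot: the new `<filter action="exclude">state_audit_rules_privileged_commands_sysroot</filter>` applies on every platform, whereas the bash remediation only changes behaviour when `bash_bootc_build()` is true; on a non-ostree host that happens to have setuid or setgid binaries under a local /sysroot directory, those files would now be silently excluded from the check. Consider gating the exclusion on the ostree/bootc platform, or document why an unconditional exclusion is acceptable.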