----- Original Message -----
From: "Paul Tittle" <ptittle(a)cmf.nrl.navy.mil>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, May 20, 2014 9:24:44 PM
Subject: [PATCH] exclude proc/selinux files from world_writeable_files
The following commit in openscap causes proc to be considered a 'local'
filesystem.
---
commit a9d98d697d85cb7f26c615543276e042c9749af0
Author: Tomas Heinrich <theinric(a)redhat.com>
Date: Tue Nov 12 11:01:21 2013 +0100
OVAL: change the algo used to distinguish 'local' and 'remote' fs
With 'local', fts now descends into /proc and /sys, among others,
which were previously excluded. This can cause performance issues.
---
The 'world_writeable_files' test will fail if a world-writeable
regular file is found. So we must mask out /proc files with a filter.
I did a `find / -perm -002 -type f` and also found some 'special' files
in /selinux that are world-writeable and type f, so a filter has been
added for those too.
Just to explicitly see the performance difference / gain / improvement
for that rule.
Unpatched:
----------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-oval.xml
Definition oval:ssg:def:1086: false
Evaluation done.
real 0m14.138s
user 0m7.327s
sys 0m2.590s
Patched:
--------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-oval-patched.xml
Definition oval:ssg:def:1086: true
Evaluation done.
real 0m8.038s
user 0m6.783s
sys 0m1.232s
=> ACK, thank you for the patch.
Btw. (IMHO) another good candidate for exclusion is /sys filesystem due the reasons
outlined below:
* it should be considered as dump of kernel data structures, their attributes (&
linkage
between them) to userspace (from
https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt) =>
as such there shouldn't be reason / need why even administrator should want to
update file
permissions on the files under that subdirectory (if the permissions should be changed,
it's
bug of the package / kernel module creating that file, and it should be reported)
* change of permissions (even when performed as root) from user-space holds only till the
next reboot (if not implemented via the particular module directly) => even the fix
would
be only temporary
* last, but not least, /sys contains lot of symlink loops, which by themselves might cause
the
scanner to enter such infinite loop => IMHO I would propose /sys filesystem to be
excluded from
scan too (just margin note).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
---
...ile_permissions_unauthorized_world_writable.xml | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git
a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
index 599ad98..c3d4c8a 100644
--- a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
+++ b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml
@@ -23,9 +23,17 @@
<unix:path operation="equals">/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter
action="include">state_file_permissions_unauthorized_world_write</filter>
+ <filter
action="exclude">state_file_permissions_unauthorized_world_write_exclude_special_selinux_files</filter>
+ <filter
action="exclude">state_file_permissions_unauthorized_world_write_exclude_proc</filter>
</unix:file_object>
<unix:file_state id="state_file_permissions_unauthorized_world_write"
version="1">
<unix:type operation="equals">regular</unix:type>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
+ <unix:file_state
id="state_file_permissions_unauthorized_world_write_exclude_special_selinux_files"
version="1">
+ <unix:filepath operation="pattern
match">^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$</unix:filepath>
+ </unix:file_state>
+ <unix:file_state
id="state_file_permissions_unauthorized_world_write_exclude_proc"
version="1">
+ <unix:filepath operation="pattern
match">^/proc/.*$</unix:filepath>
+ </unix:file_state>
</def-group>
--
1.7.1
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide