Improve Performance on rules probing the whole file system #11319

Merged

22 commits
c2d2700
Improve OVAL readability in file_permissions_ungroupowned
marcusburghardt Nov 17, 2023
7bf0f75
Refactor OVAL in file_permissions_ungroupowned
marcusburghardt Nov 17, 2023
634f830
Introduce OVAL macro to map local mount points
marcusburghardt Nov 23, 2023
f8f4dd1
Adopt new macro in file_permissions_ungroupowned
marcusburghardt Nov 23, 2023
d9043e9
Update file_permissions_ungroupowned description
marcusburghardt Nov 17, 2023
8730760
Include warning in file_permissions_ungroupowned
marcusburghardt Nov 23, 2023
b29b04a
Update file_permissions_unauthorized_suid description
marcusburghardt Nov 23, 2023
34fb66d
Improve OVAL readability in file_permissions_unauthorized_suid
marcusburghardt Nov 23, 2023
5089cb0
Refactor OVAL check to not collect same objects twice
marcusburghardt Nov 29, 2023
3963ecf
Adopt new macro in file_permissions_unauthorized_suid
marcusburghardt Nov 29, 2023
ec64b7a
Improve rule description in file_permissions_unauthorized_sgid
marcusburghardt Nov 30, 2023
b2589cf
Refactor OVAL in file_permissions_unauthorized_sgid
marcusburghardt Nov 30, 2023
c862b13
Improve rule description in file_permissions_unauthorized_world_writable
marcusburghardt Nov 30, 2023
d8bbe7f
Refactor OVAL in file_permissions_unauthorized_world_writable
marcusburghardt Nov 30, 2023
509f324
Improve Bash in file_permissions_unauthorized_world_writable
marcusburghardt Nov 30, 2023
7d0a19d
Improve rule description in dir_perms_world_writable_system_owned
marcusburghardt Nov 30, 2023
e8894c8
Refactor OVAL in dir_perms_world_writable_system_owned
marcusburghardt Nov 30, 2023
0f5832c
Improve rule description in dir_perms_world_writable_sticky_bits
marcusburghardt Nov 30, 2023
ac35fb2
Refactor OVAL in dir_perms_world_writable_sticky_bits
marcusburghardt Nov 30, 2023
e1a106b
Fix test scenario comment in alignment to the commands
marcusburghardt Nov 30, 2023
57c541e
Improve rule description in no_files_unowned_by_user
marcusburghardt Nov 30, 2023
1269df0
Refactor OVAL in no_files_unowned_by_user
marcusburghardt Nov 30, 2023
Refactor OVAL in dir_perms_world_writable_system_owned
Adopted the create_local_mount_points_list macro.
Simplified the test logic by removing the "negate" attribute.
marcusburghardt committed Dec 4, 2023
commit e8894c8535ec5adb7b650d6f9a50808a7ca2d09c
@@ -1,22 +1,40 @@
<def-group>
<definition class="compliance" id="dir_perms_world_writable_system_owned" version="1">
{{{ oval_metadata("All world writable directories should be owned by a system user.") }}}
<criteria comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" negate="true">
<criterion comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_uid_gt_value" />
<definition class="compliance" id="{{{ rule_id }}}" version="2">
{{{ oval_metadata("All world writable directories should be owned by a system account.") }}}
<criteria>
<criterion test_ref="test_dir_perms_world_writable_system_owned"
comment="Check world-writable directories with uid greater than or equal to {{{ uid_min }}}"/>
</criteria>
</definition>
<unix:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_uid_gt_value" version="1">
<unix:object object_ref="all_local_directories_uid" />
<unix:state state_ref="state_uid_is_user_and_world_writable" />
</unix:file_test>
<unix:file_object comment="all local directories" id="all_local_directories_uid" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
<unix:path operation="equals">/</unix:path>
<unix:filename xsi:nil="true" />
<filter action="include">state_uid_is_user_and_world_writable</filter>
</unix:file_object>
<unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_uid_is_user_and_world_writable" version="1">
<unix:user_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:user_id>

<unix:file_state id="state_dir_perms_world_writable_system_owned" version="1"
comment="uid greater than or equal to {{{ uid_min }}} and world writable">
<unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>

{{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}
{{{ create_local_mount_points_list(var_local_mount_points) }}}

<!--
This file_object will only find files located in local and not special file systems. The
recurse_file_system parameter is set to defined in order to make sure the probe doesn't
leave the scope of that mount point. For example, when probing "/", the probe will ignore
any child directory which is a mount point for any other partition. This will ensure
considerable performance improvement. -->
<unix:file_object id="object_dir_perms_world_writable_system_owned" version="1"
comment="All world-writable directories.">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
recurse_file_system="defined"/>
<unix:path operation="equals" var_check="at least one"
var_ref="{{{ var_local_mount_points }}}"/>
<unix:filename xsi:nil="true"/>
<filter action="include">state_dir_perms_world_writable_system_owned</filter>
</unix:file_object>

<unix:file_test id="test_dir_perms_world_writable_system_owned" version="2"
check="all" check_existence="none_exist"
comment="Check the existence of world-writable directories not owned by system accounts.">
<unix:object object_ref="object_dir_perms_world_writable_system_owned"/>
</unix:file_test>
</def-group>
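Review bot: the explanatory comment placed above object_dir_perms_world_writable_system_owned says the object "will only find files located in local and not special file systems", but the object collects directories only (recurse="directories", filtered through state_dir_perms_world_writable_system_owned), so the comment should say directories to match what is actually collected. The same comment should also make clear that "local" here comes from whatever create_local_mount_points_list puts into {{{ var_local_mount_points }}}: recurse_file_system="defined" only keeps the probe from crossing out of each listed mount point, so the exclusion of special or non-local file systems rests on the macro's list, not on the behaviors element. Replacing negate="true" with check="all" check_existence="none_exist" on the test is consistent: with none_exist the test passes exactly when the object collects nothing, and the test correctly carries no state_ref since the state is already applied as the object's include filter.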