content icon indicating copy to clipboard operation
content copied to clipboard

Published 20 hours ago verified publisher icon ComplianceAsCode

Create mount_option_home template and use it in ol8

Open Xeicker opened this issue 3 years ago • 14 comments

Description:

  • Create mount_option_home template, this searches in which partitions are located the interactive users and checks that all those partitions have the expected mount option
  • Migrate rules mount_option_home_noexec and mount_option_home_nosuid to a new template for OL8

Rationale:

  • Covers better the expected behavior of checking the partitions where are the home directories, to have the expected mount options

Xeicker avatar Jun 07 '22 16:06 Xeicker

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Jun 07 '22 16:06 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Jun 07 '22 16:06 github-actions[bot]

/ok-to-test

Mab879 avatar Jun 07 '22 17:06 Mab879

Hello, could you please clarify what does this new template improve when compared to original mount_option template? I think it would be better to bring improvements directly into the mount_option template than creating individual templates for each partition.

vojtapolasek avatar Jun 08 '22 10:06 vojtapolasek

Hello, could you please clarify what does this new template improve when compared to original mount_option template?

This template searches for the partitions where the home directories are located instead of assuming they are in /home

Xeicker avatar Jun 08 '22 14:06 Xeicker

Hello @Xeicker this looks really interesting. I have discovered a glitch - I created a fake user having a home directory at /var/tmp. The variable with mount points then contained both /var and /var/tmp. Could you fix it? I think it needs a tweak to the regex.

vojtapolasek avatar Jun 17 '22 11:06 vojtapolasek

@vojtapolasek it is not that easy, because if /var/tmp wasn't a separate partition, then OVAL should look for the mount point /var. So the issue at the end is how to find the longest match, I wasn't able to solve that

Xeicker avatar Jun 21 '22 15:06 Xeicker

/retest

jhrozek avatar Jun 22 '22 08:06 jhrozek

I have some concerns with this approach. Checking the latest STIG benchmarks for RHEL8 and OL8, I confirmed they are almost the same, except the RHEL8 requirement (https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230302) includes an extra note:

Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding as the "noexec" option cannot be used on the "/" system.

The case mentioned by @vojtapolasek could be slightly changed to a more risky scenario. For example, if an interactive user (UID >= 1000) has the home directory set, by any reason, to /lib, /opt, /usr or even /, this remediation would be capable to break the system, for example, if binary execution is blocked in a critical partition. I am not sure for now if the system has any safe guard for this, but I would be more conservative.

I think the proper solution for this would be a an explicit recommendation from the benchmark restricting the partitions where the interactive users have a home directory. Something like, no home directory for interactive users on default mount points different than /home.

marcusburghardt avatar Jun 23 '22 12:06 marcusburghardt

@marcusburghardt well in that case I think it is reasonable to add a check in OVAL to verify that all interactive users have their home directories into /home. What do you think?

Xeicker avatar Jun 24 '22 21:06 Xeicker

@marcusburghardt well in that case I think it is reasonable to add a check in OVAL to verify that all interactive users have their home directories into /home. What do you think?

I think it could be good. However, it looks more feasible to work with an exclusion list instead of an inclusion list. For example, instead of checking if the user home directory is in /home partition, I would check if the user home directly is not in any critical partition.

marcusburghardt avatar Jul 14 '22 10:07 marcusburghardt

I made this exclusion list: "/lib","/opt", "/usr", "/bin","/sbin","/boot","/dev","/proc Also updated bash script so it updates always the correct partition (not depending on any sort of sub-string issue)

Xeicker avatar Jul 14 '22 20:07 Xeicker

It would also be great to have test scenarios in this template, so we can better test the affected rules. It is possible to use the mount_option_home_nosuid rule as reference.

marcusburghardt avatar Aug 22 '22 15:08 marcusburghardt

@marcusburghardt I included tests and made a few updates based on the development of those tests

  • OVAL pass in case no partition with interactive users is found, this could imply, there are no interactive users, or the partition isn't mounted
  • Bash first validates if the homedirectory exists, before getting the partition. This handles the situation in which the partition for this directory isn't mounted, or the directory was deleted without updating user info

Xeicker avatar Aug 26 '22 17:08 Xeicker

Code Climate has analyzed commit 6e36e9a7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.4% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Sep 06 '22 22:09 qlty-cloud-legacy[bot]

@Xeicker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-moderate 6e36e9a7ff2228efc5577a0a09ae2ac9e328443d link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-ocp4-moderate 6e36e9a7ff2228efc5577a0a09ae2ac9e328443d link true /test e2e-aws-ocp4-moderate
ci/prow/e2e-aws-ocp4-high-node 6e36e9a7ff2228efc5577a0a09ae2ac9e328443d link true /test e2e-aws-ocp4-high-node
ci/prow/e2e-aws-rhcos4-high 6e36e9a7ff2228efc5577a0a09ae2ac9e328443d link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-ocp4-cis-node 6e36e9a7ff2228efc5577a0a09ae2ac9e328443d link true /test e2e-aws-ocp4-cis-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Sep 07 '22 00:09 openshift-ci[bot]