Should files in /tmp be checked for permissions when using tmpfs?
Description of problem:
Some policies require a separate partition for /tmp, but when this is not required and /tmp uses a tmpfs file system, the mount point will be ignored by rules using the create_local_mount_points_list macro.
This macro was introduced by #11319 and brought significant performance improvements by, among other aspects, skipping remote and pseudo file systems during the scan.
After a recent analysis I noticed a possible case that could impact the following rules:
- file_permissions_unauthorized_sgid
- file_permissions_unauthorized_suid
- file_permissions_unauthorized_world_writable
- file_permissions_ungroupowned
- no_files_unowned_by_user
These rules check file permissions or ownership.
In a scenario where the system uses tmpfs for /tmp, a non-compliant file stored in /tmp (a plausible case given the nature of /tmp) would not be reported by these rules.
On the other hand, tmpfs is not persistent and this could minimize the risk.
The solution seems simple: ensure /tmp is always checked regardless of whether it uses tmpfs or a device partition.
However, it is very hard to do this using OVAL without big changes in the macro or in these specific rules.
I tried some tests updating the macro in order to include /tmp unconditionally in the resulting variable but had no success.
I am filing this issue here so others can also give insights on how to solve it using OVAL or even comment on how relevant this issue is.
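As an added illustration that is not part of this issue or of the project's code, the shell script below approximates the macro's mount-point filtering on a constructed /proc/mounts sample (the remote and pseudo file-system lists are assumptions, not the macro's actual lists) and shows how forcing /tmp into the list changes what a world-writable scan covers.

```shell
#!/bin/sh
# Constructed /proc/mounts sample (not from a real host): /tmp is tmpfs-backed.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home xfs rw,relatime 0 0
nfs.example.test:/export /mnt/nfs nfs4 rw 0 0'

# Assumed (approximate) lists of file-system types to skip; the real macro's lists may differ.
REMOTE_FS='nfs|nfs4|cifs|smbfs|sshfs'
PSEUDO_FS='proc|sysfs|tmpfs|devtmpfs|devpts|cgroup|cgroup2|securityfs|debugfs|autofs|binfmt_misc'

# Approximation of create_local_mount_points_list: print mount points whose type is
# neither remote nor pseudo. Because tmpfs counts as pseudo, a tmpfs /tmp is dropped.
local_mount_points() {
  printf '%s\n' "$SAMPLE_MOUNTS" |
    awk -v remote="^($REMOTE_FS)\$" -v pseudo="^($PSEUDO_FS)\$" \
      '$3 !~ remote && $3 !~ pseudo { print $2 }'
}

# The workaround the issue proposes: the same list, with /tmp appended when it is missing.
mount_points_with_tmp() {
  local_mount_points
  local_mount_points | grep -qx '/tmp' || printf '/tmp\n'
}

# One of the affected checks (file_permissions_unauthorized_world_writable), run per
# mount point with -xdev so each scan stays on its own file system.
scan_world_writable() {
  for mp in "$@"; do
    find "$mp" -xdev -type f -perm -0002 2>/dev/null
  done
}

# Stand-alone demonstration: with the sample mounts, the macro-style list never visits /tmp.
if [ "${1:-}" = "demo" ]; then
  echo "macro-style list:";         local_mount_points
  echo "list with /tmp forced in:"; mount_points_with_tmp
fi
```

Run with `sh script.sh demo` to print both lists; on the sample data only the second one includes /tmp, so only a scan driven by it would see a world-writable file stored there.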
SCAP Security Guide Version:
master as of 2024-05-08