
From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:21:04 +0200
Subject: [PATCH 1/2] Add tests to ensure valid symlinks are checked
These sysctl tests help check cases when:
- A symlink points to a file outside the default dirs
- Multiple symlinks point to the same file in the default dirs

Symlinks are a valid way to configure sysctls.
---
 .../tests/symlink_root_duplicate.fail.sh          | 15 +++++++++++++++
 .../tests/symlink_root_incompliant.fail.sh        | 15 +++++++++++++++
 .../tests/symlinks_to_same_file.pass.sh           | 14 ++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
e1877a
new file mode 100644
e1877a
index 00000000000..c4f756a110f
e1877a
--- /dev/null
e1877a
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
e1877a
@@ -0,0 +1,15 @@
e1877a
+#!/bin/bash
e1877a
+
e1877a
+# Clean sysctl config directories
e1877a
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
e1877a
+
e1877a
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
e1877a
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
e1877a
+
e1877a
+# Put a config file out of the default dirs
e1877a
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf
e1877a
+
e1877a
+# Add a symlink
e1877a
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
e1877a
+
e1877a
+sysctl -w net.ipv4.conf.default.accept_source_route=0
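Review bot: The `echo ... >> /root/root-sysctl.conf` line appends rather than overwrites, so unlike the sysctl.d directories cleaned on the `rm -rf` line, `/root/root-sysctl.conf` is never reset and a leftover file from an earlier scenario run would carry extra, possibly conflicting, definitions into this one. Since the file is meant to hold exactly one setting, `echo "net.ipv4.conf.default.accept_source_route = 0" > /root/root-sysctl.conf` makes the scenario self-contained. The expected failure is presumably the duplicate definition (the same value in `/etc/sysctl.conf` and in the symlinked file outside the default dirs); a comment such as `# Expected to fail: the setting is defined twice (sysctl.conf and the symlinked file)` would make the `.fail.sh` outcome easy to verify against the rule's intent.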
e1877a
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
e1877a
new file mode 100644
e1877a
index 00000000000..3b67676ac69
e1877a
--- /dev/null
e1877a
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
e1877a
@@ -0,0 +1,15 @@
e1877a
+#!/bin/bash
e1877a
+
e1877a
+# Clean sysctl config directories
e1877a
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
e1877a
+
e1877a
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
e1877a
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
e1877a
+
e1877a
+# Put a config file out of the default dirs
e1877a
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf
e1877a
+
e1877a
+# Add a symlink
e1877a
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
e1877a
+
e1877a
+sysctl -w net.ipv4.conf.default.accept_source_route=0
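Review bot: Both symlink scenarios use an absolute link target on the `ln -s` line, so nothing exercises a relative target such as `ln -s ../../root/root-sysctl.conf /etc/sysctl.d/90-root.conf`, which is the case where resolving the link to its canonical path (rather than comparing the literal link text) actually matters for the filter introduced in the companion template change. A further scenario with a relative target, or a symlink chain (a link pointing to another link), would pin down that the non-compliant value `1` in the out-of-tree file is still reported. As in the sibling scenario, `>>` on the `/root/root-sysctl.conf` line should be `>` so the file does not accumulate definitions across runs.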
e1877a
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
e1877a
new file mode 100644
e1877a
index 00000000000..6164d0b1ca9
e1877a
--- /dev/null
e1877a
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
e1877a
@@ -0,0 +1,14 @@
e1877a
+#!/bin/bash
e1877a
+
e1877a
+# Clean sysctl config directories
e1877a
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
e1877a
+
e1877a
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
e1877a
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
e1877a
+
e1877a
+# Multiple symliks to the same file should be ignored
e1877a
+ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf
e1877a
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
e1877a
+
e1877a
+sysctl -w net.ipv4.conf.default.accept_source_route=0
e1877a
+
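Review bot: The comment `# Multiple symliks to the same file should be ignored` has a typo and understates the expectation: the symlinks are not ignored, the scanner is expected to treat the three paths (`/etc/sysctl.conf` plus the two links to it) as a single definition of the sysctl, so the scenario passes instead of reporting a duplicate. `# Multiple symlinks to the same file must count as one definition, not a duplicate` states that directly. The script also ends with a trailing blank line that the two sibling scenarios do not have.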
From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:23:41 +0200
Subject: [PATCH 2/2] Filter out symlinks referencing default dirs
Apply a filter on the collected symlinks and exclude the ones that
don't point to the default dirs.
In other words, only remove ignore options in symlinks if the files they
reference will be scanned anyway, because they are in one of the
default dirs.
---
 shared/templates/sysctl/oval.template | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
e1877a
index 0b5cde45045..ac395d545c3 100644
e1877a
--- a/shared/templates/sysctl/oval.template
e1877a
+++ b/shared/templates/sysctl/oval.template
e1877a
@@ -217,10 +217,20 @@
e1877a
 
e1877a
   
e1877a
        Workaround by querying for all conf files found -->
e1877a
-  <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
e1877a
+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
e1877a
     <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
e1877a
+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
e1877a
   </unix:symlink_object>
e1877a
 
e1877a
+  
e1877a
+       ^/etc/sysctl.conf$
e1877a
+       ^/etc/sysctl.d/.*$
e1877a
+       ^/run/sysctl.d/.*$
e1877a
+       ^/usr/lib/sysctl.d/.*$ -->
e1877a
+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
e1877a
+    <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
e1877a
+  </unix:symlink_state>
e1877a
+
e1877a
   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
e1877a
     <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
e1877a
   </local_variable>
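Review bot: The `canonical_path` pattern on the new `unix:symlink_state` treats any path beneath `/etc/sysctl.d/`, `/run/sysctl.d/` or `/usr/lib/sysctl.d/` as "will be scanned anyway", including nested subdirectories and names without a `.conf` suffix (e.g. `/etc/sysctl.d/old/99-x.conf` or `/etc/sysctl.d/99-x.conf.bak`), which sysctl does not read from those directories; a symlink whose target is such a file would then be dropped from the ignore handling even though the target is never scanned, so its settings silently disappear from the check. Whether that is actually the behaviour depends on how the rest of the template (outside this hunk) builds the scanned set, but restricting the exclusion to direct `.conf` children, `^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/[^\/]+\.conf$)).*$`, matches what the comment above the state describes and what the new test scenarios exercise. If the template's scanned set also covers `/usr/local/lib/sysctl.d` or `/lib/sysctl.d`, those directories should appear in the same alternation, otherwise symlinks into them are filtered inconsistently with the scan.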