From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:23:32 +0100
Subject: [PATCH 2/4] Update remediation to skip .bash_profile file
This file can have the umask content but for a different purpose than
this rule's intention. It was ignored in order to avoid changing the bash
history. Ansible and Bash were updated.
---
.../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
.../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
index 67064ac4a3b..3586ae69cbe 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -9,6 +9,8 @@
cmd: |
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ if [ "$(basename $file)" != ".bash_history" ]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ fi
done
done
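Review bot: The new exclusion at `if [ "$(basename $file)" != ".bash_history" ]; then` is a per-file string test layered on top of the `for file in $(find ...)` loop, so the history file is still collected and only skipped afterwards; letting `find` exclude it keeps the selection in one place and drops the nested `if`/`fi` and the extra `basename` call per file: `for file in $(find $dir -maxdepth 1 -type f -name ".*" ! -name ".bash_history"); do`. The same structure is repeated in the bash hunk (lines 181–191), where the macro's find arguments could carry the same `! -name ".bash_history"` if `iterate_over_find_output` passes them through to `find` verbatim, which I cannot confirm from the hunk. `$file` inside `basename $file` is unquoted, consistent with the surrounding lines of this Ansible block but not with the quoting used in the bash variant. The Ansible task holding this `cmd: |` block starts outside the hunk.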
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
index d5f803db313..f524ff01f9a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -6,6 +6,8 @@
{{% call iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
{{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+if [ "$(basename $file)" != ".bash_history" ]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+fi
{{%- endcall %}}
{{%- endcall %}}
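Review bot: The added `if [ "$(basename $file)" != ".bash_history" ]; then` leaves `$file` unquoted inside the command substitution while the `sed` line directly beneath it quotes `"$file"`; if `iterate_over_find_output` yields whole paths (its definition is not in the hunk), a home directory containing whitespace would hand `basename` several words and the exclusion would not match. Quote it, or avoid the external call altogether with parameter expansion: `if [ "${file##*/}" != ".bash_history" ]; then`. Both loops here are produced by macros whose bodies are outside the hunk.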
From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:26:04 +0100
Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment
---
.../tests/bash_history_ignored.pass.sh | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
new file mode 100644
index 00000000000..8eeffc233b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "umask 022" > /home/$USER/.bash_history
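Review bot: The scenario writes `umask 022` only into `.bash_history`, but whether it passes also depends on the other dotfiles `useradd -m` copies from `/etc/skel`: if a skeleton `.bashrc` or `.bash_profile` ships an active `umask` line, the check would fail for a reason unrelated to the history file, so the test would be more self-contained if it first neutralised any `umask` lines in the new home's other dotfiles. Separately, `USER="cac_user"` overwrites the shell's own login variable; a local name with quoted uses, `test_user="cac_user"` and `useradd -m "$test_user"`, avoids that collision. The test also assumes the home is `/home/$USER` rather than reading it from `/etc/passwd`, which holds for the `useradd -m` default but not for a customised home base directory.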
From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:27:26 +0100
Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file
This rule targets user files where the umask can be changed. It is not the
case for .bash_history. In addition, this rule's remediations should avoid
changing the .bash_history file.
---
.../accounts_umask_interactive_users/oval/shared.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
index 42dbdbbae46..6f3eaa570d7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
@@ -29,8 +29,14 @@
<ind:filename operation="pattern match">^\..*</ind:filename>
<ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_accounts_umask_interactive_users_bash_history</filter>
</ind:textfilecontent54_object>
+
+ version="1">
+ <ind:filename operation="pattern match">^\.bash_history</ind:filename>
+ </ind:textfilecontent54_state>
+
check_existence="none_exist" version="1"
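Review bot: The exclusion state's pattern `^\.bash_history` has no end anchor, so under `operation="pattern match"` it also excludes sibling names such as `.bash_history.bak` or `.bash_history_old`, whereas the Bash and Ansible remediations in this series compare the basename exactly against `.bash_history`; a file like `.bash_history.bak` holding an active `umask` line would be ignored by the check yet still edited by the remediation. Anchoring the state, `<ind:filename operation="pattern match">^\.bash_history$</ind:filename>`, keeps the check and the remediations consistent. The rendered hunk does not show the opening `<ind:textfilecontent54_state ...>` tag before `version="1">`, so I could not confirm that its id matches the `state_accounts_umask_interactive_users_bash_history` referenced by the new filter, and the element that `check_existence="none_exist" version="1"` belongs to starts outside what is visible.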