Turn off remediations for /dev/shm
#11364
Conversation
Neither the Blueprint nor the Anaconda remediation is applicable on modern Linux OSs.
Since this should be tmpfs, and this is making IB builds fail, these rules' blueprint remediation has been disabled.
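The change above rests on the assumption that /dev/shm is already a tmpfs mounted by systemd. The following shell function is an added example for checking that assumption and is not code from the ComplianceAsCode project or from this PR. The function name `check_dev_shm`, its output format and the /proc/mounts-style sample lines in the test are my own; it reads a mount table on stdin so it can be run against the live `/proc/mounts` or against saved output, and it reports the filesystem type of /dev/shm and which of the nodev, nosuid and noexec options are missing.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode content or of this PR.
# check_dev_shm reads /proc/mounts-format lines on stdin and reports, for
# the /dev/shm mount point, the filesystem type and which of the hardening
# options nodev, nosuid and noexec are missing.
#
# Exit status: 0 = tmpfs with all three options,
#              1 = tmpfs but at least one option missing,
#              2 = /dev/shm not mounted or not a tmpfs.
# Output:      "tmpfs none", "tmpfs <missing,...>", "<fstype> not-tmpfs"
#              or "not-mounted".
check_dev_shm() {
    # /proc/mounts fields: source mountpoint fstype options dump pass.
    # Keep the last matching line, which is the topmost mount on /dev/shm.
    line=$(awk '$2 == "/dev/shm" { l = $0 } END { print l }')
    if [ -z "$line" ]; then
        echo "not-mounted"
        return 2
    fi
    # Deliberately unquoted: split the line into positional parameters.
    set -- $line
    fstype=$3
    opts=$4
    if [ "$fstype" != "tmpfs" ]; then
        echo "$fstype not-tmpfs"
        return 2
    fi
    missing=""
    for want in nodev nosuid noexec; do
        # Surround with commas so "nodev" only matches a whole option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "tmpfs ${missing:-none}"
    [ -z "$missing" ]
}

# When run on a live Linux host, check the real mount table.
if [ -r /proc/mounts ]; then
    check_dev_shm < /proc/mounts || :
fi
```

A systemd-mounted /dev/shm normally reports `tmpfs noexec`, because systemd mounts it with nosuid and nodev but not noexec; that is the gap the separate mount_option_dev_shm_noexec rule addresses, and the check makes it visible without relying on a blueprint or Anaconda partition entry.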
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'.
--- xccdf_org.ssgproject.content_rule_partition_for_dev_shm
+++ xccdf_org.ssgproject.content_rule_partition_for_dev_shm
@@ -3,19 +3,23 @@
Ensure /dev/shm is configured
[description]:
-The /dev/shm is a traditional shared memory concept.
-One program will create a memory portion, which other processes
-(if permitted) can access. If /dev/shm is not configured,
+The /dev/shm is a traditional shared memory concept.
+One program will create a memory portion, which other processes
+(if permitted) can access. If /dev/shm is not configured,
tmpfs will be mounted to /dev/shm by systemd.
+[warning]:
+This rule does not have a remedation.
+It is expected that this will be managed by systemd and will be a tmpfs partition.
+
[rationale]:
-Any user can upload and execute files inside the /dev/shm similar to
-the /tmp partition. Configuring /dev/shm allows an administrator
-to set the noexec option on the mount, making /dev/shm useless for an attacker to
-install executable code. It would also prevent an attacker from establishing a
-hardlink to a system setuid program and wait for it to be updated. Once the program
-was updated, the hardlink would be broken and the attacker would have his own copy
-of the program. If the program happened to have a security vulnerability, the attacker
+Any user can upload and execute files inside the /dev/shm similar to
+the /tmp partition. Configuring /dev/shm allows an administrator
+to set the noexec option on the mount, making /dev/shm useless for an attacker to
+install executable code. It would also prevent an attacker from establishing a
+hardlink to a system setuid program and wait for it to be updated. Once the program
+was updated, the hardlink would be broken and the attacker would have his own copy
+of the program. If the program happened to have a security vulnerability, the attacker
could continue to exploit the known flaw.
[ident]:
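Review bot: the new [warning] block has a typo, "remedation" should be "remediation"; since this text ends up in the rendered guide and the HTML tables, it should be fixed before merge. Separately, every line of the [description] and [rationale] blocks is removed and re-added with identical visible text, which points to trailing whitespace or line-ending changes having been bundled into this hunk; keeping the diff to the intended [warning] addition would make the change easier to review and would stop the content checker from flagging unrelated text as changed.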
New data stream is missing blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'.
New data stream is missing anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'.
Code Climate has analyzed commit 490f4c0 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%.
marcusburghardt
left a comment
LGTM
Description:
mount_option_dev_shm_noexec
mount_option_dev_shm_*
Rationale:
Fixes #11344
Fixes RHEL-16801 and RHEL-17386
It should be fine since by default this will be a tmpfs partition managed by systemd.