From 5e183ab5e15b7d9b9a2b32fad59380e686db2b9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com> Date: Mon, 20 Jan 2025 08:35:16 +0100 Subject: [PATCH] Fix file_permissions_etc_audit_rulesd in Image Mode The rule file_permissions_etc_audit_rulesd fails in a scan executed after VM deployment of a CentOS Stream 9 bootable container image hardened with the STIG profile. The rule requires that all files in the `/etc/audit/rules.d/*.rules` directory need to have mode 0600. However, the scan report shows 2 files with mode 0640. This rule passed during the build of the bootable container image. Therefore, the offending files were created after the rule is evaluated. These files are created by a remediation of a different rule `audit_rules_kernel_module_loading_delete`. We can fix the problem by setting the expected mode at the time of creating these files. The file mode set by `bash_fix_audit_syscall_rule` was inconsistent: on line 1768 we set it to 0600, but in this case we just removed permissions of the others. With this fix the file mode value in the macro will be consistently set to 0600. --- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 13a74c32564..78d00c169ae 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1858,7 +1858,7 @@ if [ "$skip" -ne 0 ]; then auid_string=$([[ {{{ auid_filters }}} ]] && echo " {{{ auid_filters }}}") || /bin/true full_rule="{{{ action_arch_filters }}}${syscall_string}${other_string}${auid_string} -F key={{{ key }}}" || /bin/true echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} + chmod 0600 ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters
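Review bot: the new line `chmod 0600 ${default_file}` leaves the path unquoted while the line just above it, `echo "$full_rule" >> "$default_file"`, quotes it; write `chmod 0600 "${default_file}"` so the variable is not subject to word splitting and the two lines handle the path the same way. The change of mode itself is the right fix for the 0640 files described in the commit message: `chmod o-rwx` only cleared the other-bits and left whatever group bits the file was created with (hence 0640), whereas an absolute `0600` also clears the group bits and gives the same result regardless of the file's prior mode or the umask in effect when it was created, which is what the `file_permissions_etc_audit_rulesd` check expects.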