From 5e183ab5e15b7d9b9a2b32fad59380e686db2b9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 20 Jan 2025 08:35:16 +0100
Subject: [PATCH] Fix file_permissions_etc_audit_rulesd in Image Mode

The rule file_permissions_etc_audit_rulesd fails in a scan executed
after VM deployment of a CentOS Stream 9 bootable container image
hardened with the STIG profile. The rule requires that all files in the
`/etc/audit/rules.d/*.rules` directory have mode 0600.  However,
the scan report shows 2 files with mode 0640. This rule passed during
the build of the bootable container image. Therefore, the offending
files were created after the rule was evaluated.  These files are created
by a remediation of a different rule
`audit_rules_kernel_module_loading_delete`.  We can fix the problem by
setting the expected mode at the time of creating these files.  The file
mode set by `bash_fix_audit_syscall_rule` was inconsistent: on line 1768
we set it to 0600, but in this case we just removed permissions of the
others. With this fix the file mode value in the macro will be
consistently set to 0600.
---
 shared/macros/10-bash.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 13a74c32564..78d00c169ae 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1858,7 +1858,7 @@ if [ "$skip" -ne 0 ]; then
         auid_string=$([[ {{{ auid_filters }}} ]] && echo " {{{ auid_filters }}}") || /bin/true
         full_rule="{{{ action_arch_filters }}}${syscall_string}${other_string}${auid_string} -F key={{{ key }}}" || /bin/true
         echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
+        chmod 0600 ${default_file}
     else
         # Check if the syscalls are declared as a comma separated list or
         # as multiple -S parameters