Fix rsyslog logfiles bash remediation for omfile paths and globs#14715
Conversation
Skipping CI for Draft Pull Request.
/retest-required
| # newline-concatenated string being appended as one bogus array element (breaks chmod). | ||
| ACTION_OMFILE_LINES=$(LC_ALL=C grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}" 2>/dev/null || true) | ||
| [[ -n "${ACTION_OMFILE_LINES}" ]] || continue | ||
| _ACTION_NL=$(printf '%s' "${ACTION_OMFILE_LINES}" | tr '\0' '\n') |
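Review bot: the `tr '\0' '\n'` on the `_ACTION_NL=` line can never see a NUL, because the `$(...)` on the `ACTION_OMFILE_LINES=` line has already dropped every NUL byte that `grep -z` emits (bash prints "ignored null byte in input" on stderr, which the `2>/dev/null` on grep does not cover) and the matched blocks arrive concatenated with no separator. Split the stream before it is captured, for example `mapfile -d '' -t omfile_blocks < <(LC_ALL=C grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")` followed by `(( ${#omfile_blocks[@]} )) || continue`, or pipe the grep output through `tr '\0' '\n'` inside the same pipeline and iterate over the resulting lines.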
I'm pretty sure this doesn't do anything, bash variables cannot contain zeros.
$ printf '\x00\x01\x02' | hexdump -C
00000000 00 01 02 |...|
00000003
$ a=$(printf '\x00\x01\x02')
bash: warning: command substitution: ignored null byte in input
$ echo ${#a}
2
$ printf '\x00\x01\x02' > tmpf
$ read a < tmpf
$ echo ${#a}
2
$ printf '%s' "$a" | hexdump -C
00000000 01 02 |..|
00000002
$ hexdump -C <<<"$a"
00000000 01 02 0a |...|
00000003
Split NUL-separated omfile matches into separate paths before chmod, expand $IncludeConfig globs in a nullglob subshell, and skip non-regular files. Document eval trust boundary for include path expansion.
f6fa85c to 76bb56d
@Mab879: The following tests failed, say
jan-cerny
left a comment
Using a custom pipeline I have verified that the rule rsyslog_files_permissions passes in /hardening/host-os/oscap/anssi_bp28_high and /hardening/host-os/oscap/cis on RHEL 9 and 10. Also, the rule passes in the Testing farm tests executed as a part of the PR gating on CentOS Stream 9 and 10.
Description:
Split NUL-separated omfile matches into separate paths before chmod, expand $IncludeConfig globs in a nullglob subshell, and skip non-regular files. Document eval trust boundary for include path expansion.
Rationale:
Fixes #14570
Review Hints:
Review the contest test results and ensure they pass.
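The three fixes the description names, shown together as an added, self-contained example that is not the PR's or ComplianceAsCode's code: `grep -oz` output is split while it is still a stream (before any `$(...)` could drop the NUL separators), `$IncludeConfig` patterns are expanded by the shell's own pathname expansion in a subshell rather than by `eval`, and only existing regular files survive to be chmod'ed. It builds a constructed config tree under a temp dir and prints the targets a remediation would touch. It is written for plain `sh`, so instead of `shopt -s nullglob` it relies on the `-f` test, which drops an unmatched pattern left as a literal just as nullglob would. The function names and sample paths are this example's own.

```shell
#!/bin/sh
# Added example, not the PR's code. Lists the log files an rsyslog permissions
# remediation should chmod: omfile targets from the main config plus every file
# pulled in by $IncludeConfig, keeping only existing regular files.
# Function names and the sample paths below are this example's own.

# Print the file="..." target of every action(type="omfile" ...) block in one config.
# grep -z emits each match NUL-terminated; NUL and newline are swapped inside the
# pipeline, before any $(...) could drop the NULs, so one block becomes one line.
rsyslog_omfile_targets() {
    LC_ALL=C grep -iozE \
        'action[[:space:]]*\([[:space:]]*type[[:space:]]*=[[:space:]]*"omfile"[^)]*\)' \
        "$1" 2>/dev/null \
    | tr '\n\0' ' \n' \
    | sed -n 's/.*[^[:alnum:]][Ff][Ii][Ll][Ee][[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Expand each $IncludeConfig pattern with the shell's own pathname expansion in a
# subshell (no eval, so nothing from the config is ever parsed as shell code).
# An unmatched pattern stays a literal string and fails the -f test, the same
# outcome nullglob gives under bash; non-regular matches are dropped as well.
rsyslog_include_files() {
    sed -n 's/^[[:space:]]*\$IncludeConfig[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$1" \
    | while IFS= read -r pattern; do
        ( for f in $pattern; do
              if [ -f "$f" ]; then printf '%s\n' "$f"; fi
          done )
      done
}

# Main config first, then includes; collect targets, dedupe, and keep only
# regular files that are not symlinks (chmod would follow the link).
rsyslog_logfiles_to_fix() {
    { printf '%s\n' "$1"; rsyslog_include_files "$1"; } \
    | while IFS= read -r conf; do rsyslog_omfile_targets "$conf"; done \
    | sort -u \
    | while IFS= read -r target; do
        if [ -f "$target" ] && [ ! -L "$target" ]; then printf '%s\n' "$target"; fi
      done
}

# Constructed sample tree: two real log files, a FIFO, a symlink, a missing file,
# one include directory, and one include pattern that matches nothing.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/rsyslog.d" "$tmp/log"
    : > "$tmp/log/messages"
    : > "$tmp/log/secure"
    mkfifo "$tmp/log/pipe" 2>/dev/null || mkdir "$tmp/log/pipe"
    ln -s "$tmp/log/messages" "$tmp/log/link"
    cat > "$tmp/rsyslog.conf" <<EOF
\$IncludeConfig $tmp/rsyslog.d/*.conf
\$IncludeConfig $tmp/nonexistent.d/*.conf
action(type="omfile"
       file="$tmp/log/messages")
action(type="omfile" File="$tmp/log/link")
EOF
    cat > "$tmp/rsyslog.d/auth.conf" <<EOF
action(type="omfile" file="$tmp/log/secure")
action(type="omfile" file="$tmp/log/pipe")
action(type="omfile" file="$tmp/log/missing")
EOF
    rsyslog_logfiles_to_fix "$tmp/rsyslog.conf"
    rm -rf "$tmp"
}

demo
```

Running the block prints only `.../log/messages` and `.../log/secure`: the multi-line action block is handled, the symlink, FIFO and missing target are skipped, and the unmatched include pattern contributes nothing instead of a literal `*.conf` path.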