Suspicious file ownership breaks CIS hardening rule

Bug #2060365 reported by Gaetan Gouzi
Affects: EasyRSA Charm. Status: New. Importance: Undecided. Assigned to: Unassigned.

Bug Description

When trying to perform CIS hardening level 1 on the unit, the hardening fails because the rule `xccdf_org.ssgproject.content_rule_no_files_unowned_by_user` does not pass.

- Rule name:
"Ensure All Files Are Owned by a User"

- Rule description:
"If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user:

$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser

To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:

$ sudo find PARTITION -xdev -nouser"

Indeed, some files are owned by the "staff" user.
```
ubuntu@juju-8a4335-4-lxd-5:~$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/ChangeLog
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/README.quickstart.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/COPYING
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/vars.example
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/gpl-2.0.txt
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc/Hacking.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc/EasyRSA-Readme.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc/EasyRSA-Advanced.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc/Intro-To-PKI.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/doc/EasyRSA-Upgrade-Notes.md
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/easyrsa
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/openssl-1.0.cnf
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/x509-types
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/x509-types/ca
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/x509-types/client
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/x509-types/server
/var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/x509-types/COMMON

ubuntu@juju-8a4335-4-lxd-5:~$ ll /var/lib/juju/agents/unit-easyrsa-1/charm/EasyRSA-3.0.1/
total 104
drwxrwxr-x 5 501 staff 4096 Apr 6 10:22 ./
drwxr-xr-x 12 root root 4096 Apr 6 11:55 ../
-rw-rw-r-- 1 501 staff 1270 Sep 2 2015 COPYING
-rw-rw-r-- 1 501 staff 2415 Sep 2 2015 ChangeLog
-rw-rw-r-- 1 501 staff 3350 Sep 2 2015 README.quickstart.md
drwxrwxr-x 2 501 staff 4096 Apr 6 10:22 doc/
-rwxrwxr-x 1 501 staff 34910 Sep 9 2015 easyrsa*
-rw-rw-r-- 1 501 staff 18093 Sep 2 2015 gpl-2.0.txt
-rw-rw-r-- 1 501 staff 4583 Apr 6 10:22 openssl-1.0.cnf
drwx------ 6 root root 4096 Apr 6 10:27 pki/
-rw-rw-r-- 1 501 staff 8126 Sep 2 2015 vars.example
drwxrwxr-x 2 501 staff 4096 Sep 2 2015 x509-types/
```

Questions:
- What is this staff ownership?
- Can we apply a remediation by changing ownership to root?

Attached usg report where rule is failing.

Environment:
- LXD-based
- Single unit
- easyrsa: 3.0.1
- channel: latest/stable
- revision: 55
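For anyone who wants to reproduce the rule's check on a unit or script the remediation, the following is an added Python example; it is not code from the bug report, the EasyRSA charm, or the CIS/SSG content. It walks a directory tree with the same semantics as `find -xdev -nouser` (and `-nogroup`): every entry is `lstat`ed, its uid and gid are resolved through the passwd and group databases, and directories on another device are not descended into. A bare numeric owner in `ls -l` output (the `501` column in the listing above) is exactly the signal this check keys on: the uid has no passwd entry on the unit. The sample directory layout, the injectable resolver callables and the uid used in the simulation are constructed for the demonstration; the remediation step is a dry run by default and only calls `os.lchown` when explicitly asked to.

```python
"""Find entries whose uid or gid has no passwd/group entry (find -nouser/-nogroup).

Added example, not code from the bug report or the EasyRSA charm. The sample
tree built by build_sample_tree() is a constructed stand-in for the charm's
unpacked EasyRSA-3.0.1 directory.
"""
import os
import pwd
import grp
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class Finding:
    path: str
    uid: int
    gid: int
    no_user: bool   # uid has no /etc/passwd entry (what find -nouser reports)
    no_group: bool  # gid has no /etc/group entry (what find -nogroup reports)


def uid_known(uid: int) -> bool:
    """True if the uid resolves to an account; ls -l prints a bare number otherwise."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def gid_known(gid: int) -> bool:
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def _same_device(path: str, dev: int) -> bool:
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def find_unowned(root: str,
                 uid_ok: Callable[[int], bool] = uid_known,
                 gid_ok: Callable[[int], bool] = gid_known,
                 one_filesystem: bool = True) -> Iterator[Finding]:
    """Yield every entry under root whose owner or group does not resolve.

    one_filesystem=True mirrors find's -xdev: directories on a different device
    (bind mounts, NFS, ...) are pruned. Entries are lstat'ed, so a symlink is
    judged by its own ownership, not its target's. The resolvers are injectable
    so the logic can be exercised against a fake account database.
    """
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:
            dirnames[:] = [d for d in dirnames
                           if _same_device(os.path.join(dirpath, d), root_dev)]
        # The directory itself, then its non-directory children.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished between listing and stat
            no_user, no_group = not uid_ok(st.st_uid), not gid_ok(st.st_gid)
            if no_user or no_group:
                yield Finding(path, st.st_uid, st.st_gid, no_user, no_group)


def remediation_plan(findings: Iterable[Finding], owner_uid: int = 0,
                     group_gid: int = 0) -> List[Tuple[str, int, int]]:
    """The lchown calls that would reassign each finding (root:root by default)."""
    return [(f.path, owner_uid, group_gid) for f in findings]


def apply_plan(plan: Iterable[Tuple[str, int, int]], dry_run: bool = True) -> int:
    """Apply the plan with os.lchown unless dry_run; returns the number of entries."""
    count = 0
    for path, uid, gid in plan:
        if not dry_run:
            os.lchown(path, uid, gid)
        count += 1
    return count


def build_sample_tree() -> str:
    """Constructed sample: a throwaway dir shaped like the charm's EasyRSA-3.0.1."""
    root = tempfile.mkdtemp(prefix="EasyRSA-3.0.1-")
    for sub in ("doc", "x509-types"):
        os.mkdir(os.path.join(root, sub))
    for rel in ("ChangeLog", "COPYING", "easyrsa", "doc/Intro-To-PKI.md",
                "x509-types/ca", "x509-types/server"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(f"{len(list(find_unowned(root)))} unowned entries with the live account DB")
    # Simulate the bug's situation (owner uid with no passwd entry) by treating
    # the current user's uid as unknown; the sample files are owned by it.
    me = os.getuid()
    hits = list(find_unowned(root, uid_ok=lambda u: u != me))
    for h in hits:
        print(f"nouser uid={h.uid} gid={h.gid} {h.path}")
    plan = remediation_plan(hits)
    print(f"would chown {apply_plan(plan, dry_run=True)} entries to 0:0 (dry run)")
```

Run against a real tree with the default resolvers to get the same list the rule's `find` produces; pass `dry_run=False` to `apply_plan` only after the findings have been reviewed, since reassigning ownership of files that a service writes to can change which account may modify them.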
