Should files in /tmp be checked for permissions when using tmpfs? #11972

Open
marcusburghardt opened this issue May 8, 2024 · 0 comments
Labels
OVAL OVAL update. Related to the systems assessments.
@marcusburghardt
Member

Description of problem:

Some policies require a separate partition for /tmp, but when this is not required and /tmp uses a tmpfs file system, the mount point will be ignored by rules using the create_local_mount_points_list macro.

This macro was introduced by #11319 and brought significant performance improvements by, among other aspects, skipping remote and pseudo file systems during the scan.

After a recent analysis, I noticed a possible case that could impact the following rules:

  • file_permissions_unauthorized_sgid
  • file_permissions_unauthorized_suid
  • file_permissions_unauthorized_world_writable
  • file_permissions_ungroupowned
  • no_files_unowned_by_user

These rules check file permissions or ownership.
In a scenario where the system is using tmpfs for /tmp, assuming a non-compliant file is stored in /tmp, which could be a valid case due to the nature of /tmp, these rules would not report this file.
On the other hand, tmpfs is not persistent, and this could minimize the risk.

The solution seems simple: ensure /tmp is always checked regardless of whether it uses tmpfs or a device partition.
However, it is very hard to do this in OVAL without big changes to the macro or to these specific rules.
I tried some tests updating the macro to include /tmp unconditionally in the resulting variable, but had no success.

I am filing this issue here so others can also give insights on how to solve it using OVAL, or even comment on how relevant this issue is.

SCAP Security Guide Version:

master as of 2024-05-08

Additional Information/Debugging Steps:

@marcusburghardt marcusburghardt added the OVAL OVAL update. Related to the systems assessments. label May 8, 2024
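As an added example that is not part of the issue above nor of the ComplianceAsCode/content code base, the following POSIX shell script models the behaviour the issue describes: a mount-point list restricted to local, non-pseudo file systems drops a tmpfs-backed /tmp, so a per-mount-point scan for world-writable, SUID or SGID files never visits it, while a list that adds /tmp unconditionally restores the check. The /proc/mounts sample is constructed, and the set of file system types treated as pseudo or remote is an assumption for illustration, not the macro's actual list.

```shell
#!/bin/sh
# Added example, not code from ComplianceAsCode/content. Shows how filtering
# mount points by file system type silently drops a tmpfs /tmp, and how the
# rules' find-based checks behave once /tmp is (or is not) in the list.

# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
nfs-srv:/export /mnt/nfs nfs4 rw 0 0
/dev/mapper/vg-var /var xfs rw,relatime 0 0'

# Emit mount points whose file system is neither remote nor pseudo.
# The type list is an assumption made for this example.
local_mount_points() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(proc|sysfs|tmpfs|devtmpfs|devpts|cgroup2?|nfs4?|cifs|fuse.*)$/ { next }
        { print $2 }'
}

# Same list with /tmp added unconditionally, which is what the issue proposes.
local_mount_points_with_tmp() {
    { local_mount_points "$1"; printf '/tmp\n'; } | sort -u
}

# Count occurrences of a mount point in a newline-separated list.
count_mount_point() {
    printf '%s\n' "$1" | awk -v mp="$2" '$0 == mp { n++ } END { print n + 0 }'
}

# Per-mount-point scan for world-writable, SUID or SGID regular files.
# -xdev keeps find from crossing into other mount points, like a per-mount scan.
scan_unauthorized_perms() {
    find "$1" -xdev -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Companion scan for files with no owning user or group (ungroupowned/unowned rules).
scan_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Demo: a throwaway directory stands in for a tmpfs /tmp holding two
# non-compliant files and one clean file; prints the number of findings.
demo_tmp_scan() {
    tmp_root=$(mktemp -d)
    touch "$tmp_root/world_writable" "$tmp_root/setuid_binary" "$tmp_root/clean"
    chmod 0666 "$tmp_root/world_writable"
    chmod 4755 "$tmp_root/setuid_binary"
    chmod 0644 "$tmp_root/clean"
    scan_unauthorized_perms "$tmp_root" | wc -l | tr -d ' '
    rm -rf "$tmp_root"
}

if [ "${1:-}" = "run" ]; then
    echo "mount points without the /tmp fix:"; local_mount_points "$SAMPLE_MOUNTS"
    echo "mount points with the /tmp fix:";    local_mount_points_with_tmp "$SAMPLE_MOUNTS"
    echo "findings in a simulated tmpfs /tmp: $(demo_tmp_scan)"
fi
```

Run it as `sh script.sh run`: the first list omits /tmp (and, as intended, /proc, /sys and the NFS mount), the second list contains /tmp, and the simulated /tmp scan reports the two non-compliant files. With the first list, scan_unauthorized_perms would never be called on /tmp at all, which is exactly the gap the issue raises.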