Signed-off-by: Jeffrey Blank <[email protected]> --- RHEL6/input/system/permissions/files.xml | 102 ++++++++++++++++++++++++++++-- 1 files changed, 97 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index de254f8..0663828 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -11,11 +11,11 @@ arisen.</description> <Group id="permissions_important_account_files"> <title>Verify Permissions on <tt>passwd</tt>, <tt>shadow</tt>, <tt>group</tt> and <tt>gshadow</tt> Files</title> -<description>These are the default permissions for these files. -Many utilities need read access to the <tt>passwd</tt> file in order to -function properly, but read access to the <tt>shadow</tt> file allows -malicious attacks against system passwords, and should never be -enabled.</description> +<description>Default permissions for the <tt>passwd</tt>, <tt>shadow</tt>, +<tt>group</tt>, and <tt>gshadow</tt> files should be maintained. Many +utilities need read access to the <tt>passwd</tt> file in order to function +properly, but read access to the <tt>shadow</tt> file allows malicious attacks +against system passwords, and should never be enabled.</description> <Rule id="userowner_shadow_file"> <title>Verify user who owns <tt>shadow</tt> file</title> 
@@ -157,6 +157,98 @@ list of acounts on the system and associated information.</rationale> </Rule> </Group> + +<!-- pull /var/log permissions out of rsyslog discussion section? --> + +<Group id="permissions_within_important_dirs"> +<title>Verify File Permissions Within Some Important Directories</title> +<description>Some directories contain files whose confidentiality or integrity +is notably important and may also be susceptible to misconfiguration over time, particularly if +unpackaged software is installed. As such, +an argument exists to verify that files' permissions within these directories remain +configured correctly and restrictively. +</description> + +<Rule id="file_permissions_library_dirs"> +<title>Verify that Shared Library Files Have Restrictive Permissions</title> +<description>System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +<pre>/lib +/lib64 +/usr/lib +/usr/lib64 +</pre> +Kernel modules, which can be added to the kernel during runtime, are +stored in <tt>/lib/modules</tt>. All files in these directories should not be +group-writable or world-writable. +</description> +<rationale>Files from shared library directories are loaded into the address +space of processes (including privileged ones) or of the kernel itself at +runtime. Restrictive permissions are necessary to protect the integrity of the system. +</rationale> +</Rule> + +<Rule id="file_ownership_library_dirs"> +<title>Verify that Shared Library Files Have Root Ownership</title> +<description>System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +<pre>/lib +/lib64 +/usr/lib +/usr/lib64 +</pre> +Kernel modules, which can be added to the kernel during runtime, are also +stored in <tt>/lib/modules</tt>. All files in these directories should be +owned by the <tt>root</tt> user. 
+</description> +<rationale>Files from shared library directories are loaded into the address +space of processes (including privileged ones) or of the kernel itself at +runtime. Proper ownership is necessary to protect the integrity of the system. +</rationale> +</Rule> + + +<Rule id="file_permissions_binary_dirs"> +<title>Verify that System Executables Have Restrictive Permissions</title> +<description> +System executables are stored in the following directories by default: +<pre>/bin +/usr/bin +/usr/local/bin +/sbin +/usr/sbin +/usr/local/sbin</pre> +All files in these directories should not be group-writable or world-writable. +</description> +<rationale>System binaries are executed by privileged users as well as system services, +and restrictive permissions are necessary to ensure that their +execution of these programs cannot be co-opted. +</rationale> +</Rule> + +<Rule id="file_ownership_binary_dirs"> +<title>Verify that System Executables Have Root Ownership</title> +<description> +System executables are stored in the following directories by default: +<pre>/bin +/usr/bin +/usr/local/bin +/sbin +/usr/sbin +/usr/local/sbin</pre> +All files in these directories should be owned by the <tt>root</tt> user. +</description> +<rationale>System binaries are executed by privileged users as well as system services, +and restrictive permissions are necessary to ensure that their +execution of these programs cannot be co-opted. +</rationale> +</Rule> + + +</Group> + <Rule id="sticky_world_writable_dirs"> <title>Verify that All World-Writable Directories Have Sticky Bits Set</title> <description>When the so-called 'sticky bit' is set on a directory, -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
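Review bot: the rationale under `file_ownership_binary_dirs` is a verbatim copy of the one under `file_permissions_binary_dirs` and still argues that "restrictive permissions are necessary", which does not justify a root-ownership rule; the library ownership rule above already shows the intended pattern ("Proper ownership is necessary to protect the integrity of the system"), so the closing sentence should be reworded along those lines, e.g. `and root ownership is necessary to ensure that their` / `execution of these programs cannot be co-opted.` Two smaller points in the same hunk: the `<!-- pull /var/log permissions out of rsyslog discussion section? -->` comment is an open question rather than documentation and should be resolved or tracked elsewhere before merge, and the two shared-library descriptions differ only by an inserted "also" ("are stored in <tt>/lib/modules</tt>" vs "are also stored in <tt>/lib/modules</tt>"), so pick one wording to keep the duplicated text in sync.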
