>From 154b1aed6de0628abb37c7848cd174a1175cdef2 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 17 Apr 2013 05:47:18 -0400 Subject: [PATCH] Ticket 396: Created OVAL for file_ownership_library_dirs - Created OVAL - Updated XCCDF rule to reference the new check
Testing: [root@rhel6 checks]# chown shawn /lib/modules/2.6.32-* [root@rhel6 checks]# ./testcheck.py file_ownership_library_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelaqFW7F.xml Definition oval:scap-security-guide.testing:def:106: false Evaluation done. [root@rhel6 checks]# chown root /lib/modules/2.6.32-* [root@rhel6 checks]# ./testcheck.py file_ownership_library_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelOvly_8.xml Definition oval:scap-security-guide.testing:def:106: true Evaluation done.
---
 RHEL6/input/checks/file_ownership_library_dirs.xml | 140 ++++++++++++++++++++
 RHEL6/input/system/permissions/files.xml | 2 +-
 2 files changed, 141 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml
diff --git a/RHEL6/input/checks/file_ownership_library_dirs.xml b/RHEL6/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..e68ec20
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,140 @@
+<def-group>
+ <definition class="compliance" id="file_ownership_etc_skel" version="1">
+ <metadata>
+ <title>Verify that Shared Library Files Have Root Ownership</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_ownership_lib_dir" />
+ <criterion test_ref="test_ownership_lib_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib directories uid root" id="test_ownership_lib_dir" version="1">
+ <unix:object object_ref="object_lib_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib files uid root" id="test_ownership_lib_files" version="1">
+ <unix:object object_ref="object_lib_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib directories" id="object_lib_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib files" id="object_lib_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 directories uid root" id="test_ownership_lib64_dir" version="1">
+ <unix:object object_ref="object_lib64_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 files uid root" id="test_ownership_lib64_files" version="1">
+ <unix:object object_ref="object_lib64_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib64 directories" id="object_lib64_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib64 files" id="object_lib64_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib directories uid root" id="test_ownership_usr_lib_dir" version="1">
+ <unix:object object_ref="object_usr_lib_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib files uid root" id="test_ownership_usr_lib_files" version="1">
+ <unix:object object_ref="object_usr_lib_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib directories" id="object_usr_lib_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib files" id="object_usr_lib_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 directories uid root" id="test_ownership_usr_lib64_dir" version="1">
+ <unix:object object_ref="object_usr_lib64_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 files uid root" id="test_ownership_usr_lib64_files" version="1">
+ <unix:object object_ref="object_usr_lib64_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib64 directories" id="object_usr_lib64_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib64 files" id="object_usr_lib64_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules directories uid root" id="test_ownership_lib_modules_dir" version="1">
+ <unix:object object_ref="object_lib_modules_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules files uid root" id="test_ownership_lib_modules_files" version="1">
+ <unix:object object_ref="object_lib_modules_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib/modules directories" id="object_lib_modules_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib/modules files" id="object_lib_modules_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!-- <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
+ <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+ </unix:file_state>
+</def-group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 6a9c707..21af4ea 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -251,9 +251,9 @@
 space of processes (including privileged ones) or of the kernel itself at
 runtime. Proper ownership is necessary to protect the integrity of the system.
 </rationale>
 <ref nist="AC-6" disa="1499"/>
+<oval id="file_ownership_library_dirs" />
 </Rule>
-
 <Rule id="file_permissions_binary_dirs" severity="medium">
 <title>Verify that System Executables Have Restrictive Permissions</title>
 <description>
-- 
1.7.1
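Review bot: The `<criteria>` of the new definition references only `test_ownership_lib_dir` and `test_ownership_lib_files`, so the eight tests declared for /lib64, /usr/lib, /usr/lib64 and /lib/modules are never evaluated and a non-root-owned file under /usr/lib64 still produces a `true` result, contrary to what the `<description>` promises. The transcript in the commit message only chowned files under /lib/modules, which the /lib object already reaches through `max_depth="-1"`, so it could not have exposed this. Every test in the file should be listed as a criterion, as below; once that is done the /lib/modules pair is redundant with the /lib recursion and could be dropped, though keeping it is harmless. Separately, `recurse_file_system="all"` will also walk any filesystem mounted beneath these directories; if that is not intended, `recurse_file_system="local"` bounds the traversal — worth confirming against the convention the other checks in the guide use.
```xml
  <criteria operator="AND">
    <criterion test_ref="test_ownership_lib_dir" />
    <criterion test_ref="test_ownership_lib_files" />
    <criterion test_ref="test_ownership_lib64_dir" />
    <criterion test_ref="test_ownership_lib64_files" />
    <criterion test_ref="test_ownership_usr_lib_dir" />
    <criterion test_ref="test_ownership_usr_lib_files" />
    <criterion test_ref="test_ownership_usr_lib64_dir" />
    <criterion test_ref="test_ownership_usr_lib64_files" />
    <criterion test_ref="test_ownership_lib_modules_dir" />
    <criterion test_ref="test_ownership_lib_modules_files" />
  </criteria>
  <!-- … unchanged: file_test, file_object and file_state declarations … -->
```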
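Review bot: The `<oval id="file_ownership_library_dirs" />` added to this rule does not match the id of the definition it is meant to bind to, which the new check file declares as `id="file_ownership_etc_skel"` — a leftover from the copied template, and the `/tmp/file_ownership_etc_skel…` tempfile names in the test transcript show that is the id that was actually built. If the build resolves `<oval id>` by definition id (presumably, but confirm against the build scripts), this rule ends up with no resolvable check and silently reports nothing. Fix the definition rather than the reference so file name, definition id and rule id agree: `<definition class="compliance" id="file_ownership_library_dirs" version="1">`. The enclosing `<Rule>` element opens before this hunk, so its id cannot be confirmed from here.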
