>From 3e533c3189779d0015d9bb29a1741adf2b47154b Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 19 Apr 2013 22:50:46 -0400 Subject: [PATCH 1/2] (resubmit) Ticket 396 - OVAL needed for file_ownership_library_dirs - Created OVAL - Updated XCCDF rule to reflect - Ensured all test_ref's were called out
[shawn@rhel6 checks]$ ./testcheck.py file_ownership_library_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelssTK5P.xml Definition oval:scap-security-guide.testing:def:100: false Evaluation done. [shawn@rhel6 checks]$ su - Password: Last login: Wed Apr 17 05:58:32 EDT 2013 on pts/0 [root@rhel6 ~]# chown -R root /lib /lib64/ /usr/lib/ /usr/lib64/ /lib/modules/ [root@rhel6 ~]# exit logout [shawn@rhel6 checks]$ ./testcheck.py file_ownership_library_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelPyCa24.xml Definition oval:scap-security-guide.testing:def:100: true Evaluation done.
---
 RHEL6/input/checks/file_ownership_library_dirs.xml | 148 ++++++++++++++++++++
 RHEL6/input/system/permissions/files.xml | 2 +-
 2 files changed, 149 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml
diff --git a/RHEL6/input/checks/file_ownership_library_dirs.xml b/RHEL6/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..8b5f282
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,148 @@
+<def-group>
+ <definition class="compliance" id="file_ownership_etc_skel" version="1">
+ <metadata>
+ <title>Verify that Shared Library Files Have Root Ownership</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_ownership_lib_dir" />
+ <criterion test_ref="test_ownership_lib64_dir" />
+ <criterion test_ref="test_ownership_usr_lib_dir" />
+ <criterion test_ref="test_ownership_usr_lib64_dir" />
+ <criterion test_ref="test_ownership_lib_modules_dir" />
+ <criterion test_ref="test_ownership_lib_files" />
+ <criterion test_ref="test_ownership_lib64_files" />
+ <criterion test_ref="test_ownership_usr_lib_files" />
+ <criterion test_ref="test_ownership_usr_lib64_files" />
+ <criterion test_ref="test_ownership_lib_modules_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib directories uid root" id="test_ownership_lib_dir" version="1">
+ <unix:object object_ref="object_lib_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib files uid root" id="test_ownership_lib_files" version="1">
+ <unix:object object_ref="object_lib_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib directories" id="object_lib_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib files" id="object_lib_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 directories uid root" id="test_ownership_lib64_dir" version="1">
+ <unix:object object_ref="object_lib64_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 files uid root" id="test_ownership_lib64_files" version="1">
+ <unix:object object_ref="object_lib64_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib64 directories" id="object_lib64_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib64 files" id="object_lib64_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib directories uid root" id="test_ownership_usr_lib_dir" version="1">
+ <unix:object object_ref="object_usr_lib_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib files uid root" id="test_ownership_usr_lib_files" version="1">
+ <unix:object object_ref="object_usr_lib_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib directories" id="object_usr_lib_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib files" id="object_usr_lib_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 directories uid root" id="test_ownership_usr_lib64_dir" version="1">
+ <unix:object object_ref="object_usr_lib64_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 files uid root" id="test_ownership_usr_lib64_files" version="1">
+ <unix:object object_ref="object_usr_lib64_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib64 directories" id="object_usr_lib64_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib64 files" id="object_usr_lib64_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules directories uid root" id="test_ownership_lib_modules_dir" version="1">
+ <unix:object object_ref="object_lib_modules_dir" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules files uid root" id="test_ownership_lib_modules_files" version="1">
+ <unix:object object_ref="object_lib_modules_files" />
+ <unix:state state_ref="state_owner_not_root" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib/modules directories" id="object_lib_modules_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib/modules files" id="object_lib_modules_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!-- <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
+ <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+ </unix:file_state>
+</def-group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 6a9c707..21af4ea 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
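Review bot: The definition id on the hunk's second line is `file_ownership_etc_skel`, apparently left over from the check this file was copied from, while the XCCDF hunk in files.xml binds `<oval id="file_ownership_library_dirs" />` and the new file is named file_ownership_library_dirs.xml, so the rule and this OVAL will not pair up; the line should read `<definition class="compliance" id="file_ownership_library_dirs" version="1">`. The testcheck tempfile names quoted in the commit message (`file_ownership_etc_skel...`) show the stale id was already in effect when the check was exercised, so the true/false results do not prove the rule-to-OVAL binding works. Further down, `state_owner_not_root` keeps `operator="OR"` over a single entity because the group_id check is commented out; a comment is not where disabled logic should live, so either delete that line together with the operator, or, if group ownership is meant to be checked later, replace it with `<!-- TODO: add a group_id "not equal" 0 entity once group ownership of library dirs is in scope -->` so the intent is explicit.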
@@ -251,9 +251,9 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. </rationale> <ref nist="AC-6" disa="1499"/> +<oval id="file_ownership_library_dirs" /> </Rule> - <Rule id="file_permissions_binary_dirs" severity="medium"> <title>Verify that System Executables Have Restrictive Permissions</title> <description> -- 1.7.1
