>From d11ffa5b587f3ec35122c7541d8affcf376f880f Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 19 Apr 2013 23:25:16 -0400 Subject: [PATCH 2/2] Request for review - OVAL for file_permissions_library_dirs - unix:file_state trouble
I've been staring at this for awhile, and can't figure out why the results constantly return false: [root@rhel6 checks]# chmod -R 755 /lib/ /lib64/ /usr/lib/ /usr/lib64/ /lib/modules/ [root@rhel6 checks]# ./testcheck.py file_permissions_library_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelm9KJNG.xml Definition oval:scap-security-guide.testing:def:100: false Evaluation done. Anyone have ideas?
---
 .../input/checks/file_permissions_library_dirs.xml | 149 ++++++++++++++++++++
 RHEL6/input/system/permissions/files.xml | 1 +
 2 files changed, 150 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/file_permissions_library_dirs.xml
diff --git a/RHEL6/input/checks/file_permissions_library_dirs.xml b/RHEL6/input/checks/file_permissions_library_dirs.xml
new file mode 100644
index 0000000..0cbe682
--- /dev/null
+++ b/RHEL6/input/checks/file_permissions_library_dirs.xml
@@ -0,0 +1,149 @@
+<def-group>
+ <definition class="compliance" id="file_ownership_etc_skel" version="1">
+ <metadata>
+ <title>Verify that Shared Library Files Have Restrictive Permissions</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are not group-writable
+ or world-writable.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_perms_lib_dir" />
+ <criterion test_ref="test_perms_lib64_dir" />
+ <criterion test_ref="test_perms_usr_lib_dir" />
+ <criterion test_ref="test_perms_usr_lib64_dir" />
+ <criterion test_ref="test_perms_lib_modules_dir" />
+ <criterion test_ref="test_perms_lib_files" />
+ <criterion test_ref="test_perms_lib64_files" />
+ <criterion test_ref="test_perms_usr_lib_files" />
+ <criterion test_ref="test_perms_usr_lib64_files" />
+ <criterion test_ref="test_perms_lib_modules_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib directories go-w" id="test_perms_lib_dir" version="1">
+ <unix:object object_ref="object_lib_dir" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib files go-w" id="test_perms_lib_files" version="1">
+ <unix:object object_ref="object_lib_files" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib directories" id="object_lib_dir" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib files" id="object_lib_files" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 directories go-w" id="test_perms_lib64_dir" version="1">
+ <unix:object object_ref="object_lib64_dir" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib64 files go-w" id="test_perms_lib64_files" version="1">
+ <unix:object object_ref="object_lib64_files" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib64 directories" id="object_lib64_dir" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib64 files" id="object_lib64_files" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib directories go-w" id="test_perms_usr_lib_dir" version="1">
+ <unix:object object_ref="object_usr_lib_dir" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib files go-w" id="test_perms_usr_lib_files" version="1">
+ <unix:object object_ref="object_usr_lib_files" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib directories" id="object_usr_lib_dir" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib files" id="object_usr_lib_files" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 directories go-w" id="test_perms_usr_lib64_dir" version="1">
+ <unix:object object_ref="object_usr_lib64_dir" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 files go-w" id="test_perms_usr_lib64_files" version="1">
+ <unix:object object_ref="object_usr_lib64_files" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib64 directories" id="object_usr_lib64_dir" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib64 files" id="object_usr_lib64_files" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules directories go-w" id="test_perms_lib_modules_dir" version="1">
+ <unix:object object_ref="object_lib_modules_dir" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules files go-w" id="test_perms_lib_modules_files" version="1">
+ <unix:object object_ref="object_lib_modules_files" />
+ <unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib/modules directories" id="object_lib_modules_dir" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib/modules files" id="object_lib_modules_files" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+ <unix:gwrite datatype="boolean">true</unix:gwrite>
+ <unix:owrite datatype="boolean">true</unix:owrite>
+ </unix:file_state>
+</def-group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 21af4ea..1085fce 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -216,6 +216,7 @@ runtime. Restrictive permissions are necessary to protect the integrity of the s
 </rationale>
 <ref nist="AC-6" disa="1499"/>
 <tested by="DS" on="20121026"/>
+<oval id="file_permissions_library_dirs" />
 </Rule>
 <Rule id="file_ownership_library_dirs" severity="medium">
--
1.7.1
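Review bot: The definition id on the second line of the new file is `file_ownership_etc_skel`, which matches neither the file name nor the `<oval id="file_permissions_library_dirs" />` reference this patch adds to files.xml, so the Rule will not be wired to this definition (the tempfile name in the commit message shows the build already picking up the stale id); it should read `<definition class="compliance" id="file_permissions_library_dirs" version="1">`. The constant false result is plausibly caused by the behaviors on every object: `recurse="symlinks and directories"` with `recurse_file_system="all"` follows symlinks out of the library trees (e.g. `/lib/modules/*/build` into the kernel source tree) and onto non-local filesystems, and `chmod -R 755` never changes a symlink's own mode, so entries matching the include filter are still collected and `none_exist` fails. Restrict the walk to the trees being audited with `<unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />` on each object, and inspect the collected items in the OVAL results/system-characteristics output to confirm which entries triggered the filter. The `<unix:state state_ref="state_perms_nogroupwrite_noworldwrite" />` inside each `none_exist` test is redundant with the object's include filter, which already narrows the item set to group- or world-writable entries, and can be dropped so the intent ("no such items exist") reads unambiguously.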
