From e23ca121306946ebdda61228f1f8aafda43d13d0 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 12 Sep 2013 17:18:27 +0200 Subject: [PATCH 2/8] Add FEDORA input/checks subdir content - Fedora-19 system detection and oval definitions for two gpgcheck related tests. Include Fedora CPE dictionary too.
Signed-off-by: Jan Lieskovsky <[email protected]>
---
 .../checks/ensure_gpgcheck_never_disabled.xml | 29 +++++++++++++++
 FEDORA/input/checks/installed_OS_is_fedora19.xml | 41 ++++++++++++++++++++++
 .../checks/platform/fedora-cpe-dictionary.xml | 10 ++++++
 .../checks/yum_gpgcheck_global_activation.xml | 25 +++++++++++++
 4 files changed, 105 insertions(+)
 create mode 100644 FEDORA/input/checks/ensure_gpgcheck_never_disabled.xml
 create mode 100644 FEDORA/input/checks/installed_OS_is_fedora19.xml
 create mode 100644 FEDORA/input/checks/platform/fedora-cpe-dictionary.xml
 create mode 100644 FEDORA/input/checks/yum_gpgcheck_global_activation.xml
diff --git a/FEDORA/input/checks/ensure_gpgcheck_never_disabled.xml b/FEDORA/input/checks/ensure_gpgcheck_never_disabled.xml
new file mode 100644
index 0000000..5b7601f
--- /dev/null
+++ b/FEDORA/input/checks/ensure_gpgcheck_never_disabled.xml
@@ -0,0 +1,29 @@
+<def-group>
+ <definition class="compliance" id="ensure_gpgcheck_never_disabled"
+ version="1">
+ <metadata>
+ <title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <description>Ensure all yum repositories utilize signature checking.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="ensure all yum repositories utilize signiature checking" operator="AND">
+ <criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files"
+ test_ref="test_ensure_gpgcheck_never_disabled" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files"
+ id="test_ensure_gpgcheck_never_disabled" version="1">
+ <ind:object object_ref="obj_ensure_gpgcheck_never_disabled" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ensure_gpgcheck_never_disabled"
+ version="1">
+ <ind:path>/etc/yum.repos.d</ind:path>
+ <ind:filename operation="pattern match">.*</ind:filename>
+ <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/FEDORA/input/checks/installed_OS_is_fedora19.xml b/FEDORA/input/checks/installed_OS_is_fedora19.xml
new file mode 100644
index 0000000..7e2e7ac
--- /dev/null
+++ b/FEDORA/input/checks/installed_OS_is_fedora19.xml
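Review bot: The pattern `^\s*gpgcheck\s*=\s*0\s*$` in obj_ensure_gpgcheck_never_disabled only catches the literal value 0, so a repository file that disables signature checking with `gpgcheck=no`, `false` or `off` (spellings yum's config parser also reads as a boolean) passes the test; the `=1` pattern in yum_gpgcheck_global_activation.xml has the mirror-image problem and reports a compliant `gpgcheck=yes` as a failure. Broadening to something like `^\s*gpgcheck\s*=\s*(0|no|false|off)\s*$` closes the gap here. The filename pattern `.*` also scans every file under /etc/yum.repos.d, although yum only reads `*.repo`, so a stale `foo.repo.bak` with gpgcheck=0 would produce a false positive; `.*\.repo$` matches what yum actually loads. The criteria/criterion comments carry the typos "signiature" and "gpgpcheck".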
@@ -0,0 +1,41 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_OS_is_fedora19" version="1">
+ <metadata>
+ <title>Fedora release 19 (Schrödinger's Cat)</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <reference ref_id="cpe:/o:fedoraproject:fedora:19"
+ source="CPE" />
+ <description>The operating system installed on the system is
+ Fedora release 19 (Schrödinger's Cat)</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Installed operating system is part of the unix family"
+ test_ref="test_unix_family" />
+ <criterion comment="Fedora release 19 is installed"
+ test_ref="test_fedora_release" />
+ </criteria>
+ </definition>
+
+ <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_unix_family" version="1">
+ <ind:object object_ref="obj_unix_family" />
+ <ind:state state_ref="state_unix_family" />
+ </ind:family_test>
+ <ind:family_state id="state_unix_family" version="1">
+ <ind:family>unix</ind:family>
+ </ind:family_state>
+ <ind:family_object id="obj_unix_family" version="1" />
+
+ <linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="test_fedora_release" version="1">
+ <linux:object object_ref="obj_fedora_release" />
+ <linux:state state_ref="state_fedora_release" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_state id="state_fedora_release" version="1">
+ <linux:version operation="pattern match">^19$</linux:version>
+ </linux:rpminfo_state>
+ <linux:rpminfo_object id="obj_fedora_release" version="1">
+ <linux:name>fedora-release</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/FEDORA/input/checks/platform/fedora-cpe-dictionary.xml b/FEDORA/input/checks/platform/fedora-cpe-dictionary.xml
new file mode 100644
index 0000000..b457e21
--- /dev/null
+++ b/FEDORA/input/checks/platform/fedora-cpe-dictionary.xml
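Review bot: `<linux:version operation="pattern match">^19$</linux:version>` in state_fedora_release wraps a single literal in an anchored regex; `<linux:version operation="equals">19</linux:version>` states the same intent directly and reads as an exact comparison rather than a pattern. The `<description>` text is split across two added lines, so the indentation whitespace becomes part of the description value; keeping it on one line avoids that if any consumer renders it verbatim.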
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+ <cpe-item name="cpe:/o:fedoraproject:fedora:19">
+ <title xml:lang="en-us">Fedora release 19 (Schrödinger's Cat)</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_fedora19</check>
+ </cpe-item>
+</cpe-list>
diff --git a/FEDORA/input/checks/yum_gpgcheck_global_activation.xml b/FEDORA/input/checks/yum_gpgcheck_global_activation.xml
new file mode 100644
index 0000000..c2a73c6
--- /dev/null
+++ b/FEDORA/input/checks/yum_gpgcheck_global_activation.xml
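Review bot: `href="filename"` on the `<check>` element is a placeholder, and nothing in this file says who replaces it; until it is substituted the CPE entry points at a non-existent OVAL document and the platform check cannot be resolved. Presumably a build step rewrites it, so the existing comment should say so, e.g. `<!-- href="filename" is a placeholder; the build must replace it with the path of the generated OVAL file that defines installed_OS_is_fedora19 -->`. Minor: `xml:lang="en-us"` is conventionally written `en-US` (BCP 47 is case-insensitive, so this is cosmetic), and the remote `xsi:schemaLocation` should be treated by validators as a hint, not fetched.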
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="yum_gpgcheck_global_activation" version="1">
+ <metadata>
+ <title>Ensure Yum gpgcheck Globally Activated</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <description>The gpgcheck option should be used to ensure that checking
+ of an RPM package's signature always occurs prior to its
+ installation.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_yum_gpgcheck_global_activation" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="test_yum_gpgcheck_global_activation" version="1">
+ <ind:object object_ref="object_yum_gpgcheck_global_activation" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_yum_gpgcheck_global_activation" comment="gpgcheck set in /etc/yum.conf" version="1">
+ <ind:filepath>/etc/yum.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
--
1.7.11.7
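Review bot: The pattern `^\s*gpgcheck\s*=\s*1\s*$` matches a `gpgcheck=1` line anywhere in /etc/yum.conf, not specifically under `[main]`, so if the file also carries a repository section that sets gpgcheck=1 the test passes even when the global setting is absent; a multi-line pattern anchored on the `[main]` header, or a comment documenting that /etc/yum.conf is assumed to hold only `[main]`, would make the scope explicit. For consistency with ensure_gpgcheck_never_disabled.xml in the same commit, the object id prefix here is `object_` while the sibling uses `obj_`, and `operation="equals"` is spelled out on `<ind:instance>` here but left to the default there; pick one convention for both files.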
