Blarg. OK, I'll resubmit the patch after some more testing. I'm not sure what's going wrong yet.

On 09/26/2013 10:46 PM, Shawn Wells wrote:
On 9/25/13 2:49 PM, Maura Dailey wrote:
Signed-off-by: Maura Dailey <[email protected]>
---
.../checks/accounts_dangerous_path_for_root.xml | 67 +++++++++++++------- .../checks/accounts_root_path_dirs_no_write.xml | 59 +++++++++---------
  2 files changed, 74 insertions(+), 52 deletions(-)

diff --git a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
index efc4f0d..7e475c4 100644
--- a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
+++ b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
@@ -5,7 +5,9 @@
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
- <description>The environment variable PATH should be set correctly for the root user.</description>
+ <description>The environment variable PATH should be set correctly for
+      the root user.</description>
+ <reference source="MED" ref_id="20130925" ref_url="test_attestation" />
      </metadata>
<criteria comment="environment variable PATH contains dangerous path" operator="AND">
 <criterion comment="environment variable PATH starts with : or ." test_ref="test_env_var_begins" />
@@ -16,50 +18,69 @@
<criterion comment="environment variable PATH doesn't contain relative paths" test_ref="test_env_var_contains_relative_path" />
      </criteria>
    </definition>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with : or ." id="test_env_var_begins" version="1">
-    <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_object id="object_accounts_dangerous_path_for_root"
+  version="1">
+    <ind:pid xsi:nil="true" datatype="int" />
+    <ind:name>PATH</ind:name>
+  </ind:environmentvariable58_object>
+  <ind:environmentvariable58_test check="none satisfy"
+  comment="environment variable PATH starts with : or ."
+  id="test_env_var_begins" version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_begins_colon_period" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains : twice in a row" id="test_env_var_contains_doublecolon" version="1">
-    <ind:object object_ref="object_env_var_path" />
+  <ind:environmentvariable58_test check="none satisfy"
+  comment="environment variable PATH doesn't contain : twice in a row"
+  id="test_env_var_contains_doublecolon" version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_contains_double_colon" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains . twice in a row" id="test_env_var_contains_doubleperiod" version="1">
-    <ind:object object_ref="object_env_var_path" />
+  <ind:environmentvariable58_test check="none satisfy"
+  comment="environment variable PATH doesn't contain . twice in a row"
+  id="test_env_var_contains_doubleperiod" version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_contains_double_period" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH ends with : or ." id="test_env_var_ends" version="1">
-    <ind:object object_ref="object_env_var_path" />
+  <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH ends with : or ." id="test_env_var_ends"
+  version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_ends_colon_period" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="test_env_var_begins_slash" version="1">
-    <ind:object object_ref="object_env_var_path" />
+  <ind:environmentvariable58_test check="none satisfy"
+  comment="environment variable PATH starts with an absolute path /"
+  id="test_env_var_begins_slash" version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_begins_slash" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains relative paths" id="test_env_var_contains_relative_path" version="1">
-    <ind:object object_ref="object_env_var_path" />
+  <ind:environmentvariable58_test check="none satisfy"
+  comment="environment variable PATH contains relative paths"
+  id="test_env_var_contains_relative_path" version="1">
+    <ind:object object_ref="object_accounts_dangerous_path_for_root" />
      <ind:state state_ref="state_contains_relative_path" />
    </ind:environmentvariable58_test>
- <ind:environmentvariable58_object id="object_env_var_path" version="1">
-    <ind:pid xsi:nil="true" datatype="int" />
-    <ind:name>PATH</ind:name>
-  </ind:environmentvariable58_object>
- <ind:environmentvariable58_state comment="starts with colon or period" id="state_begins_colon_period" version="1">
+ <ind:environmentvariable58_state comment="starts with colon or period"
+  id="state_begins_colon_period" version="1">
      <ind:value operation="pattern match">^[:\.]</ind:value>
    </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="colon twice in a row" id="state_contains_double_colon" version="1">
+  <ind:environmentvariable58_state comment="colon twice in a row"
+  id="state_contains_double_colon" version="1">
      <ind:value operation="pattern match">::</ind:value>
    </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="period twice in a row" id="state_contains_double_period" version="1">
+  <ind:environmentvariable58_state comment="period twice in a row"
+  id="state_contains_double_period" version="1">
      <ind:value operation="pattern match">\.\.</ind:value>
    </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="ends with colon or period" id="state_ends_colon_period" version="1">
+  <ind:environmentvariable58_state comment="ends with colon or period"
+  id="state_ends_colon_period" version="1">
      <ind:value operation="pattern match">[:\.]$</ind:value>
    </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="begins with a slash" id="state_begins_slash" version="1">
+  <ind:environmentvariable58_state comment="begins with a slash"
+  id="state_begins_slash" version="1">
      <ind:value operation="pattern match">^[^/]</ind:value>
    </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="elements begin with a slash" id="state_contains_relative_path" version="1">
+ <ind:environmentvariable58_state comment="elements begin with a slash"
+  id="state_contains_relative_path" version="1">
      <ind:value operation="pattern match">[^\\]:[^/]</ind:value>
    </ind:environmentvariable58_state>
  </def-group>
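Review bot: The test comments `comment="environment variable PATH doesn't contain : twice in a row"` and `comment="environment variable PATH doesn't contain . twice in a row"` describe the desired outcome, whereas the sibling tests (`starts with : or .`, `ends with : or .`, `contains relative paths`) describe what the state matches under `check="none satisfy"`; since every test here is `none satisfy` against a state that matches the bad pattern, those two should read `comment="environment variable PATH contains : twice in a row"` and `comment="environment variable PATH contains . twice in a row"`, leaving the criterion comments to express the negation. Separately, the new shared object uses `<ind:pid xsi:nil="true" datatype="int" />`, which I read as selecting the PATH of the evaluating process rather than root's login environment, so a scan launched from a service or cron context with a sanitized PATH could report compliant while root's interactive PATH is not; a comment on the object would make that explicit, e.g. `<!-- pid nil: evaluates the PATH of the scanner's own process; run the scan from root's environment -->`. The same pid-nil object is introduced in accounts_root_path_dirs_no_write.xml and the note applies there too.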

Ack!



diff --git a/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml b/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
index d0a20d3..cf5c09d 100644
--- a/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
+++ b/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
@@ -1,6 +1,5 @@
  <def-group>
-  <definition class="compliance" id="accounts_root_path_dirs_no_write"
-  version="1">
+ <definition class="compliance" id="accounts_root_path_dirs_no_write" version="1">
      <metadata>
        <title>Write permissions are disabled for group and other in all
        directories in Root's Path</title>
@@ -9,50 +8,52 @@
        </affected>
<description>Check each directory in root's path and make use it does not
        grant write permission to group and other</description>
+ <reference source="MED" ref_id="20130925" ref_url="test_attestation" />
      </metadata>
- <criteria comment="Check that write permission to group and other in root's path is denied"
-    negate="true" operator="OR">
- <criterion comment="Check for write permission to group in root's path"
-      test_ref="test_accounts_root_path_dirs_no_write_group" />
- <criterion comment="Check for write permission to other in root's path"
-      test_ref="test_accounts_root_path_dirs_no_write_other" />
+ <criteria comment="Check that write permission to group and other in root's path is denied" negate="true" operator="OR">
+ <criterion comment="Check for write permission to group in root's path" test_ref="test_accounts_root_path_dirs_no_write_group" />
+ <criterion comment="Check for write permission to other in root's path" test_ref="test_accounts_root_path_dirs_no_write_other" />
      </criteria>
    </definition>
+ <ind:environmentvariable58_object id="object_accounts_root_path_dirs_no_write_pathenv" version="1">
+    <ind:pid xsi:nil="true" datatype="int" />
+    <ind:name>PATH</ind:name>
+  </ind:environmentvariable58_object>
+ <local_variable comment="Split the PATH on the : delimiter" datatype="string"
+  id="var_accounts_root_path_dirs_no_write" version="1">
+    <split delimiter=":">
+      <object_component item_field="value"
+ object_ref="object_accounts_root_path_dirs_no_write_pathenv" />
+    </split>
+  </local_variable>
    <unix:file_test check="all" check_existence="any_exist"
comment="Check that write permission to group in root's path is denied"
    id="test_accounts_root_path_dirs_no_write_group" version="1">
- <unix:object object_ref="object_accounts_root_path_dirs_no_write" />
- <unix:state state_ref="state_accounts_root_path_dirs_no_write_group" />
+ <unix:object object_ref="object_accounts_root_path_dirs_no_write_group" />
    </unix:file_test>
    <unix:file_state comment="Group has write privilege"
    id="state_accounts_root_path_dirs_no_write_group" version="1">
-    <unix:gwrite datatype="boolean">1</unix:gwrite>
+    <unix:gwrite datatype="boolean">true</unix:gwrite>
    </unix:file_state>
- <unix:file_object xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-  comment="root's PATH" id="object_accounts_root_path_dirs_no_write"
-  version="1">
-    <unix:path var_ref="var_accounts_root_path_dirs_no_write" />
+  <unix:file_object comment="root's PATH"
+  id="object_accounts_root_path_dirs_no_write_group" version="1">
+ <unix:path var_ref="var_accounts_root_path_dirs_no_write" var_check="at least one" />
      <unix:filename xsi:nil="true" />
+ <filter action="include">state_accounts_root_path_dirs_no_write_group</filter>
    </unix:file_object>
- <local_variable comment="Split the PATH on the : delimiter" datatype="string"
-  id="var_accounts_root_path_dirs_no_write" version="1">
-    <split delimiter=":">
-      <object_component item_field="value"
- object_ref="object_accounts_root_path_dirs_no_write_pathenv" />
-    </split>
-  </local_variable>
- <ind:environmentvariable_object id="object_accounts_root_path_dirs_no_write_pathenv"
-  version="1">
-    <ind:name>PATH</ind:name>
-  </ind:environmentvariable_object>
    <unix:file_test check="all" check_existence="any_exist"
comment="Check that write permission to other in root's path is denied"
    id="test_accounts_root_path_dirs_no_write_other" version="1">
- <unix:object object_ref="object_accounts_root_path_dirs_no_write" />
- <unix:state state_ref="state_accounts_root_path_dirs_no_write_other" />
+ <unix:object object_ref="object_accounts_root_path_dirs_no_write_other" />
    </unix:file_test>
    <unix:file_state comment="Other has write privilege"
    id="state_accounts_root_path_dirs_no_write_other" version="1">
-    <unix:owrite datatype="boolean">1</unix:owrite>
+    <unix:owrite datatype="boolean">true</unix:owrite>
    </unix:file_state>
+  <unix:file_object comment="root's PATH"
+  id="object_accounts_root_path_dirs_no_write_other" version="1">
+ <unix:path var_ref="var_accounts_root_path_dirs_no_write" var_check="at least one" />
+    <unix:filename xsi:nil="true" />
+ <filter action="include">state_accounts_root_path_dirs_no_write_other</filter>
+  </unix:file_object>
  </def-group>
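Review bot: Both file_tests now carry `check="all"` with no `<unix:state>` child, so the group/other write check lives entirely in the object-side `<filter action="include">` and each test is true only when the filtered collection is non-empty via `check_existence="any_exist"`; that inversion is easy to misread next to the `negate="true"` criteria and deserves a comment on each test, e.g. `<!-- object is pre-filtered to writable dirs; any surviving item is a finding -->`. The `false` result reported on a clean PATH is not explained by the visible lines alone; two things I would verify are whether the engine reports an empty filtered collection as "does not exist" (test false, definition true after negation) or as an error/unknown that propagates through the OR, and whether dropping `xmlns:xsi` from the file_object while `<unix:filename xsi:nil="true" />` remains is covered by a declaration on the enclosing document. Also, an empty or relative PATH element (the cases accounts_dangerous_path_for_root.xml flags) would presumably be resolved against the scanner's working directory here, so the two definitions are only sound when applied together.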

This kept failing when I tested it:

[root@SSG-RHEL6 checks]# ./testcheck.py accounts_root_path_dirs_no_write.xml
Evaluating with OVAL tempfile : /tmp/accounts_root_path_dirs_no_writePF9qcC.xml
Writing results to : /tmp/accounts_root_path_dirs_no_writePF9qcC.xml-results
Definition oval:scap-security-guide.testing:def:198: false
Evaluation done.

[root@SSG-RHEL6 checks]# echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin
[root@SSG-RHEL6 checks]# ll / | grep bin
dr-xr-xr-x.   2 root root  4096 Sep  6 19:50 bin
dr-xr-xr-x.   2 root root 12288 Sep  6 19:50 sbin
[root@SSG-RHEL6 checks]# ll /usr/ | grep bin
dr-xr-xr-x.   2 root root 32768 Sep 11 21:27 bin
dr-xr-xr-x.   2 root root 12288 Sep 15 22:06 sbin

