bin. The second was a criterion which had an extra letter so it ended up not performing one of the checks and missed files which were owned by a user other than root.

Caleb Cooper Tue, 01 Oct 2013 10:10:18 -0700

Signed-off-by: Caleb Cooper <[email protected]>
---
 RHEL6/input/checks/file_ownership_binary_dirs.xml |  162 +++++++++++++++++++++
 1 files changed, 162 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_binary_dirs.xml


diff --git a/RHEL6/input/checks/file_ownership_binary_dirs.xml 
b/RHEL6/input/checks/file_ownership_binary_dirs.xml
new file mode 100644
index 0000000..602c720
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_binary_dirs.xml
@@ -0,0 +1,162 @@
+<def-group>
+  <definition class="compliance" id="file_ownership_binary_dirs" version="1">
+    <metadata>
+      <title>Verify that System Executables Have Root Ownership</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>Checks that /bin, /sbin, /usr/bin, /usr/sbin, 
/usr/local/bin, /usr/local/sbin and objects therein, are owned by 
root</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_ownership_bin_dir" />
+      <criterion test_ref="test_ownership_sbin_dir" />
+      <criterion test_ref="test_ownership_usr_bin_dir" />
+      <criterion test_ref="test_ownership_usr_sbin_dir" />
+      <criterion test_ref="test_ownership_usr_local_bin_dir" />
+      <criterion test_ref="test_ownership_usr_local_bin_dir" />
+      <criterion test_ref="test_ownership_bin_files" />
+      <criterion test_ref="test_ownership_sbin_files" />
+      <criterion test_ref="test_ownership_usr_bin_files" />
+      <criterion test_ref="test_ownership_usr_sbin_files" />
+      <criterion test_ref="test_ownership_usr_local_bin_files" />
+      <criterion test_ref="test_ownership_usr_local_sbin_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/bin 
directories uid root" id="test_ownership_bin_dir" version="1">
+    <unix:object object_ref="file_ownership_object_bin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/bin 
files uid root" id="test_ownership_bin_files" version="1">
+    <unix:object object_ref="object_file_ownership_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/bin directories" 
id="file_ownership_object_bin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/bin</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/bin files" id="object_file_ownership_bin_files" 
version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+   <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/sbin 
directories uid root" id="test_ownership_sbin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_sbin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/sbin 
files uid root" id="test_ownership_sbin_files" version="1">
+    <unix:object object_ref="object_file_ownership_sbin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/sbin directories" 
id="object_file_ownership_sbin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/sbin</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/sbin files" 
id="object_file_ownership_sbin_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/bin 
directories uid root" id="test_ownership_usr_bin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_bin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/bin 
files uid root" id="test_ownership_usr_bin_files" version="1">
+    <unix:object object_ref="object_file_ownership_usr_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/bin directories" 
id="object_file_ownership_usr_bin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/bin</unix:path>
+    <unix:filename xsi:nil="true" />
+       <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/bin files" 
id="object_file_ownership_usr_bin_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>  
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/sbin 
directories uid root" id="test_ownership_usr_sbin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_sbin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/sbin 
files uid root" id="test_ownership_usr_sbin_files" version="1">
+    <unix:object object_ref="object_file_ownership_usr_sbin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/sbin directories" 
id="object_file_ownership_usr_sbin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/sbin</unix:path>
+    <unix:filename xsi:nil="true" />
+       <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/sbin files" 
id="object_file_ownership_usr_sbin_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test  check="all" check_existence="none_exist" 
comment="/usr/local/bin directories uid root" 
id="test_ownership_usr_local_bin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_local_bin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" 
comment="/usr/local/bin files uid root" id="test_ownership_usr_local_bin_files" 
version="1">
+    <unix:object object_ref="object_file_ownership_usr_local_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/local/bin directories" 
id="object_file_ownership_usr_local_bin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/bin</unix:path>
+    <unix:filename xsi:nil="true" />
+   <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/local/bin files" 
id="object_file_ownership_usr_local_bin_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+  
+  <unix:file_test  check="all" check_existence="none_exist" 
comment="/usr/local/sbin directories uid root" 
id="test_ownership_usr_local_sbin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_local_sbin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" 
comment="/usr/local/sbin files uid root" 
id="test_ownership_usr_local_sbin_files" version="1">
+    <unix:object object_ref="object_file_ownership_usr_local_sbin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/local/sbin directories" 
id="object_file_ownership_usr_local_sbin_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/sbin</unix:path>
+    <unix:filename xsi:nil="true" />
+   <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/local/sbin files" 
id="object_file_ownership_usr_local_sbin_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!--    <unix:group_id datatype="int" operation="not equal">0</unix:group_id> 
-->
+    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+  </unix:file_state>
+</def-group>
-- 
1.7.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Reply via email to