On 10/1/13 1:09 PM, Caleb Cooper wrote:
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/bin directories uid root" 
id="test_ownership_usr_bin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_bin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/bin files uid root" 
id="test_ownership_usr_bin_files" version="1">
+    <unix:object object_ref="object_file_ownership_usr_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/bin directories" id="object_file_ownership_usr_bin_dir" 
version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" 
recurse_file_system="all" />
+    <unix:path operation="equals">/usr/bin</unix:path>
+    <unix:filename xsi:nil="true" />
+       <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/bin files" id="object_file_ownership_usr_bin_files" 
version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" 
recurse_file_system="all" />
+    <unix:path operation="equals">/usr/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/sbin directories uid root" 
id="test_ownership_usr_sbin_dir" version="1">
+    <unix:object object_ref="object_file_ownership_usr_sbin_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="/usr/sbin files uid root" 
id="test_ownership_usr_sbin_files" version="1">
+    <unix:object object_ref="object_file_ownership_usr_sbin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/sbin directories" id="object_file_ownership_usr_sbin_dir" 
version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" 
recurse_file_system="all" />
+    <unix:path operation="equals">/usr/sbin</unix:path>
+    <unix:filename xsi:nil="true" />
+       <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/sbin files" id="object_file_ownership_usr_sbin_files" 
version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" 
recurse_file_system="all" />
+    <unix:path operation="equals">/usr/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+

Fixed!

[shawn@SSG-RHEL6 checks]$ sudo bash
[root@SSG-RHEL6 checks]# DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
[root@SSG-RHEL6 checks]# for dirPath in $DIRS; do find $dirPath \! -user root -exec chown root '{}' \;; done ; exit
[shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/bin/a2p
[shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsln84Oi.xml
Writing results to : /tmp/file_ownership_binary_dirsln84Oi.xml-results
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.

Please push!
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
