>From 3233911e7590f11217cda50abbd734b149d314c2 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sat, 26 Oct 2013 00:28:46 -0400 Subject: [PATCH 1/3] OVAL update for file_owner_etc_shadow - XCCDF/OVAL naming update, file_owner_etc_shadow => userowner_shadow_file - Added remediation script - filepath/filename OVAL tag
---
RHEL6/input/checks/file_owner_etc_shadow.xml | 33 ----------------------
RHEL6/input/checks/userowner_shadow_file.xml | 32 ++++++++++++++++++++++
RHEL6/input/fixes/bash/userowner_shadow_file.sh | 1 +
RHEL6/input/system/permissions/files.xml | 2 +-
4 files changed, 34 insertions(+), 34 deletions(-)
delete mode 100644 RHEL6/input/checks/file_owner_etc_shadow.xml
create mode 100644 RHEL6/input/checks/userowner_shadow_file.xml
create mode 100644 RHEL6/input/fixes/bash/userowner_shadow_file.sh
diff --git a/RHEL6/input/checks/file_owner_etc_shadow.xml b/RHEL6/input/checks/file_owner_etc_shadow.xml
deleted file mode 100644
index dc108c1..0000000
--- a/RHEL6/input/checks/file_owner_etc_shadow.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="file_owner_etc_shadow" version="1">
- <metadata>
- <title>Verify user who owns 'shadow' file</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The /etc/shadow file should be owned by the
- appropriate user.</description>
- <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion comment="Check file ownership of /etc/shadow"
- test_ref="test_file_owner_etc_shadow" />
- </criteria>
- </definition>
- <unix:file_test check="all" check_existence="all_exist"
- comment="Testing user ownership of /etc/shadow"
- id="test_file_owner_etc_shadow" version="1">
- <unix:object object_ref="object_file_etc_shadow" />
- <unix:state state_ref="state_etc_shadow_uid_root" />
- </unix:file_test>
- <unix:file_state id="state_etc_shadow_uid_root"
- version="1">
- <unix:user_id datatype="int">0</unix:user_id>
- </unix:file_state>
- <unix:file_object comment="/etc/shadow"
- id="object_file_etc_shadow" version="1">
- <unix:path>/etc</unix:path>
- <unix:filename>shadow</unix:filename>
- </unix:file_object>
-</def-group>
diff --git a/RHEL6/input/checks/userowner_shadow_file.xml b/RHEL6/input/checks/userowner_shadow_file.xml
new file mode 100644
index 0000000..4ef23c4
--- /dev/null
+++ b/RHEL6/input/checks/userowner_shadow_file.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance"
+ id="userowner_shadow_file" version="1">
+ <metadata>
+ <title>Verify user who owns 'shadow' file</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The /etc/shadow file should be owned by the
+ appropriate user.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion comment="Check file ownership of /etc/shadow"
+ test_ref="test_userowner_shadow_file" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="all_exist"
+ comment="Testing user ownership of /etc/shadow"
+ id="test_userowner_shadow_file" version="1">
+ <unix:object object_ref="object_file_etc_shadow" />
+ <unix:state state_ref="state_etc_shadow_uid_root" />
+ </unix:file_test>
+ <unix:file_state id="state_etc_shadow_uid_root"
+ version="1">
+ <unix:user_id datatype="int">0</unix:user_id>
+ </unix:file_state>
+ <unix:file_object comment="/etc/shadow"
+ id="object_file_etc_shadow" version="1">
+ <unix:filepath>/etc/shadow</unix:filepath>
+ </unix:file_object>
+</def-group>
diff --git a/RHEL6/input/fixes/bash/userowner_shadow_file.sh b/RHEL6/input/fixes/bash/userowner_shadow_file.sh
new file mode 100644
index 0000000..40ca701
--- /dev/null
+++ b/RHEL6/input/fixes/bash/userowner_shadow_file.sh
@@ -0,0 +1 @@
+chown root /etc/shadow
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 16b7618..77cc19d 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
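Review bot: The new definition's `<description>` still says /etc/shadow "should be owned by the appropriate user", while the only state it evaluates, `state_etc_shadow_uid_root`, pins `<unix:user_id>` to 0, so the prose should name the owner the check actually enforces: `<description>The /etc/shadow file should be owned by the root user (uid 0).</description>`. The `<reference source="MED" ref_id="20130807" ref_url="test_attestation" />` is carried over unchanged even though the object was rewritten from `<unix:path>`/`<unix:filename>` to a single `<unix:filepath>`; if that reference records when the test was last verified on a live system, it presumably should be re-attested after the object change. The object and state ids `object_file_etc_shadow` and `state_etc_shadow_uid_root` were not renamed together with the definition and test ids; if any sibling check for /etc/shadow declares the same ids, the combined OVAL document will contain duplicates, so consider moving them to the `userowner_shadow_file` naming scheme as well.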
@@ -27,7 +27,7 @@ critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</rationale>
 <ident cce="26947-2" />
-<oval id="file_owner_etc_shadow" />
+<oval id="userowner_shadow_file" />
 <ref nist="AC-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
--
1.7.1
