>From c3c70926bc063e7d82d94daecf59e22cfcbd658b Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sat, 26 Oct 2013 00:36:24 -0400 Subject: [PATCH 2/3] OVAL + bash remediation update for groupowner_shadow_file - XCCDF/OVAL naming, file_groupowner_etc_shadow => groupowner_shadow_file - Added bash remediation
--- RHEL6/input/checks/file_groupowner_etc_shadow.xml | 29 --------------------- RHEL6/input/checks/groupowner_shadow_file.xml | 29 +++++++++++++++++++++ RHEL6/input/fixes/bash/groupowner_shadow_file.sh | 1 + RHEL6/input/system/permissions/files.xml | 2 +- 4 files changed, 31 insertions(+), 30 deletions(-) delete mode 100644 RHEL6/input/checks/file_groupowner_etc_shadow.xml create mode 100644 RHEL6/input/checks/groupowner_shadow_file.xml create mode 100644 RHEL6/input/fixes/bash/groupowner_shadow_file.sh diff --git a/RHEL6/input/checks/file_groupowner_etc_shadow.xml b/RHEL6/input/checks/file_groupowner_etc_shadow.xml deleted file mode 100644 index 579e1d8..0000000 --- a/RHEL6/input/checks/file_groupowner_etc_shadow.xml +++ /dev/null @@ -1,29 +0,0 @@ -<def-group> - <definition class="compliance" id="file_groupowner_etc_shadow" version="1"> - <metadata> - <title>Verify group who owns 'shadow' file</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The /etc/shadow file should be owned by the appropriate - group.</description> - <reference source="swells" ref_id="20130918" ref_url="test_attestation" /> - </metadata> - <criteria> - <criterion test_ref="test_groupowner_etc_shadow" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="all_exist" - comment="Testing group ownership /etc/shadow" id="test_groupowner_etc_shadow" - version="1"> - <unix:object object_ref="object_file_groupowner_etc_shadow" /> - <unix:state state_ref="state_file_groupowner_etc_shadow" /> - </unix:file_test> - <unix:file_state id="state_file_groupowner_etc_shadow" version="1"> - <unix:group_id datatype="int">0</unix:group_id> - </unix:file_state> - <unix:file_object comment="/etc/shadow" - id="object_file_groupowner_etc_shadow" version="1"> - <unix:filepath>/etc/shadow</unix:filepath> - </unix:file_object> -</def-group> diff --git a/RHEL6/input/checks/groupowner_shadow_file.xml b/RHEL6/input/checks/groupowner_shadow_file.xml new file mode 100644 index 0000000..d7423cc --- /dev/null +++ b/RHEL6/input/checks/groupowner_shadow_file.xml @@ -0,0 +1,29 @@ +<def-group> + <definition class="compliance" id="groupowner_shadow_file" version="1"> + <metadata> + <title>Verify group who owns 'shadow' file</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The /etc/shadow file should be owned by the appropriate + group.</description> + <reference source="swells" ref_id="20130918" ref_url="test_attestation" /> + </metadata> + <criteria> + <criterion test_ref="test_groupowner_etc_shadow" /> + </criteria> + </definition> + <unix:file_test check="all" check_existence="all_exist" + comment="Testing group ownership /etc/shadow" id="test_groupowner_etc_shadow" + version="1"> + <unix:object object_ref="object_groupowner_shadow_file" /> + <unix:state state_ref="state_groupowner_shadow_file" /> + </unix:file_test> + <unix:file_state id="state_groupowner_shadow_file" version="1"> + <unix:group_id datatype="int">0</unix:group_id> + </unix:file_state> + <unix:file_object comment="/etc/shadow" + id="object_groupowner_shadow_file" version="1"> + <unix:filepath>/etc/shadow</unix:filepath> + </unix:file_object> +</def-group> diff --git a/RHEL6/input/fixes/bash/groupowner_shadow_file.sh b/RHEL6/input/fixes/bash/groupowner_shadow_file.sh new file mode 100644 index 0000000..f65ada7 --- /dev/null +++ b/RHEL6/input/fixes/bash/groupowner_shadow_file.sh @@ -0,0 +1 @@ +chgrp root /etc/shadow diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 77cc19d..55e2c17 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -39,7 +39,7 @@ which could weaken the system security posture.</rationale> <rationale>The <tt>/etc/shadow</tt> file stores password hashes. Protection of this file is critical for system security.</rationale> <ident cce="26967-0" /> -<oval id="file_groupowner_etc_shadow" /> +<oval id="groupowner_shadow_file" /> <ref nist="AC-6" disa="225"/> <tested by="DS" on="20121026"/> </Rule> -- 1.7.1
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
