----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Sunday, December 8, 2013 8:21:23 PM
> Subject: Re: [PATCH] [Fedora] OVAL checks for file_ownership_library_dirs,
> file_permissions_binary_dirs, and
> file_ownership_binary_dirs
>
> On 12/6/13, 12:20 PM, Jan Lieskovsky wrote:
>
>
>
> This patch adds the following to Fedora (all three are rewritten /
> simplified versions of existing RHEL-6 OVAL checks):
> * OVAL check for Verify that Shared Library Files Have Root Ownership
> * OVAL check for Verify that System Executables Have Restrictive Permissions
> * OVAL check for Verify that System Executables Have Root Ownership
>
> While all three from the provided OVAL checks could be placed into shared
> directory, for now will keep them under Fedora input directory till
> there's support for XSLT platform rewrite transformation in shared etc.
>
> When their times come, they can be moved to shared together with
> platforms attestations (past testing on RHEL-6 too).
>
> Passed basic sanity testing on Fedora.
>
> Please review (mainly if existing RHEL-6 ones could be
> possibly replaced with these).
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> Ack.
Thanks, Shawn.

>
> I applied this locally, copied the OVAL into shared/, rm'd the RHEL6 version,
> soft linked shared into RHEL6/input/checks, then updated the platform tag to
> be:
>
>
> <affected family="unix">
> <platform>Fedora 19</platform>
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>

Yes, this is another way we could go instead of doing automated XSLT
transform -- have platform fixed for RHEL6 (and upcoming RHEL 7) and latest
Fedora (this would require a patch once per half year updating it).

>
> Ran 'make content' on RHEL6, and the scan worked correctly. IMO there's no
> need to wait until the XSLT is complete as this could get us moving forward.
> Don't particularly have a strong opinion on it though, so whatever you think
> is best!

Yeah, tested on RHEL-6 too, and they worked. So pushed to shared directory:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a51845ed0240542457cf1aafe2228b577b37d3c6

For now added only Fedora 19 as platform (RHEL6 will be added post the
RHEL-6 RPM build enhanced and scripts equipped with attestations).

Right now need to focus on preparing new Fedora releases, but as soon as they
are done, will have a look on enhancing shared functionality (for now we
could go with multiple platform rows, and add just for presence of
attestations during the build).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
>
> 0001-Fedora-Add-OVAL-check-for-Verify-that-Shared-Library.patch
> From 02e08662c6d02f58e6a053492f87c436eb5b851a Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Fri, 6 Dec 2013 17:52:25 +0100
> Subject: [PATCH] [Fedora] Add OVAL check for Verify that Shared Library Files
> Have Root Ownership [Fedora] Add OVAL check for Verify that System
> Executables Have Restrictive Permissions [Fedora] Add OVAL check for Verify
> that System Executables Have Root Ownership
> > Signed-off-by: Jan Lieskovsky <[email protected]> --- > Fedora/input/checks/file_ownership_binary_dirs.xml | 47 > ++++++++++++++++++++++ > .../input/checks/file_ownership_library_dirs.xml | 45 > +++++++++++++++++++++ > .../input/checks/file_permissions_binary_dirs.xml | 40 ++++++++++++++++++ > Fedora/input/system/permissions/files.xml | 6 +-- > Fedora/scap-security-guide.spec | 7 +++- > 5 files changed, 141 insertions(+), 4 deletions(-) > create mode 100644 Fedora/input/checks/file_ownership_binary_dirs.xml > create mode 100644 Fedora/input/checks/file_ownership_library_dirs.xml > create mode 100644 Fedora/input/checks/file_permissions_binary_dirs.xml > > diff --git a/Fedora/input/checks/file_ownership_binary_dirs.xml > b/Fedora/input/checks/file_ownership_binary_dirs.xml > new file mode 100644 > index 0000000..b6d0eec > --- /dev/null > +++ b/Fedora/input/checks/file_ownership_binary_dirs.xml 
> @@ -0,0 +1,47 @@ > +<def-group> > + <definition class="compliance" id="file_ownership_binary_dirs" > version="1"> > + <metadata> > + <title>Verify that System Executables Have Root Ownership</title> > + <affected family="unix"> > + <platform>Fedora 19</platform> > + </affected> > + <description> > + Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, > + /usr/local/sbin, and objects therein, are owned by root. > + </description> > + </metadata> > + <criteria operator="AND"> > + <criterion test_ref="test_ownership_binary_directories" /> > + <criterion test_ref="test_ownership_binary_files" /> > + </criteria> > + </definition> > + > + <unix:file_test check="all" check_existence="none_exist" comment="binary > directories uid root" id="test_ownership_binary_directories" version="1"> > + <unix:object object_ref="object_file_ownership_binary_directories" /> > + </unix:file_test> > + > + <unix:file_test check="all" check_existence="none_exist" comment="binary > files uid root" id="test_ownership_binary_files" version="1"> > + <unix:object object_ref="object_file_ownership_binary_files" /> > + </unix:file_test> > + > + <unix:file_object comment="binary directories" > id="object_file_ownership_binary_directories" version="1"> > + <!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and > + /usr/local/sbin directories belong to user with uid 0 (root) --> > + <unix:path operation="pattern match">^\/( | s)bin | > ^\/usr\/(|local\/)(|s)bin</unix:path> > + <unix:filename xsi:nil="true" /> > + <filter action="include">state_owner_binaries_not_root</filter> > + </unix:file_object> > + > + <unix:file_object comment="binary files" > id="object_file_ownership_binary_files" version="1"> > + <!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, > /usr/local/bin, and > + /usr/local/sbin directories belong to user with uid 0 (root) --> > + <unix:path operation="pattern match">^\/( | s)bin | > ^\/usr\/(|local\/)(|s)bin</unix:path> > + <unix:filename 
operation="pattern match">^.*$</unix:filename> > + <filter action="include">state_owner_binaries_not_root</filter> > + </unix:file_object> > + > + <unix:file_state id="state_owner_binaries_not_root" version="1" > operator="OR"> > + <unix:user_id datatype="int" operation="not equal">0</unix:user_id> > + </unix:file_state> > + > +</def-group> > diff --git a/Fedora/input/checks/file_ownership_library_dirs.xml > b/Fedora/input/checks/file_ownership_library_dirs.xml > new file mode 100644 > index 0000000..09c408e > --- /dev/null > +++ b/Fedora/input/checks/file_ownership_library_dirs.xml 
> @@ -0,0 +1,45 @@ > +<def-group> > + <definition class="compliance" id="file_ownership_library_dirs" > version="1"> > + <metadata> > + <title>Verify that Shared Library Files Have Root Ownership</title> > + <affected family="unix"> > + <platform>Fedora 19</platform> > + </affected> > + <description> > + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and > + objects therein, are owned by root. > + </description> > + </metadata> > + <criteria operator="AND"> > + <criterion test_ref="test_ownership_lib_dir" /> > + <criterion test_ref="test_ownership_lib_files" /> > + </criteria> > + </definition> > + > + <unix:file_test check="all" check_existence="none_exist" comment="library > directories uid root" id="test_ownership_lib_dir" version="1"> > + <unix:object object_ref="object_file_ownership_lib_dir" /> > + </unix:file_test> > + > + <unix:file_test check="all" check_existence="none_exist" comment="library > files uid root" id="test_ownership_lib_files" version="1"> > + <unix:object object_ref="object_file_ownership_lib_files" /> > + </unix:file_test> > + > + <unix:file_object comment="library directories" > id="object_file_ownership_lib_dir" version="1"> > + <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories > belong to user with uid 0 (root) --> > + <unix:path operation="pattern > match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> > + <unix:filename xsi:nil="true" /> > + <filter action="include">state_owner_libraries_not_root</filter> > + </unix:file_object> > + > + <unix:file_object comment="library files" > id="object_file_ownership_lib_files" version="1"> > + <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 > directories belong to user with uid 0 (root) --> > + <unix:path operation="pattern > match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> > + <unix:filename operation="pattern match">^.*$</unix:filename> > + <filter action="include">state_owner_libraries_not_root</filter> > + </unix:file_object> > + > + 
<unix:file_state id="state_owner_libraries_not_root" version="1"> > + <unix:user_id datatype="int" operation="not equal">0</unix:user_id> > + </unix:file_state> > + > +</def-group> > diff --git a/Fedora/input/checks/file_permissions_binary_dirs.xml > b/Fedora/input/checks/file_permissions_binary_dirs.xml > new file mode 100644 > index 0000000..22e5a39 > --- /dev/null > +++ b/Fedora/input/checks/file_permissions_binary_dirs.xml 
> @@ -0,0 +1,40 @@ > +<def-group> > + <definition class="compliance" id="file_permissions_binary_dirs" > version="1"> > + <metadata> > + <title>Verify that System Executables Have Restrictive > Permissions</title> > + <affected family="unix"> > + <platform>Fedora 19</platform> > + </affected> > + <description> > + Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, > + /usr/local/bin, and /usr/local/sbin, are not group-writable or > world-writable. > + </description> > + </metadata> > + <criteria operator="AND"> > + <criterion test_ref="test_perms_binary_files" /> > + </criteria> > + </definition> > + > + <unix:file_test check="all" check_existence="none_exist" comment="binary > files go-w" id="test_perms_binary_files" version="1"> > + <unix:object object_ref="object_file_permissions_binary_files" /> > + </unix:file_test> > + > + <unix:file_object comment="binary files" > id="object_file_permissions_binary_files" version="1"> > + <!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, > /usr/local/bin, > + and /usr/local/sbin directories have safe permissions (go-w) --> > + <unix:path operation="pattern match">^\/( | s)bin | > ^\/usr\/(|local\/)(|s)bin</unix:path> > + <unix:filename operation="pattern match">^.*$</unix:filename> > + <filter > action="include">state_perms_binary_files_nogroupwrite_noworldwrite</filter> > + <filter action="exclude">state_perms_binary_files_symlink</filter> > + </unix:file_object> > + > + <unix:file_state id="state_perms_binary_files_nogroupwrite_noworldwrite" > version="1" operator="OR"> > + <unix:gwrite datatype="boolean">true</unix:gwrite> > + <unix:owrite datatype="boolean">true</unix:owrite> > + </unix:file_state> > + > + <unix:file_state id="state_perms_binary_files_symlink" version="1"> > + <unix:type operation="equals">symbolic link</unix:type> > + </unix:file_state> > + > +</def-group> 
> diff --git a/Fedora/input/system/permissions/files.xml > b/Fedora/input/system/permissions/files.xml > index a9bfd93..5d0e507 100644 > --- a/Fedora/input/system/permissions/files.xml > +++ b/Fedora/input/system/permissions/files.xml > @@ -55,7 +55,7 @@ space of processes (including privileged ones) or of the > kernel itself at > runtime. Proper ownership is necessary to protect the integrity of the > system. > </rationale> > <ref nist="AC-6" disa="1499"/> > -<!-- <oval id="file_ownership_library_dirs" /> --> > +<oval id="file_ownership_library_dirs" /> > </Rule> > > <Rule id="file_permissions_binary_dirs" severity="medium"> > @@ -78,7 +78,7 @@ services, and restrictive permissions are necessary to > ensure execution of > these programs cannot be co-opted. > </rationale> > <ref nist="AC-6" disa="1499"/> > -<!-- <oval id="file_permissions_binary_dirs" /> --> > +<oval id="file_permissions_binary_dirs" /> > </Rule> > > <Rule id="file_ownership_binary_dirs" severity="medium"> > @@ -100,7 +100,7 @@ than root, correct its ownership with the following > command: > services, and restrictive permissions are necessary to ensure that their > execution of these programs cannot be co-opted. > </rationale> > -<!-- <oval id="file_ownership_binary_dirs" /> --> > +<oval id="file_ownership_binary_dirs" /> > <ref nist="AC-6" disa="1499"/> > </Rule> > > diff --git a/Fedora/scap-security-guide.spec > b/Fedora/scap-security-guide.spec > index 63057ec..e27fc53 100644 > --- a/Fedora/scap-security-guide.spec > +++ b/Fedora/scap-security-guide.spec > @@ -5,7 +5,7 @@ > # file one level up - in the main scap-security-guide directory (instead of > # this one). > > -%global fedorassgversion 4.rc10 > +%global fedorassgversion 4.rc11 > > Name: scap-security-guide > Version: 0.1.%{fedorassgversion} 
> @@ -54,6 +54,11 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 > %{buildroot}%{_mandir}/en/man > %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html > > %changelog > +* Fri Dec 06 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc11-1 > +- OVAL check for Verify that Shared Library Files Have Root Ownership > +- OVAL check for Verify that System Executables Have Restrictive Permissions > +- OVAL check for Verify that System Executables Have Root Ownership > + > * Thu Dec 05 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc10-1 > - Shared OVAL check for Verify that Shared Library Files Have Restrictive > Permissions > -- > 1.8.3.1 > > > -- > Shawn Wells > Director, Innovation Programs [email protected] | 443.534.0130 > @shawndwells > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
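Review bot: in the file_ownership_binary_dirs.xml hunk, the comment inside object_file_ownership_binary_directories lists "/bin, /sbin, /usr/sbin, /usr/sbin", so /usr/bin is missing and /usr/sbin is doubled, while the <description> and the path pattern do cover /usr/bin. As the hunk appears here the pattern reads `^\/( | s)bin | ^\/usr\/(|local\/)(|s)bin`, with spaces inside the group and around the alternation, whereas the library check's pattern `^\/lib(|64)|^\/usr\/lib(|64)` has none. If those spaces are in the committed file rather than an artefact of mail wrapping, `( | s)bin` matches only "/ bin" or "/ sbin" and the second alternative, starting with a space before `^`, can never match; because both tests use check_existence="none_exist", an object that matches nothing makes the definition pass silently. Worth confirming the committed pattern is `^\/(|s)bin|^\/usr\/(|local\/)(|s)bin` and running the definition once against a deliberately non-root-owned file under /usr/local/bin so a regex typo cannot fail open. Minor: operator="OR" on state_owner_binaries_not_root is a no-op with a single entity and can be dropped, as the library state already does.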
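Review bot: in the file_ownership_library_dirs.xml hunk, the path pattern `^\/lib(|64)|^\/usr\/lib(|64)` has no trailing anchor, so it matches every directory whose path merely starts with those strings: /lib/modules and everything below it (which the <description> wants) but also /usr/libexec, which neither the description nor the two comments mention. If covering /usr/libexec is intended, say so in the description; if not, end each alternative with `(\/.*)?$` so that only the listed trees and their children match. Minor: both comments name only /lib, /lib64, /usr/lib and /usr/lib64, while the description also names /lib/modules.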
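Review bot: in the file_permissions_binary_dirs.xml hunk, the definition looks only at files (filename `^.*$`), while the two ownership definitions check the directories as well; a group- or world-writable /usr/local/bin lets any local user drop or replace a binary there even when every file inside is go-w, so consider a second object with `<unix:filename xsi:nil="true" />` against the same state, or state in the description that directory permissions are out of scope here. The exclude filter for symbolic links is the right call, since a symlink's own mode bits always read as 777. The path pattern is the same whitespace-containing one as in file_ownership_binary_dirs.xml, so whatever is decided there applies to this file too.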
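Review bot: in the third files.xml hunk (@@ -100,7 +100,7 @@), the uncommented `<oval id="file_ownership_binary_dirs" />` sits before `<ref nist="AC-6" disa="1499"/>`, whereas the other two Rule elements in this file keep the <oval> after the <ref>; it builds either way, but moving it after the <ref> keeps the three rules in the same shape. The surrounding rationale of that ownership rule also argues about "restrictive permissions", wording copied from the permissions rule, which predates this patch but could be corrected while the rule is being touched.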
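The three definitions the patch adds, restated as plain POSIX sh and find so a reviewer can cross-check an oscap result or exercise the logic on a scratch tree without root. This is an added example, not code from the patch, the thread or the scap-security-guide project; it assumes each check takes a path prefix as its first argument (`/` for the live system), that the owner is given by name, and that the directory lists are exactly the ones in each definition's <description>. `make_sample_tree` is a constructed fixture. Unlike an OVAL test with check_existence="none_exist", the functions return 2 when none of the listed directories exist, so "nothing scanned" is distinguishable from "nothing found".

```shell
#!/bin/sh
# Added example, not code from the patch or from scap-security-guide: plain
# sh/find equivalents of the three OVAL definitions. Every check takes a
# prefix as $1 (/ for the live system, a temp dir for testing); the directory
# lists are the ones named in each definition's <description>.

BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"
LIB_DIRS="lib lib64 usr/lib usr/lib64"

# Print the listed directories that exist under the prefix, one per line.
# Returns 1 when none exist so callers can tell "nothing scanned" apart from
# "nothing found"; an OVAL test with check_existence="none_exist" cannot,
# and passes when its object matches nothing at all.
_existing_dirs() {
  prefix=${1%/}; shift
  found=1
  for d in "$@"; do
    if [ -d "$prefix/$d" ]; then
      printf '%s\n' "$prefix/$d"
      found=0
    fi
  done
  return $found
}

# Run find with the given tests over each directory read from stdin.
_find_each() {
  while IFS= read -r dir; do
    find "$dir" "$@"
  done
}

# file_ownership_binary_dirs: binary directories and everything inside them
# that is not owned by the user named in $2 (root on a real system).
binaries_not_owned_by() {
  dirs=$(_existing_dirs "$1" $BIN_DIRS) || return 2
  printf '%s\n' "$dirs" | _find_each ! -user "$2"
}

# file_ownership_library_dirs: the same ownership test over the library dirs.
libraries_not_owned_by() {
  dirs=$(_existing_dirs "$1" $LIB_DIRS) || return 2
  printf '%s\n' "$dirs" | _find_each ! -user "$2"
}

# file_permissions_binary_dirs: non-directory objects under the binary
# directories that are group- or world-writable. Symlinks are skipped, as the
# patch's exclude filter does, because a symlink's own mode bits are 777.
binaries_group_or_world_writable() {
  dirs=$(_existing_dirs "$1" $BIN_DIRS) || return 2
  printf '%s\n' "$dirs" | _find_each ! -type d ! -type l \( -perm -020 -o -perm -002 \)
}

# Constructed fixture (not a real system): a small tree under $1 with one
# clean binary, one group-writable and one world-writable binary, a symlink
# that must be ignored, and a clean library.
make_sample_tree() {
  t=$1
  mkdir -p "$t/bin" "$t/usr/local/sbin" "$t/lib"
  : > "$t/bin/ok";                 chmod 0755 "$t/bin/ok"
  : > "$t/bin/group_w";            chmod 0775 "$t/bin/group_w"
  : > "$t/usr/local/sbin/world_w"; chmod 0777 "$t/usr/local/sbin/world_w"
  ln -s world_w "$t/usr/local/sbin/link_to_world_w"
  : > "$t/lib/libdemo.so";         chmod 0644 "$t/lib/libdemo.so"
}

# Usage on a live system (findings are printed; exit 2 means nothing was scanned):
#   binaries_not_owned_by / root; libraries_not_owned_by / root
#   binaries_group_or_world_writable /
```

Running the permission check on the fixture lists only group_w and world_w: the clean file and the symlink are not reported, and running any check against a prefix with none of the directories present exits 2 instead of passing silently, which is the fail-open case the none_exist tests in the patch cannot distinguish.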
