>From 5fbabba380e4fe733cd02dd587b26970bbd4db6c Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Mon, 23 Dec 2013 02:23:39 -0500 Subject: [PATCH 07/25] Added selinux_policytype to shared/ && RHEL7 - Moved RHEL6 selinux_policytype to shared/ - Tested on RHEL7, updated CPE
RHEL7 TESTING: [root@localhost checks]# var_selinux_policy_name=targeted; export var_selinux_policy_name [root@localhost checks]# grep SELINUXTYPE /etc/selinux/config SELINUXTYPE=targeted [root@localhost checks]# ./testcheck.py selinux_policytype.xml external_variable with id : var_selinux_policy_name Evaluating with OVAL tempfile : /tmp/selinux_policytype4eSntq.xml Writing results to : /tmp/selinux_policytype4eSntq.xml-results Definition oval:scap-security-guide.testing:def:108: true Evaluation done. [root@localhost checks]# sed -i 's/SELINUXTYPE=targeted/SELINUXTYPE=broke/g' /etc/selinux/config [root@localhost checks]# ./testcheck.py selinux_policytype.xml external_variable with id : var_selinux_policy_name Evaluating with OVAL tempfile : /tmp/selinux_policytypeJEpli8.xml Writing results to : /tmp/selinux_policytypeJEpli8.xml-results Definition oval:scap-security-guide.testing:def:108: false Evaluation done. [root@localhost checks]# sed -i 's/SELINUXTYPE=broke/SELINUXTYPE=targeted/g' /etc/selinux/config [root@localhost checks]# ./testcheck.py selinux_policytype.xml external_variable with id : var_selinux_policy_name Evaluating with OVAL tempfile : /tmp/selinux_policytypeJ_opH3.xml Writing results to : /tmp/selinux_policytypeJ_opH3.xml-results Definition oval:scap-security-guide.testing:def:108: true Evaluation done. Signed-off-by: Shawn Wells <[email protected]> --- :100644 120000 9880ad3... 76cce8a... T RHEL/6/input/checks/selinux_policytype.xml :000000 120000 0000000... 76cce8a... A RHEL/7/input/checks/selinux_policytype.xml :000000 100644 0000000... 47ee99c... A shared/oval/selinux_policytype.xml RHEL/6/input/checks/selinux_policytype.xml | 37 +---------------------------- RHEL/7/input/checks/selinux_policytype.xml | 1 + shared/oval/selinux_policytype.xml | 38 ++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 36 deletions(-) 
diff --git a/RHEL/6/input/checks/selinux_policytype.xml b/RHEL/6/input/checks/selinux_policytype.xml
deleted file mode 100644
index 9880ad3..0000000
--- a/RHEL/6/input/checks/selinux_policytype.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition class="compliance" id="selinux_policytype" version="1">
- <metadata>
- <title>Enable SELinux</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The SELinux policy should be set appropriately.</description>
- <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion test_ref="test_selinux_policy" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file"
- id="test_selinux_policy" version="1">
- <ind:object object_ref="obj_selinux_policy" />
- <ind:state state_ref="state_selinux_policy" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_state id="state_selinux_policy" version="1">
- <ind:subexpression operation="equals" var_check="all"
- var_ref="var_selinux_policy_name" />
- </ind:textfilecontent54_state>
-
- <external_variable comment="External variable: name of selinux policy in /etc/selinux/config"
- datatype="string" id="var_selinux_policy_name" version="1" />
-
- <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
- <ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/selinux_policytype.xml b/RHEL/6/input/checks/selinux_policytype.xml
new file mode 120000
index 0000000..76cce8a
--- /dev/null
+++ b/RHEL/6/input/checks/selinux_policytype.xml
@@ -0,0 +1 @@
+../../../../shared/oval/selinux_policytype.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/selinux_policytype.xml b/RHEL/7/input/checks/selinux_policytype.xml
new file mode 120000
index 0000000..76cce8a
--- /dev/null
+++ b/RHEL/7/input/checks/selinux_policytype.xml
@@ -0,0 +1 @@
+../../../../shared/oval/selinux_policytype.xml
\ No newline at end of file
diff --git a/shared/oval/selinux_policytype.xml b/shared/oval/selinux_policytype.xml
new file mode 100644
index 0000000..47ee99c
--- /dev/null
+++ b/shared/oval/selinux_policytype.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="selinux_policytype" version="1">
+ <metadata>
+ <title>Enable SELinux</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The SELinux policy should be set appropriately.</description>
+ <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
+ <!-- RHEL7 <reference source="SDW" ref_id="20131222" ref_url="test_attestation" /> -->
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_selinux_policy" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file"
+ id="test_selinux_policy" version="1">
+ <ind:object object_ref="obj_selinux_policy" />
+ <ind:state state_ref="state_selinux_policy" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_selinux_policy" version="1">
+ <ind:subexpression operation="equals" var_check="all"
+ var_ref="var_selinux_policy_name" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="External variable: name of selinux policy in /etc/selinux/config"
+ datatype="string" id="var_selinux_policy_name" version="1" />
+
+ <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
+ <ind:filepath>/etc/selinux/config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
-- 1.8.3.1
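Review bot: The `comment` attribute on the `ind:textfilecontent54_test` element in shared/oval/selinux_policytype.xml describes a `([^#]*)` capture group, but the `ind:pattern` line of the object it references actually captures `([^\s]*)`, so the comment documents a regex the check does not use; change it to `comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*) expression in the /etc/selinux/config file"`. The definition's `<title>Enable SELinux</title>` likewise names the enforcing-mode check rather than the policy-type comparison this definition performs against `var_selinux_policy_name`; a title such as `<title>Configure SELinux Policy Type</title>` would agree with the description and the definition id. The RHEL7 attestation reference is carried only inside an XML comment, which validators and report tooling discard; given the commit message records RHEL7 testing, it looks like the `<reference source="SDW" ...>` element was meant to be live rather than commented out. This same comment/pattern mismatch was already present in the deleted RHEL/6 copy, so it is carried over rather than introduced here.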
