>From db4268b80b4c5a5b8fbd750a27c240e07ec49abc Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 02:50:50 -0500
Subject: [PATCH 27/31] shared/file_permissions_binary_dirs --> RHEL6 & RHEL7
- Linked shared/file_permissions_binary_dirs to rhel6 & rhel7 after testing
- Updated CPE info
- Created symlinks
---
.../input/checks/file_permissions_binary_dirs.xml | 116 +--------------------
.../input/checks/file_permissions_binary_dirs.xml | 1 +
shared/oval/file_permissions_binary_dirs.xml | 2 +
3 files changed, 4 insertions(+), 115 deletions(-)
mode change 100644 => 120000
RHEL/6/input/checks/file_permissions_binary_dirs.xml
create mode 120000 RHEL/7/input/checks/file_permissions_binary_dirs.xml
diff --git a/RHEL/6/input/checks/file_permissions_binary_dirs.xml
b/RHEL/6/input/checks/file_permissions_binary_dirs.xml
deleted file mode 100644
index 1b16414..0000000
--- a/RHEL/6/input/checks/file_permissions_binary_dirs.xml
+++ /dev/null
@@ -1,115 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_binary_dirs" version="1">
- <metadata>
- <title>Verify that System Executables Have Restrictive
Permissions</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Checks that /bin, /usr/bin, /usr/local/bin, /sbin,
/usr/sbin, /usr/local/sbin, and objects therein,
- are not group-writable or world-writable.</description>
- <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
- </metadata>
- <criteria operator="AND">
- <criterion test_ref="test_perms_bin_files" />
- <criterion test_ref="test_perms_usr_bin_files" />
- <criterion test_ref="test_perms_usr_local_bin_files" />
- <criterion test_ref="test_perms_sbin_files" />
- <criterion test_ref="test_perms_usr_sbin_files" />
- <criterion test_ref="test_perms_usr_local_sbin_files" />
- </criteria>
- </definition>
-
-<!-- /bin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist" comment="/bin files
go-w" id="test_perms_bin_files" version="1">
- <unix:object object_ref="object_file_permissions_bin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/bin files"
id="object_file_permissions_bin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /bin directory and file tests -->
-
-<!-- /usr/bin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin
files go-w" id="test_perms_usr_bin_files" version="1">
- <unix:object object_ref="object_file_permissions_usr_bin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/usr/bin files"
id="object_file_permissions_usr_bin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /usr/bin directory and file tests -->
-
-<!-- /usr/local/bin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist"
comment="/usr/local/bin files go-w" id="test_perms_usr_local_bin_files"
version="1">
- <unix:object object_ref="object_file_permissions_usr_local_bin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/usr/local/bin files"
id="object_file_permissions_usr_local_bin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /usr/local/bin directory and file tests -->
-
-<!-- /sbin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist" comment="/sbin
files go-w" id="test_perms_sbin_files" version="1">
- <unix:object object_ref="object_file_permissions_sbin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/sbin files"
id="object_file_permissions_sbin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /sbin directory and file tests -->
-
-<!-- /usr/sbin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin
files go-w" id="test_perms_usr_sbin_files" version="1">
- <unix:object object_ref="object_file_permissions_usr_sbin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/usr/sbin files"
id="object_file_permissions_usr_sbin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /usr/sbin directory and file tests -->
-
-<!-- /usr/local/sbin directory and file tests -->
- <unix:file_test check="all" check_existence="none_exist"
comment="/usr/local/sbin files go-w" id="test_perms_usr_local_sbin_files"
version="1">
- <unix:object object_ref="object_file_permissions_usr_local_sbin_files" />
- </unix:file_test>
-
- <unix:file_object comment="/usr/local/sbin files"
id="object_file_permissions_usr_local_sbin_files" version="1">
- <unix:behaviors recurse="symlinks and directories"
recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">state_symlink</filter>
- </unix:file_object>
-<!-- end /usr/local/sbin directory and file tests -->
-
- <unix:file_state id="state_symlink" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
- <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1"
operator="OR">
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:owrite datatype="boolean">true</unix:owrite>
- </unix:file_state>
-
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_binary_dirs.xml
b/RHEL/6/input/checks/file_permissions_binary_dirs.xml
new file mode 120000
index 0000000..981cebb
--- /dev/null
+++ b/RHEL/6/input/checks/file_permissions_binary_dirs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_binary_dirs.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/file_permissions_binary_dirs.xml
b/RHEL/7/input/checks/file_permissions_binary_dirs.xml
new file mode 120000
index 0000000..981cebb
--- /dev/null
+++ b/RHEL/7/input/checks/file_permissions_binary_dirs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_binary_dirs.xml
\ No newline at end of file
diff --git a/shared/oval/file_permissions_binary_dirs.xml
b/shared/oval/file_permissions_binary_dirs.xml
index 22e5a39..2bf6bdd 100644
--- a/shared/oval/file_permissions_binary_dirs.xml
+++ b/shared/oval/file_permissions_binary_dirs.xml
@@ -4,6 +4,8 @@
<title>Verify that System Executables Have Restrictive
Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
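Review bot: The shared definition's `<description>` is cut off at the end of this hunk, so it is not visible whether the shared check still covers /usr/local/bin and /usr/local/sbin, and objects beneath each directory, the way the RHEL6 definition deleted by this same patch did through `test_perms_usr_local_bin_files` and `test_perms_usr_local_sbin_files`; if the shared file enumerates only /bin, /sbin, /usr/bin and /usr/sbin, pointing RHEL6 at it silently narrows the set of group-/world-writable executables that get flagged. Before both platforms depend on it, the shared file's `<unix:file_object>` paths and `<unix:behaviors>` should be compared against the deleted RHEL6 set, and the scope stated explicitly in the description, e.g. `Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin and /usr/local/sbin, and objects therein, are not group-writable or world-writable.` The deleted RHEL6 version also excluded objects of type `symbolic link` via a `state_symlink` filter so that link permissions do not produce false findings; whether the shared file has an equivalent filter lies outside this hunk. It may also be worth confirming on a RHEL 7 host that enumerating /bin and /sbin alongside /usr/bin and /usr/sbin does not double-report the same files, since those directories are commonly merged there. The enclosing `<definition>` and `<metadata>` elements start and end outside this hunk.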
--
1.8.3.1