>From 3fc59f1d94a1fbcae730d6f83f52a1fec0647c51 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 27 Dec 2013 02:18:15 -0500 Subject: [PATCH 21/31] Moved file_permissions_etc_passwd to shared/
- Tested on RHEL7, updated CPE
- Moved check to shared/
---
 .../6/input/checks/file_permissions_etc_passwd.xml | 48 +---------------------
 .../7/input/checks/file_permissions_etc_passwd.xml | 1 +
 shared/oval/file_permissions_etc_passwd.xml | 47 +++++++++++++++++++++
 3 files changed, 49 insertions(+), 47 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/file_permissions_etc_passwd.xml
 create mode 120000 RHEL/7/input/checks/file_permissions_etc_passwd.xml
 create mode 100644 shared/oval/file_permissions_etc_passwd.xml
diff --git a/RHEL/6/input/checks/file_permissions_etc_passwd.xml b/RHEL/6/input/checks/file_permissions_etc_passwd.xml
deleted file mode 100644
index 624baa9..0000000
--- a/RHEL/6/input/checks/file_permissions_etc_passwd.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->
- <definition class="compliance" id="file_permissions_etc_passwd" version="1">
- <metadata>
- <title>Verify /etc/passwd Permissions</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644. If
- the target file or directory has an extended ACL then it will fail the mode check.</description>
- <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
- </metadata>
- <criteria>
- <criterion test_ref="test_etc_passwd" />
- </criteria>
- </definition>
- <unix:file_test check="all" check_existence="all_exist" comment="/etc/passwd mode and ownership" id="test_etc_passwd" version="1">
- <unix:object object_ref="object_etc_passwd" />
- <unix:state state_ref="_etc_passwd_state_uid_0" />
- <unix:state state_ref="_etc_passwd_state_gid_0" />
- <unix:state state_ref="_etc_passwd_state_mode_0644" />
- </unix:file_test>
- <unix:file_object comment="/etc/passwd" id="object_etc_passwd" version="1">
- <unix:path>/etc</unix:path>
- <unix:filename>passwd</unix:filename>
- </unix:file_object>
- <unix:file_state id="_etc_passwd_state_uid_0" version="1">
- <unix:user_id datatype="int" operation="equals">0</unix:user_id>
- </unix:file_state>
- <unix:file_state id="_etc_passwd_state_gid_0" version="1">
- <unix:group_id datatype="int" operation="equals">0</unix:group_id>
- </unix:file_state>
- <unix:file_state id="_etc_passwd_state_mode_0644" version="1">
- <unix:suid datatype="boolean">false</unix:suid>
- <unix:sgid datatype="boolean">false</unix:sgid>
- <unix:sticky datatype="boolean">false</unix:sticky>
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uwrite datatype="boolean">true</unix:uwrite>
- <unix:uexec datatype="boolean">false</unix:uexec>
- <unix:gread datatype="boolean">true</unix:gread>
- <unix:gwrite datatype="boolean">false</unix:gwrite>
- <unix:gexec datatype="boolean">false</unix:gexec>
- <unix:oread datatype="boolean">true</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- <unix:oexec datatype="boolean">false</unix:oexec>
- </unix:file_state>
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_etc_passwd.xml b/RHEL/6/input/checks/file_permissions_etc_passwd.xml
new file mode 120000
index 0000000..e96d76c
--- /dev/null
+++ b/RHEL/6/input/checks/file_permissions_etc_passwd.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_passwd.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/file_permissions_etc_passwd.xml b/RHEL/7/input/checks/file_permissions_etc_passwd.xml
new file mode 120000
index 0000000..e96d76c
--- /dev/null
+++ b/RHEL/7/input/checks/file_permissions_etc_passwd.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_passwd.xml
\ No newline at end of file
diff --git a/shared/oval/file_permissions_etc_passwd.xml b/shared/oval/file_permissions_etc_passwd.xml
new file mode 100644
index 0000000..7bddac9
--- /dev/null
+++ b/shared/oval/file_permissions_etc_passwd.xml
@@ -0,0 +1,47 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->
+ <definition class="compliance" id="file_permissions_etc_passwd" version="1">
+ <metadata>
+ <title>Verify /etc/passwd Permissions</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644. If
+ the target file or directory has an extended ACL then it will fail the mode check.</description>
+ <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_etc_passwd" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/passwd mode and ownership" id="test_etc_passwd" version="1">
+ <unix:object object_ref="object_etc_passwd" />
+ <unix:state state_ref="_etc_passwd_state_uid_0" />
+ <unix:state state_ref="_etc_passwd_state_gid_0" />
+ <unix:state state_ref="_etc_passwd_state_mode_0644" />
+ </unix:file_test>
+ <unix:file_object comment="/etc/passwd" id="object_etc_passwd" version="1">
+ <unix:filepath>/etc/passwd</unix:filepath>
+ </unix:file_object>
+ <unix:file_state id="_etc_passwd_state_uid_0" version="1">
+ <unix:user_id datatype="int" operation="equals">0</unix:user_id>
+ </unix:file_state>
+ <unix:file_state id="_etc_passwd_state_gid_0" version="1">
+ <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+ </unix:file_state>
+ <unix:file_state id="_etc_passwd_state_mode_0644" version="1">
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:uread datatype="boolean">true</unix:uread>
+ <unix:uwrite datatype="boolean">true</unix:uwrite>
+ <unix:uexec datatype="boolean">false</unix:uexec>
+ <unix:gread datatype="boolean">true</unix:gread>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:gexec datatype="boolean">false</unix:gexec>
+ <unix:oread datatype="boolean">true</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+</def-group>
-- 
1.8.3.1
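Review bot: The header comment `<!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->` is carried over unchanged into the new shared/oval copy even though this hunk hand-edits the content (a second `<platform>` entry, `<unix:path>`/`<unix:filename>` replaced by `<unix:filepath>`), so the marker is now misleading. If the generator still writes into the per-product checks directories, a rerun would presumably recreate the old file on top of the new symlink while the shared copy silently diverges; either point the generator at shared/oval or replace the comment with one that names the generator as the origin and states that this copy is maintained by hand. The `<reference source="swells" ref_id="20130831" ref_url="test_attestation"/>` still carries the August attestation while the commit message reports RHEL7 testing in December; a fresh ref_id for the newly listed platform would keep that claim checkable. The `<description>` asserts that an extended ACL fails the mode check, but `_etc_passwd_state_mode_0644` only lists the classic mode bits; if that guarantee is meant to be enforced by this definition rather than assumed from the collector, the state should also assert `<unix:has_extended_acl datatype="boolean">false</unix:has_extended_acl>`, otherwise the sentence should be softened.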
