Ack (thanks Rodney!) -- Shawn Wells Director, Innovation Programs [email protected] | 443.534.0130 @shawndwells
> On Jan 28, 2014, at 10:34 AM, "Rodney L. Mercer" <[email protected]> wrote: > > Shawn, > > Due to the change in directory structure, RHEL6 vs. RHEL/{6,7}, I was > not able to “git push” this modification into the project, so I > performed another "git commit" after a fresh "git clone" > > I need a "re-ack" please and I will promptly "git push" > See > https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-January/004879.html > for the original ack. > Rodney. > ------- > > Based on comments and recommendations from the following thread, I've > submitted a patch to fix CCE-27032-2 no_files_unowned_by_user.xml > https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-July/003627.html > > This only checks /etc/passwd and not any other authorization databases. > > > 8<==================== > > > From a03058b43bd3aec3c8c02c34911f7d5751b7b796 Mon Sep 17 00:00:00 2001 > From: Rodney Mercer <[email protected]> > Date: Tue, 28 Jan 2014 15:01:58 +0000 > Subject: [PATCH] modified completely broken no_files_unowned_by_user.xml > to properly check all files on the system to make sure that they are > owned by a user that resides in /etc/passwd. > > --- > RHEL/6/input/checks/no_files_unowned_by_user.xml | 51 > ++++++++++++---------- > 1 files changed, 28 insertions(+), 23 deletions(-) > > diff --git a/RHEL/6/input/checks/no_files_unowned_by_user.xml > b/RHEL/6/input/checks/no_files_unowned_by_user.xml > index a73183a..f3f1276 100644 > --- a/RHEL/6/input/checks/no_files_unowned_by_user.xml > +++ b/RHEL/6/input/checks/no_files_unowned_by_user.xml 
> @@ -1,38 +1,43 @@ > <def-group> > - <definition class="compliance" > - id="no_files_unowned_by_user" version="1"> > + <definition class="compliance" id="no_files_unowned_by_user" > version="1"> > <metadata> > <title>Find files unowned by a user</title> > <affected family="unix"> > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > - <description>All files should be owned by a > - user</description> > + <description>All files should be owned by a user</description> > + <reference source="rmercer" ref_id="20131218" > ref_url="test_attestation" /> > </metadata> > <criteria> > - <criterion comment="Check all files and make sure they are owned > by a user" > - negate="true" > - test_ref="test_20050" /> > + <criterion comment="Check all files and make sure they are owned > by a user" test_ref="no_files_unowned_by_user_test" /> > </criteria> > </definition> > - <unix:file_test > xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" > - check="all" comment="files with no user owner" > - id="test_20050" version="1"> > - <notes> > - <note>This will enumerate all files on local > - partitions</note> > - </notes> > - <unix:object object_ref="obj_20022" /> > - <unix:state state_ref="state_20050" /> > - </unix:file_test> > - <unix:file_state comment="Executables with suid set" > - id="state_20050" version="1"> > - <unix:user_id datatype="int">0</unix:user_id> > + > + <unix:file_state id="file_permissions_unowned_userid_list_match" > version="1"> > + <unix:user_id var_check="at least one" > var_ref="file_permissions_unowned_userid_list" datatype="int" /> > </unix:file_state> > - <unix:file_object comment="all local files" > - id="obj_20022" version="1"> > - <unix:behaviors recurse="symlinks and directories" > recurse_file_system="local" /> > + > + <local_variable id="file_permissions_unowned_userid_list" > comment="List of valid user ids" datatype="int" version="1"> > + <object_component item_field="subexpression" > 
object_ref="file_permissions_unowned_userid_list_object" /> > + </local_variable> > + > + <ind:textfilecontent54_object > id="file_permissions_unowned_userid_list_object" version="1"> > + <ind:filepath>/etc/passwd</ind:filepath> > + <ind:pattern operation="pattern > match">^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern> > + <ind:instance operation="greater than or equal" > datatype="int">1</ind:instance> > + </ind:textfilecontent54_object> > + > + <unix:file_object comment="all local files" > id="file_permissions_unowned_object" version="1"> > + <unix:behaviors recurse="symlinks and directories" > recurse_direction="down" recurse_file_system="local" /> > <unix:path>/</unix:path> > <unix:filename operation="pattern match">.*</unix:filename> > + <filter > action="exclude">file_permissions_unowned_userid_list_match</filter> > </unix:file_object> > + > + <unix:file_test > xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" > + check="all" check_existence="none_exist" comment="Check user ids on > all files on the system" > + id="no_files_unowned_by_user_test" version="1"> > + <unix:object object_ref="file_permissions_unowned_object" /> > + </unix:file_test> > </def-group> > + > -- > 1.7.1 > > > > > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
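Review bot: The rewritten check treats only UIDs parsed from the local `/etc/passwd` as valid owners (the `file_permissions_unowned_userid_list` variable feeding the `exclude` filter), so on a host that resolves accounts through another NSS source (LDAP, NIS, sssd) every file owned by such an account will be reported as unowned, and nothing in the new `<description>` or the definition says so; the cover mail acknowledges the limitation but the XML does not. The patch also drops the old `<notes>` element, so the fact that the object walks the entire local filesystem from `/` following symlinks (`recurse="symlinks and directories"`) is no longer documented either. I would restore the notes on the test, for example `<notes><note>Walks all local filesystems from / following symlinks; only UIDs present in /etc/passwd are treated as valid owners, so files owned by accounts from other NSS sources (LDAP, NIS, sssd) are reported as unowned.</note></notes>`. A smaller point: the passwd regex requires a non-empty home directory field (`[^:]+`), so an entry with an empty home field would be silently dropped from the valid-UID list and its files flagged; `[^:]*` there would match the `gecos` and `shell` fields' handling, assuming that is the intent.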
