Another change, originally pointed out by Tomas Heinrich as intended for
USGCB content, but it's applicable to SSG content too, hence this post.

When checking /etc/passwd, it's still possible (though hopefully
not so likely these days) that administrators would keep the hashed password
versions directly in the /etc/passwd file (probably as a temporary
output / result of a pwunconv utility run?) instead of storing them
in the /etc/shadow file (as recommended by another rule).

The current / existing OVAL check implementation expects (allows) only one character
('x') to be present in the second column of /etc/passwd (where password
entries are intended to be stored).

But in case /etc/passwd contains direct hashed password entries, the
current implementation succeeds for non-root users having UID 0 (IOW
succeeds for cases where there are more users with UID 0), even when
it should fail.

The proposed change modifies the particular regular expression to allow /
accept also cases where the password is longer than just one character, thus
changing the original (regex) form from:

  ^(?!root:)[^:]*:[^:]:0

to:

  ^(?!root:)[^:]*:[^:]*:0

Besides this change, it modifies the wording of the related comments (to
be more appropriate).

It also uses this opportunity to use the shared/ OVAL check version for
this rule for Fedora content too (tested on Fedora).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
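The effect of the regex change described in the post, as an added example that is not part of the original message or of the SSG project: both patterns are run over a constructed /etc/passwd sample (the hash is a placeholder, not a real credential) to show which lines each one flags, and the check result is modelled the way the OVAL test's check_existence="none_exist" treats it (the rule passes only when no line matches). The stricter STRICT_PATTERN with a closing ':' after the UID field is my own assumption and is not in the patch; it shows why a terminator after ':0' matters.

```python
import re

# Regex forms quoted in the post: the existing check and the proposed change.
OLD_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]:0")
NEW_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]*:0")
# Assumption (not in the patch): close the UID field with ':' so that only a
# UID of exactly 0 matches, not any UID field that merely begins with '0'.
STRICT_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]*:0:")

# Constructed /etc/passwd sample. The hashed entry imitates a pwunconv leftover;
# the salt and hash are placeholders. The 'audit' line is a deliberately
# malformed UID field used to exercise the missing terminator.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
backup:$6$constructedsalt$constructedhash:0:0:pwunconv leftover:/root:/bin/bash
audit:x:0123:0123:leading-zero uid:/home/audit:/bin/sh
"""


def offending_users(passwd_text, pattern):
    """Usernames of the lines that the given pattern flags as non-root UID 0."""
    hits = []
    for line in passwd_text.splitlines():
        # Each line is matched on its own, so '^' anchors at the line start
        # just as the OVAL textfilecontent54 pattern does.
        if pattern.search(line):
            hits.append(line.split(":", 1)[0])
    return hits


def check_passes(passwd_text, pattern):
    """Model of check_existence="none_exist": the rule passes only when
    no line matches the pattern."""
    return not offending_users(passwd_text, pattern)


if __name__ == "__main__":
    for name, pat in (("old", OLD_PATTERN), ("new", NEW_PATTERN),
                      ("strict", STRICT_PATTERN)):
        print(name, offending_users(SAMPLE_PASSWD, pat),
              "passes" if check_passes(SAMPLE_PASSWD, pat) else "fails")
```

Running it shows the old pattern missing the hashed-password 'backup' entry (so a file with two UID 0 accounts would still fail the rule only because of 'toor'), the new pattern catching it, and both of them also flagging the malformed 'audit' line because nothing terminates the UID field after ':0'.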
From e61d055801e14865e4565ac64f68ac849b9f2c70 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 3 Mar 2014 15:26:17 +0100
Subject: [PATCH] [shared] When checking /etc/passwd file for presence of
 non-root usernames having UID 0 consider also case where hashed passwords can
 be stored directly in /etc/passwd file.

[Fedora] Use shared version of the 'UID 0 Belongs Only To Root' check.

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 .../input/checks/accounts_no_uid_except_zero.xml   | 23 +---------------------
 shared/oval/accounts_no_uid_except_zero.xml        |  8 +++++---
 2 files changed, 6 insertions(+), 25 deletions(-)
 mode change 100644 => 120000 Fedora/input/checks/accounts_no_uid_except_zero.xml

diff --git a/Fedora/input/checks/accounts_no_uid_except_zero.xml b/Fedora/input/checks/accounts_no_uid_except_zero.xml
deleted file mode 100644
index 731ffee..0000000
--- a/Fedora/input/checks/accounts_no_uid_except_zero.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_no_uid_except_zero" version="1">
-    <metadata>
-      <title>UID 0 Belongs Only To Root</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>Only the root account should be assigned a user id of 0.</description>
-    </metadata>
-    <criteria>
-      <criterion comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" test_ref="test_accounts_no_uid_except_root" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" id="test_accounts_no_uid_except_root" version="1">
-    <ind:object object_ref="object_accounts_no_uid_except_root" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_accounts_no_uid_except_root" version="1">
-    <ind:filepath>/etc/passwd</ind:filepath>
-    <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]:0</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
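Review bot: the deleted Fedora-only copy declared `<platform>Fedora 19</platform>`, while the shared definition that the new symlink points at only gains `<platform>Fedora 20</platform>`; if Fedora 19 content is still built from this tree, the affected-platform list silently loses it, so either add Fedora 19 to the shared metadata as well or say in the commit message that Fedora 19 is intentionally dropped.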
diff --git a/Fedora/input/checks/accounts_no_uid_except_zero.xml b/Fedora/input/checks/accounts_no_uid_except_zero.xml
new file mode 120000
index 0000000..0cb08ba
--- /dev/null
+++ b/Fedora/input/checks/accounts_no_uid_except_zero.xml
@@ -0,0 +1 @@
+../../../shared/oval/accounts_no_uid_except_zero.xml
\ No newline at end of file
diff --git a/shared/oval/accounts_no_uid_except_zero.xml b/shared/oval/accounts_no_uid_except_zero.xml
index 024f052..6e06ab9 100644
--- a/shared/oval/accounts_no_uid_except_zero.xml
+++ b/shared/oval/accounts_no_uid_except_zero.xml
@@ -5,20 +5,22 @@
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
         <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
       </affected>
       <description>Only the root account should be assigned a user id of 0.</description>
       <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> -->
     </metadata>
     <criteria>
-      <criterion comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" test_ref="test_accounts_no_uid_except_root" />
+      <criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="test_accounts_no_uid_except_root" />
     </criteria>
   </definition>
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" id="test_accounts_no_uid_except_root" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="test_accounts_no_uid_except_root" version="1">
     <ind:object object_ref="object_accounts_no_uid_except_root" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_accounts_no_uid_except_root" version="1">
     <ind:filepath>/etc/passwd</ind:filepath>
-    <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]:0</ind:pattern>
+    <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
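Review bot: the new pattern `^(?!root:)[^:]*:[^:]*:0` fixes the hashed-password case but still has no terminator after the UID field, so any non-root entry whose UID field merely begins with `0` (a malformed `0123`, say) is also reported as UID 0; consider `^(?!root:)[^:]*:[^:]*:0:` to pin the match to a UID of exactly 0. Two smaller points: the criterion comment reads `tests that there are no accounts` while the test comment reads `test that there are no accounts`, so the two should use the same wording, and the commented-out Fedora 20 `<reference>` line should either become a real reference once the attestation is recorded or be dropped rather than shipped as a comment.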
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
