On 3/3/14, 9:52 AM, Jan Lieskovsky wrote:
Another change pointed out by Tomas Heinrich, originally intended against USGCB content, but it's applicable against SSG content too, thus this post.

When checking /etc/passwd it's still possible (though hopefully not so likely these days) that administrators would keep the hashed password versions in the /etc/passwd file directly (probably as a temporary output / result of a pwunconv utility run?) instead of storing them in the /etc/shadow file (as recommended by another rule). The current / existing OVAL check implementation expects (allows) only one character ('x') to be present in the second column of /etc/passwd (where password entries are intended to be stored). But in case /etc/passwd contains direct hashed password entries, the current implementation succeeds for non-root users having UID 0 (IOW succeeds for cases when there are more users with UID 0), even when it should fail.

The proposed change modifies the particular regular expression to allow / accept also cases where the password is longer than just one character, thus changing the original (regex) form from:

^(?!root:)[^:]*:[^:]:0

to:

^(?!root:)[^:]*:[^:]*:0

Besides this change it modifies the reading of the related comments (so they are more appropriate). It also uses this opportunity to use the shared/ OVAL check version for this rule also for Fedora content (tested on Fedora).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-shared-When-checking-etc-passwd-file-for-presence-of.patch

From e61d055801e14865e4565ac64f68ac849b9f2c70 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Mon, 3 Mar 2014 15:26:17 +0100
Subject: [PATCH] [shared] When checking /etc/passwd file for presence of non-root usernames having UID 0 consider also case where hashed passwords can be stored directly in /etc/passwd file. [Fedora] Use shared version of the 'UID 0 Belongs Only To Root' check.
Signed-off-by: Jan Lieskovsky<[email protected]> --- .../input/checks/accounts_no_uid_except_zero.xml | 23 +--------------------- shared/oval/accounts_no_uid_except_zero.xml | 8 +++++--- 2 files changed, 6 insertions(+), 25 deletions(-) mode change 100644 => 120000 Fedora/input/checks/accounts_no_uid_except_zero.xml diff --git a/Fedora/input/checks/accounts_no_uid_except_zero.xml b/Fedora/input/checks/accounts_no_uid_except_zero.xml deleted file mode 100644 index 731ffee..0000000 --- a/Fedora/input/checks/accounts_no_uid_except_zero.xml +++ /dev/null @@ -1,22 +0,0 @@ -<def-group> - <definition class="compliance" id="accounts_no_uid_except_zero" version="1"> - <metadata> - <title>UID 0 Belongs Only To Root</title> - <affected family="unix"> - <platform>Fedora 19</platform> - </affected> - <description>Only the root account should be assigned a user id of 0.</description> - </metadata> - <criteria> - <criterion comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" test_ref="test_accounts_no_uid_except_root" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" id="test_accounts_no_uid_except_root" version="1"> - <ind:object object_ref="object_accounts_no_uid_except_root" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_accounts_no_uid_except_root" version="1"> - <ind:filepath>/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]:0</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/Fedora/input/checks/accounts_no_uid_except_zero.xml b/Fedora/input/checks/accounts_no_uid_except_zero.xml new file mode 120000 index 0000000..0cb08ba --- /dev/null +++ b/Fedora/input/checks/accounts_no_uid_except_zero.xml @@ -0,0 +1 @@ +../../../shared/oval/accounts_no_uid_except_zero.xml \ No newline at end of file 
diff --git a/shared/oval/accounts_no_uid_except_zero.xml b/shared/oval/accounts_no_uid_except_zero.xml index 024f052..6e06ab9 100644 --- a/shared/oval/accounts_no_uid_except_zero.xml +++ b/shared/oval/accounts_no_uid_except_zero.xml @@ -5,20 +5,22 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> <platform>Red Hat Enterprise Linux 7</platform> + <platform>Fedora 20</platform> </affected> <description>Only the root account should be assigned a user id of 0.</description> <reference source="MED" ref_id="20130807" ref_url="test_attestation" /> + <!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> --> </metadata> <criteria> - <criterion comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" test_ref="test_accounts_no_uid_except_root" /> + <criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="test_accounts_no_uid_except_root" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for reg exp ^[^r][^o][^o][^t].*:0 in /etc/passwd file" id="test_accounts_no_uid_except_root" version="1"> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="test_accounts_no_uid_except_root" version="1"> <ind:object object_ref="object_accounts_no_uid_except_root" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_accounts_no_uid_except_root" version="1"> <ind:filepath>/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]:0</ind:pattern> + <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.8.3.1
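Review bot: the deleted Fedora/input/checks/accounts_no_uid_except_zero.xml declared <platform>Fedora 19</platform>, but the shared definition the new symlink points to only gains <platform>Fedora 20</platform>, so Fedora 19 is no longer listed as an affected platform for this check. If Fedora 19 content is still built from this tree, add it to the shared <affected> block next to Fedora 20; otherwise say in the commit message that Fedora 19 coverage is dropped on purpose.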
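Review bot: in the shared hunk the new pattern ^(?!root:)[^:]*:[^:]*:0 still does not terminate the UID field, so it matches any third field that merely starts with 0 rather than a UID of exactly 0; the old pattern had the same gap, and since the line is being touched anyway it is worth tightening it to ^(?!root:)[^:]*:[^:]*:0: so the colon after the UID is required. Separately, the added <!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> --> is an XML comment, so it carries no machine-readable attestation; either make it a real <reference> element beside the existing MED one or drop it.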
ack
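As an added example (not code from the patch, the thread, or the SSG project), the following Python script runs the pre-patch and post-patch OVAL patterns from the message above over a constructed /etc/passwd sample and contrasts them with a field-based check that parses each record and compares the UID numerically. The sample lines, the fake SHA-512 hash string, and the function names are assumptions made for this illustration; the "oddity" line with a leading-zero UID goes beyond the message to show that neither pattern terminates the UID field. Python's re module handles the (?!root:) negative lookahead the same way the PCRE-style engine behind OVAL pattern match does for this pattern.

```python
"""Added example, not SSG project code: compare the old and new OVAL regexes
for 'UID 0 Belongs Only To Root' against constructed /etc/passwd records, and
show a field-based check that does not depend on the width of the password
column."""
import re

# Constructed sample /etc/passwd content (assumption; not from any real system).
# The hash on the 'backdoor' line is a fake string shaped like a crypt(3) value.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
backdoor:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:0:0:hash kept in passwd:/root:/bin/bash
nopass::0:0:empty password field:/root:/bin/bash
oddity:x:012:12:leading zero in UID:/home/oddity:/bin/bash
user01:x:1001:1001:normal user:/home/user01:/bin/bash
"""

# Pre-patch pattern: exactly one character allowed in the password field.
OLD_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]:0")
# Post-patch pattern: any width (including empty) in the password field.
NEW_PATTERN = re.compile(r"^(?!root:)[^:]*:[^:]*:0")


def regex_hits(pattern, passwd_text):
    """Return the usernames of records an OVAL-style pattern match would flag.
    OVAL evaluates the pattern per line, so search() is applied line by line."""
    return [line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line and pattern.search(line)]


def uid0_accounts_except_root(passwd_text):
    """Field-based check: split each record on ':' and compare the UID field
    numerically, so the password column's contents and a leading zero in the
    UID cannot change the verdict. Returns (name, uid_field) tuples."""
    offenders = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A record without the seven passwd(5) fields is reported rather
            # than silently skipped; a scanner should not guess its meaning.
            offenders.append(("<malformed line %d>" % lineno, None))
            continue
        name, uid_field = fields[0], fields[2]
        try:
            uid = int(uid_field)
        except ValueError:
            # Non-numeric UID: flag it, since its interpretation is undefined.
            offenders.append((name, uid_field))
            continue
        if uid == 0 and name != "root":
            offenders.append((name, uid_field))
    return offenders


if __name__ == "__main__":
    print("old regex flags:  ", regex_hits(OLD_PATTERN, SAMPLE_PASSWD))
    print("new regex flags:  ", regex_hits(NEW_PATTERN, SAMPLE_PASSWD))
    print("field check flags:", uid0_accounts_except_root(SAMPLE_PASSWD))
```

Running it shows the point of the patch: the old pattern misses both the hashed-password 'backdoor' record and the empty-password 'nopass' record, the new pattern catches them, and both patterns also flag 'oddity' because ':0' is not followed by a required colon, while the field-based check flags only the three real UID 0 accounts.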
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
