Hello folks,

based on https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-March/005065.html this patch adds heading regex anchor support for the cups_disable_browsing OVAL check (dedicated separate post to this patch, because just adding ^[\s]* to the two config file directives isn't sufficient. See below for further explanation).

Besides adding the ^[\s]* prefix to the Browsing and BrowseAllow directives, it was also necessary not to negate the meaning of the second test, because in the new / modified scenario only cups config rows starting with Browsing / BrowseAllow (not prefixed with a comment) are returned as success. What could happen with unmodified criteria evaluation is the following:

Suppose the case where Browsing is turned off:

  Browsing Off

and BrowseAllow contains 'none', but it is commented out (possibly with another comment behind none), e.g.

  # BrowseAllow none # Some another comment here

The check for 'BrowseAllow[\s]+(?!none)' would return false, its negation true. AND-ing both results (true for Browsing Off and true for the negation) would return true / pass as a result. => This patch removes the negation, and returns true only for the case that both of:

  Browsing Off
  BrowseAllow none

are present in the configuration file (possibly suffixed with some comments). For the remaining alternatives it returns a false / fail OVAL result.

Has been tested on RHEL-6 and seems to be working properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

P.S.: The patch also renews test_attestation on RHEL-6 and updates the OVAL test / object versions to indicate the second version.
From daf5294fc7023b7d89e43ddb9ec8db8d6452f38f Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 6 Mar 2014 15:12:21 +0100
Subject: [PATCH] [RHEL/6] Add heading regex anchor to cups_disable_browsing
 OVAL check (also renew test_attestation, test / object version numbers and
 don't negate the second test -- see explanation on mailing list for further
 details)

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL/6/input/checks/cups_disable_browsing.xml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/RHEL/6/input/checks/cups_disable_browsing.xml b/RHEL/6/input/checks/cups_disable_browsing.xml
index cadd68a..e882cd1 100644
--- a/RHEL/6/input/checks/cups_disable_browsing.xml
+++ b/RHEL/6/input/checks/cups_disable_browsing.xml
@@ -11,35 +11,35 @@
       broadcasts and add and configure these printers for immediate use. By
       disabling this browsing capability, the machine will no longer generate
       or receive such broadcasts.</description>
-      <reference source="MED" ref_id="20131119" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140306" ref_url="test_attestation" />
     </metadata>
     <criteria operator="AND">
       <criterion comment="Ensure remote printer browsing is off"
       test_ref="test_cups_disable_browsing_browsing_off" />
       <criterion comment="Ensure no incoming printer information packets are allowed"
-      test_ref="test_cups_disable_browsing_browseallow" negate="true" />
+      test_ref="test_cups_disable_browsing_browseallow" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
   comment="Disable Browsing" id="test_cups_disable_browsing_browsing_off"
-  version="1">
+  version="2">
     <ind:object object_ref="obj_cups_disable_browsing_browsing_off" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsing_off" version="1">
+  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsing_off" version="2">
     <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">Browsing[\s]+(?:Off|No)</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*Browsing[\s]+(?:Off|No)</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
   comment="Do not allow incoming printer information packets"
-  id="test_cups_disable_browsing_browseallow" version="1">
+  id="test_cups_disable_browsing_browseallow" version="2">
     <ind:object object_ref="obj_cups_disable_browsing_browseallow" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow" version="1">
+  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow" version="2">
     <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">BrowseAllow[\s]+(?!none)</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*BrowseAllow[\s]+(?:none)</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
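Review bot: dropping `negate="true"` while keeping `check_existence="all_exist"` changes what happens when cupsd.conf has no BrowseAllow directive at all: the object then collects no items, `all_exist` evaluates to false, and the whole definition now fails, whereas the previous negated test passed in that situation. If that stricter behaviour is intended, the definition description should say that an explicit `BrowseAllow none` line is required. Separately, `(?:none)` in `^[\s]*BrowseAllow[\s]+(?:none)` is a non-capturing group with no alternation and no terminator, so it is just `none` and would also accept a value such as `nonesuch`; consider `^[\s]*BrowseAllow[\s]+none(?:[\s]|$)` so only the bare value matches.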
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
