----- Original Message ----- 
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Friday, March 7, 2014 4:50:32 AM
> Subject: Re: [PATCH] [RHEL/6] Add heading regex anchor to cups_disable_browsing OVAL check
>
> On 3/6/14, 9:29 AM, Jan Lieskovsky wrote:
>
> Hello folks,
>
> based on
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-March/005065.html
> this patch adds heading regex anchor support for the cups_disable_browsing OVAL check
> (dedicated separate post for this patch, because just adding ^[\s]* to the two
> config file directives isn't sufficient. See below for further explanation).
>
> Besides adding the ^[\s]* prefix to the Browsing and BrowseAllow directives, it was also
> necessary not to negate the meaning of the second test, because in the new / modified
> scenario only cups config rows starting with Browsing / BrowseAllow (not prefixed
> with a comment) are returned as success. What could happen with unmodified criteria
> evaluation is the following:
>
> Suppose Browsing would be turned off:
>
> Browsing Off
>
> and BrowseAllow would contain 'none', but it would be commented out (possibly
> containing another comment behind none), e.g.
>
> # BrowseAllow none # Some another comment here
>
> The check for 'BrowseAllow[\s]+(?!none)' would return false, its negation true.
> AND-ing both results (true for Browsing Off, and true for the negation) would return
> true / pass as a result. => This patch removes the negation, and returns true only
> in case both of:
>
> Browsing Off
> BrowseAllow none
>
> are present in the configuration file (possibly suffixed with some comments). For the
> remaining alternatives it returns a false / fail OVAL result.
>
> Has been tested on RHEL-6 and seems to be working properly.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> P.S.: The patch also renews test_attestation on RHEL-6 and updates the OVAL test / object
> versions to indicate the second version.
>
> 0001-RHEL-6-Add-heading-regex-anchor-to-cups_disable_brow.patch
>
> From daf5294fc7023b7d89e43ddb9ec8db8d6452f38f Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Thu, 6 Mar 2014 15:12:21 +0100
> Subject: [PATCH] [RHEL/6] Add heading regex anchor to cups_disable_browsing
>  OVAL check (also renew test_attestation, test / object version numbers and
>  don't negate the second test -- see explanation on mailing list for further
>  details)
>
> Signed-off-by: Jan Lieskovsky <[email protected]>
> ---
>  RHEL/6/input/checks/cups_disable_browsing.xml | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/RHEL/6/input/checks/cups_disable_browsing.xml b/RHEL/6/input/checks/cups_disable_browsing.xml
> index cadd68a..e882cd1 100644
> --- a/RHEL/6/input/checks/cups_disable_browsing.xml
> +++ b/RHEL/6/input/checks/cups_disable_browsing.xml
> @@ -11,35 +11,35 @@ > broadcasts and add and configure these printers for immediate use. By > disabling this browsing capability, the machine will no longer > generate > or receive such broadcasts.</description> > - <reference source="MED" ref_id="20131119" ref_url="test_attestation" > /> > + <reference source="JL" ref_id="20140306" ref_url="test_attestation" /> > </metadata> > <criteria operator="AND"> > <criterion comment="Ensure remote printer browsing is off" > test_ref="test_cups_disable_browsing_browsing_off" /> > <criterion comment="Ensure no incoming printer information packets are > allowed" > - test_ref="test_cups_disable_browsing_browseallow" negate="true" /> > + test_ref="test_cups_disable_browsing_browseallow" /> > </criteria> > </definition> > > <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="Disable Browsing" id="test_cups_disable_browsing_browsing_off" > - version="1"> > + version="2"> > <ind:object object_ref="obj_cups_disable_browsing_browsing_off" /> > </ind:textfilecontent54_test> > - <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsing_off" > version="1"> > + <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsing_off" > version="2"> > <ind:filepath>/etc/cups/cupsd.conf</ind:filepath> > - <ind:pattern operation="pattern > match">Browsing[\s]+(?:Off|No)</ind:pattern> > + <ind:pattern operation="pattern > match">^[\s]*Browsing[\s]+(?:Off|No)</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > > <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="Do not allow incoming printer information packets" > - id="test_cups_disable_browsing_browseallow" version="1"> > + id="test_cups_disable_browsing_browseallow" version="2"> > <ind:object object_ref="obj_cups_disable_browsing_browseallow" /> > </ind:textfilecontent54_test> > - <ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow" > version="1"> > + 
<ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow" > version="2"> > <ind:filepath>/etc/cups/cupsd.conf</ind:filepath> > - <ind:pattern operation="pattern > match">BrowseAllow[\s]+(?!none)</ind:pattern> > + <ind:pattern operation="pattern > match">^[\s]*BrowseAllow[\s]+(?:none)</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > </def-group> > -- > 1.8.3.1 > > > IIRC, we inherited this from RHEL5 USGCB. Tomas Heinrich might want a heads > up.
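Review bot: both patched objects still look at instance 1 of a pattern with no trailing anchor and no second test for the opposite value, so a cupsd.conf with `Browsing Off` on one line and `Browsing On` further down still satisfies `^[\s]*Browsing[\s]+(?:Off|No)` and the definition passes; if cupsd honours the later directive, a companion test asserting that no line matches `^[\s]*Browsing[\s]+(?:On|Yes)` (and likewise for a non-`none` BrowseAllow) would close that gap. Two smaller points in the same hunk: `(?:none)` is a non-capturing group around a bare literal and can simply be `none`, and the patterns accept only `Off`/`No` and lowercase `none`, so if cupsd treats these values case-insensitively a compliant `Browsing off` would fail the check. The version bumps to 2 and the refreshed test_attestation reference are consistent with the changed objects.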
Thanks, Shawn. Right, good catch. Noted (and will propose a usgcb patch later too).

> ack

Thank you, pushed.

Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
