Patch summary:

    [shared] Move disable_prelink OVAL check to shared
    [shared] disable_prelink: Allow spaces around PRELINKING=no expression
    [shared] disable_prelink: Allow comments
    [Fedora] Start using shared version
    [RHEL/6] The same

Patch details:

Based on definition in /etc/cron.daily/prelink:
  
  #!/bin/sh

  . /etc/sysconfig/prelink
  ...

the /etc/sysconfig/prelink file should follow the syntax / format recognized
by Bash scripts (i.e. no spaces allowed around the '=' character, comments
starting with '#', whitespace ignored, etc.).

Based on that, modify the definition of the disable_prelink.xml OVAL check to
support this format (IOW allow it to pass also in a case like:

  \tPRELINKING=no\t# This setting should disable prelinking

).

Besides that, move the RHEL/6/ and Fedora disable_prelink.xml versions to the
shared/ directory.
Update script versioning and test attestations.

The change was tested on both RHEL-6 and Fedora systems and seems to be working
properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
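To see where the new pattern and the shell itself disagree, here is an added shell script; it is not part of the patch or of the scap-security-guide project. It writes constructed variants of /etc/sysconfig/prelink to a temporary file, sources each one the way /etc/cron.daily/prelink does, and compares the resulting PRELINKING value with what a grep -E translation of the patch's pattern accepts. STRICT_RE is an alternative pattern suggested here, not taken from the patch.

```shell
#!/bin/sh
# Added example: not part of the patch or of scap-security-guide.
# Compares the OVAL pattern from shared/oval/disable_prelink.xml with what
# the shell really assigns to PRELINKING when /etc/sysconfig/prelink is
# sourced (as /etc/cron.daily/prelink does). All file contents below are
# constructed samples. Sourcing executes the file, so never point this at
# anything you do not trust.
set -u

# The patch's pattern as a POSIX ERE for grep (OVAL's [\s] -> [[:space:]]).
PATCH_RE='^[[:space:]]*PRELINKING=no[[:space:]]*'
# Stricter variant (a suggestion, not in the patch): after "no" only
# whitespace, an optional "# comment" and the end of line may follow.
STRICT_RE='^[[:space:]]*PRELINKING=no([[:space:]]+(#.*)?)?$'

# shell_value FILE: print what PRELINKING holds after sourcing FILE,
# or "unset" if the file never assigns it.
shell_value() {
    unset PRELINKING
    . "$1"
    printf '%s\n' "${PRELINKING-unset}"
}

# regex_says RE FILE: "pass" when some line matches RE (i.e. OVAL
# instance 1 exists), "fail" otherwise.
regex_says() {
    if grep -Eq "$1" "$2"; then echo pass; else echo fail; fi
}

# verdict RE CONTENT: write CONTENT (printf %b escapes allowed) to a temp
# file and compare the regex verdict with the shell's. Prints one of:
#   agree       regex and shell reach the same conclusion
#   false-pass  regex passes although PRELINKING is not "no"
#   false-fail  regex fails although PRELINKING is "no"
verdict() {
    f=$(mktemp) || return 1
    printf '%b' "$2" > "$f"
    actual=$(shell_value "$f")
    says=$(regex_says "$1" "$f")
    rm -f "$f"
    if [ "$actual" = no ]; then expected=pass; else expected=fail; fi
    if [ "$says" = "$expected" ]; then echo agree
    elif [ "$says" = pass ]; then echo false-pass
    else echo false-fail
    fi
}

# Constructed sample contents of /etc/sysconfig/prelink, one file each.
for content in \
    'PRELINKING=no\n' \
    '\tPRELINKING=no\t# This setting should disable prelinking\n' \
    '# PRELINKING=no\n' \
    'PRELINKING=not\n' \
    'PRELINKING=no#comment\n' \
    'PRELINKING=no\nPRELINKING=yes\n'
do
    printf '%-55s patch:%-10s strict:%s\n' "$content" \
        "$(verdict "$PATCH_RE" "$content")" "$(verdict "$STRICT_RE" "$content")"
done
```

The tab-and-comment case from the mail passes under both patterns. Because the patch's pattern has no end anchor, 'PRELINKING=not' and 'PRELINKING=no#comment' (the shell only starts a comment at the beginning of a word, so that line assigns the value 'no#comment') are reported as false-pass; the stricter pattern rejects both. The two-line file, where the second assignment wins when sourced, is a false-pass under either pattern, which no regular expression on instance 1 can fix.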
From 775c821de7f10d28018332659baa90fb891968ee Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 13 Mar 2014 17:19:43 +0100
Subject: [PATCH] [shared] Move disable_prelink OVAL check to shared [shared]
 disable_prelink: Allow spaces around PRELINKING=no expression [shared]
 disable_prelink: Allow comments [Fedora] Start using shared version [RHEL/6]
 The same

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 Fedora/input/checks/disable_prelink.xml | 32 +-------------------------------
 RHEL/6/input/checks/disable_prelink.xml | 26 +-------------------------
 shared/oval/disable_prelink.xml         | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 56 deletions(-)
 mode change 100644 => 120000 Fedora/input/checks/disable_prelink.xml
 mode change 100644 => 120000 RHEL/6/input/checks/disable_prelink.xml
 create mode 100644 shared/oval/disable_prelink.xml

diff --git a/Fedora/input/checks/disable_prelink.xml b/Fedora/input/checks/disable_prelink.xml
deleted file mode 100644
index aadf296..0000000
--- a/Fedora/input/checks/disable_prelink.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<def-group>
-  <definition class="compliance" id="disable_prelink" version="1">
-    <metadata>
-      <title>Disable Prelinking</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>The prelinking feature can interfere with the operation of
-      checksum integrity tools (e.g. AIDE), mitigates the protection provided
-      by ASLR, and requires additional CPU cycles by software upgrades.
-      </description>
-    </metadata>
-    <criteria>
-      <criterion comment="Ensure prelinking is disabled" test_ref="test_prelinking_no" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-   comment="Tests whether prelinking is disabled"
-   id="test_prelinking_no" version="1">
-
-    <ind:object object_ref="obj_prelinking_no" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="obj_prelinking_no" version="1">
-    <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
-    <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-</def-group>
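Review bot: removing this file also removes the only '<platform>Fedora 19</platform>' entry, and the shared replacement in this series declares 'Fedora 20' only, so Fedora 19 hosts stop being covered by this check. If Fedora 19 is still a target, add it to the shared file's '<affected>' block; otherwise state in the commit message that the platform bump is intentional.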
diff --git a/Fedora/input/checks/disable_prelink.xml b/Fedora/input/checks/disable_prelink.xml
new file mode 120000
index 0000000..903a3d1
--- /dev/null
+++ b/Fedora/input/checks/disable_prelink.xml
@@ -0,0 +1 @@
+../../../shared/oval/disable_prelink.xml
\ No newline at end of file
diff --git a/RHEL/6/input/checks/disable_prelink.xml b/RHEL/6/input/checks/disable_prelink.xml
deleted file mode 100644
index 56a399d..0000000
--- a/RHEL/6/input/checks/disable_prelink.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
-  <definition class="compliance" id="disable_prelink" version="1">
-    <metadata>
-      <title>Disable Prelinking</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The prelinking feature can interfere with the operation of AIDE, because it changes binaries. </description>
-      <reference source="cdcooper" ref_id="20131110" ref_url="test_attestation" />
-    </metadata>
-    <criteria>
-      <criterion comment="Ensure prelinking is diabled" test_ref="test_prelinking_no" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Tests whether prelinking is disabled"
-  id="test_prelinking_no" version="1">
-    <ind:object object_ref="obj_prelinking_no" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_prelinking_no" version="1">
-    <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
-    <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
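Review bot: the earlier attestation '<reference source="cdcooper" ref_id="20131110" ref_url="test_attestation" />' is dropped together with this file, and the shared version carries only the new 20140313 one. An independent earlier test record is worth keeping rather than replacing; consider carrying it over into shared/oval/disable_prelink.xml next to the new reference.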
diff --git a/RHEL/6/input/checks/disable_prelink.xml b/RHEL/6/input/checks/disable_prelink.xml
new file mode 120000
index 0000000..3a99a0b
--- /dev/null
+++ b/RHEL/6/input/checks/disable_prelink.xml
@@ -0,0 +1 @@
+../../../../shared/oval/disable_prelink.xml
\ No newline at end of file
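Review bot: the four '../' segments here are correct (RHEL/6/input/checks/ sits one level deeper than Fedora/input/checks/, which uses three), so both links resolve to shared/oval/disable_prelink.xml. Since both entries change from mode 100644 to 120000, anything that copies input/checks/ without dereferencing symlinks will pick up a dangling link instead of the check; worth verifying on the build side once.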
diff --git a/shared/oval/disable_prelink.xml b/shared/oval/disable_prelink.xml
new file mode 100644
index 0000000..7243656
--- /dev/null
+++ b/shared/oval/disable_prelink.xml
@@ -0,0 +1,32 @@
+<def-group>
+  <definition class="compliance" id="disable_prelink" version="2">
+    <metadata>
+      <title>Disable Prelinking</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Fedora 20</platform>
+      </affected>
+      <description>The prelinking feature can interfere with the operation of
+      checksum integrity tools (e.g. AIDE), mitigates the protection provided
+      by ASLR, and requires additional CPU cycles by software upgrades.
+      </description>
+      <reference source="JL" ref_id="20140313" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
+    </metadata>
+    <criteria>
+      <criterion comment="Ensure prelinking is disabled" test_ref="test_prelinking_no" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Tests whether prelinking is disabled"
+  id="test_prelinking_no" version="1">
+    <ind:object object_ref="obj_prelinking_no" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_prelinking_no" version="2">
+    <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
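Review bot: the new pattern '^[\s]*PRELINKING=no[\s]*' has no end anchor, so it also accepts 'PRELINKING=not' and 'PRELINKING=no#comment' (the shell treats '#' as a comment only at the start of a word, so the latter assigns the value 'no#comment'). To allow trailing comments without matching a prefix, anchor the tail, e.g. '^[\s]*PRELINKING=no([\s]+(#.*)?)?$'. Two smaller points: '<ind:instance datatype="int">1</ind:instance>' only looks at the first match, while a later 'PRELINKING=yes' line wins when the file is sourced, so a second object that fails on any 'PRELINKING=' line with a different value would close that gap; and the commented-out reference line repeats the preceding one verbatim, so either drop it or turn it into a real second reference.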
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
