Patch summary:
[shared] Move disable_prelink OVAL check to shared
[shared] disable_prelink: Allow spaces around PRELINKING=no expression
[shared] disable_prelink: Allow comments
[Fedora] Start using shared version
[RHEL/6] The same
Patch details:
Based on definition in /etc/cron.daily/prelink:
#!/bin/sh
. /etc/sysconfig/prelink
...
the /etc/sysconfig/prelink file should follow the syntax / format recognized
by Bash scripts (i.e. no spaces allowed around the '=' character, comments
starting with #, whitespace ignored etc.).
Based on that, modify the definition of the disable_prelink.xml OVAL check to
support this format (IOW allow it to pass also in a case like:
\tPRELINKING=no\t# This setting should disable prelinking
).
Besides that, move the RHEL/6/ and Fedora disable_prelink.xml versions to the
shared/ directory.
Update script versioning and test attestations.
The change was tested on both RHEL-6 and Fedora systems and seems to be working
properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 775c821de7f10d28018332659baa90fb891968ee Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 13 Mar 2014 17:19:43 +0100
Subject: [PATCH] [shared] Move disable_prelink OVAL check to shared [shared]
disable_prelink: Allow spaces around PRELINKING=no expression [shared]
disable_prelink: Allow comments [Fedora] Start using shared version [RHEL/6]
The same
Signed-off-by: Jan Lieskovsky <[email protected]>
---
Fedora/input/checks/disable_prelink.xml | 32 +-------------------------------
RHEL/6/input/checks/disable_prelink.xml | 26 +-------------------------
shared/oval/disable_prelink.xml | 32 ++++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+), 56 deletions(-)
mode change 100644 => 120000 Fedora/input/checks/disable_prelink.xml
mode change 100644 => 120000 RHEL/6/input/checks/disable_prelink.xml
create mode 100644 shared/oval/disable_prelink.xml
diff --git a/Fedora/input/checks/disable_prelink.xml b/Fedora/input/checks/disable_prelink.xml
deleted file mode 100644
index aadf296..0000000
--- a/Fedora/input/checks/disable_prelink.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<def-group>
- <definition class="compliance" id="disable_prelink" version="1">
- <metadata>
- <title>Disable Prelinking</title>
- <affected family="unix">
- <platform>Fedora 19</platform>
- </affected>
- <description>The prelinking feature can interfere with the operation of
- checksum integrity tools (e.g. AIDE), mitigates the protection provided
- by ASLR, and requires additional CPU cycles by software upgrades.
- </description>
- </metadata>
- <criteria>
- <criterion comment="Ensure prelinking is disabled" test_ref="test_prelinking_no" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests whether prelinking is disabled"
- id="test_prelinking_no" version="1">
-
- <ind:object object_ref="obj_prelinking_no" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="obj_prelinking_no" version="1">
- <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
- <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
-</def-group>
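Review bot: the platform coverage changes with this deletion: the removed Fedora definition listed `<platform>Fedora 19</platform>`, while the shared replacement added in this same series declares only `<platform>Fedora 20</platform>`, so Fedora 19 silently drops out of the affected list. If that is intended, say so in the commit message; otherwise keep both Fedora platform entries in shared/oval/disable_prelink.xml.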
diff --git a/Fedora/input/checks/disable_prelink.xml b/Fedora/input/checks/disable_prelink.xml
new file mode 120000
index 0000000..903a3d1
--- /dev/null
+++ b/Fedora/input/checks/disable_prelink.xml
@@ -0,0 +1 @@
+../../../shared/oval/disable_prelink.xml
\ No newline at end of file
diff --git a/RHEL/6/input/checks/disable_prelink.xml b/RHEL/6/input/checks/disable_prelink.xml
deleted file mode 100644
index 56a399d..0000000
--- a/RHEL/6/input/checks/disable_prelink.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="disable_prelink" version="1">
- <metadata>
- <title>Disable Prelinking</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The prelinking feature can interfere with the operation of AIDE, because it changes binaries. </description>
- <reference source="cdcooper" ref_id="20131110" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion comment="Ensure prelinking is diabled" test_ref="test_prelinking_no" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests whether prelinking is disabled"
- id="test_prelinking_no" version="1">
- <ind:object object_ref="obj_prelinking_no" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_prelinking_no" version="1">
- <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
- <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
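Review bot: the earlier test attestation `<reference source="cdcooper" ref_id="20131110" ref_url="test_attestation" />` is dropped with this file and is not carried into the shared version, which records only the new JL/20140313 attestation. Unless the project convention is to keep just the latest attestation, preserve the previous reference element alongside the new one in shared/oval/disable_prelink.xml. (The `diabled` typo in the old criterion comment is fixed by the move, which is good.)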
diff --git a/RHEL/6/input/checks/disable_prelink.xml b/RHEL/6/input/checks/disable_prelink.xml
new file mode 120000
index 0000000..3a99a0b
--- /dev/null
+++ b/RHEL/6/input/checks/disable_prelink.xml
@@ -0,0 +1 @@
+../../../../shared/oval/disable_prelink.xml
\ No newline at end of file
diff --git a/shared/oval/disable_prelink.xml b/shared/oval/disable_prelink.xml
new file mode 100644
index 0000000..7243656
--- /dev/null
+++ b/shared/oval/disable_prelink.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="disable_prelink" version="2">
+ <metadata>
+ <title>Disable Prelinking</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Fedora 20</platform>
+ </affected>
+ <description>The prelinking feature can interfere with the operation of
+ checksum integrity tools (e.g. AIDE), mitigates the protection provided
+ by ASLR, and requires additional CPU cycles by software upgrades.
+ </description>
+ <reference source="JL" ref_id="20140313" ref_url="test_attestation" />
+ <!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
+ </metadata>
+ <criteria>
+ <criterion comment="Ensure prelinking is disabled" test_ref="test_prelinking_no" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests whether prelinking is disabled"
+ id="test_prelinking_no" version="1">
+ <ind:object object_ref="obj_prelinking_no" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_prelinking_no" version="2">
+ <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
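Review bot: the new pattern `^[\s]*PRELINKING=no[\s]*` drops the trailing `$` anchor, so besides the intended trailing whitespace and `# comment` it accepts any suffix at all: a line whose value merely starts with `no` satisfies the check even though the sourced variable is not `no`. Anchor the end of the line and admit only an optional comment, e.g. `^[\s]*PRELINKING=no[\s]*(#.*)?$`. Because `<ind:instance datatype="int">1</ind:instance>` looks only at the first match, a later `PRELINKING=yes` line would still override the value when the cron script sources the file while the check passes; that limitation predates this patch but is worth a comment in the object. Separately, the `<!-- Fedora 20: ... -->` line repeats the uncommented `<reference>` verbatim: if one attestation covers both platforms the comment adds nothing, and if the platforms were attested separately a second `<reference>` element, not a comment, is what tooling reads.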
--
1.8.3.1
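Added example, not part of Jan's patch or of the scap-security-guide project: a small Python emulation of how the textfilecontent54 object's line-regex check behaves on constructed /etc/sysconfig/prelink contents. It compares the version 1 pattern from the deleted per-product files, the version 2 pattern from this patch, and a hypothetical end-anchored pattern, and sets each verdict next to a simplified model of what the shell sees when /etc/cron.daily/prelink sources the file. The sample file contents, the `strict` pattern, the per-line matching model and all function names are my own assumptions.

```python
import re

# Constructed sample contents of /etc/sysconfig/prelink (not taken from any real system).
SAMPLES = {
    "plain": "PRELINKING=no\n",
    "indented_comment": "\tPRELINKING=no\t# This setting should disable prelinking\n",
    "value_starts_with_no": "PRELINKING=nobody_knows\n",
    "spaces_around_eq": "PRELINKING = no\n",
    "commented_out": "# PRELINKING=no\nPRELINKING=yes\n",
    "later_override": "PRELINKING=no\nPRELINKING=yes\n",
}

PATTERNS = {
    "v1": r"^PRELINKING=no$",                      # pattern in the deleted per-product files
    "v2": r"^[\s]*PRELINKING=no[\s]*",             # pattern introduced by the patch
    "strict": r"^[\s]*PRELINKING=no[\s]*(#.*)?$",  # hypothetical end-anchored alternative
}


def oval_check_passes(content, pattern):
    """Emulate ind:textfilecontent54_object with <ind:instance>1</ind:instance>:
    the check passes when at least one line of the file matches the pattern
    (the first matching line is the instance the test looks at)."""
    regex = re.compile(pattern)
    return any(regex.search(line) for line in content.splitlines())


def shell_value(content, name="PRELINKING"):
    """Simplified model of `. /etc/sysconfig/prelink`: '#' comments stripped,
    unquoted NAME=value assignments, last assignment wins. A line such as
    'PRELINKING = no' is not an assignment (a real shell would try to run
    PRELINKING as a command), so it contributes no value here."""
    assignment = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(\S*)\s*$")
    value = None
    for line in content.splitlines():
        line = line.split("#", 1)[0]  # drop inline comment (no quoting support in this model)
        m = assignment.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value


def prelinking_disabled_per_shell(content):
    """True only when the value the shell ends up with is exactly 'no'."""
    return shell_value(content) == "no"


def compare(samples=SAMPLES, patterns=PATTERNS):
    """Return {sample: {pattern_name: passes, ..., "shell": disabled}} so each
    regex verdict can be read next to the shell's interpretation of the file."""
    table = {}
    for sample_name, content in samples.items():
        row = {p: oval_check_passes(content, rx) for p, rx in patterns.items()}
        row["shell"] = prelinking_disabled_per_shell(content)
        table[sample_name] = row
    return table


if __name__ == "__main__":
    for sample_name, row in compare().items():
        flags = "  ".join(f"{k}={'PASS' if v else 'fail'}" for k, v in row.items())
        print(f"{sample_name:22s} {flags}")
```

Running it shows the two things the regex change buys and the two it does not: the v2 pattern accepts the indented, commented line that v1 rejected, but without an end anchor it also accepts a value that merely starts with `no`, and no line-oriented pattern with instance 1 notices a later assignment that overrides the first one when the file is sourced.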
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide