On 4/22/14, 11:23 AM, Renshaw, Richard /c wrote:
In my particular case, it would fail the ‘file_ownership_library_dirs’
(CCE-27424-1) test by finding this file:
528273 12 -rwsr-xr-x 1 abrt abrt 9904 Aug 13 2013
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
Patched ssg-rhel6-oval.xml to include a / at the end of the directory
in the pattern match
--- orig.ssg-rhel6-oval.xml 2014-04-22 10:14:05.181639519 -0500
+++ ssg-rhel6-oval.xml 2014-04-22 10:15:26.376636705 -0500
@@ -10573,13 +10573,13 @@
</linux:rpminfo_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:1862"
version="1">
<!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories
belong to user with uid 0 (root) -->
- <unix:path operation="pattern
match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+ <unix:path operation="pattern
match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:2182</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:1863"
version="1">
<!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64
directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern
match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+ <unix:path operation="pattern
match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:2182</filter>
</unix:file_object>
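Review bot: the comment on obj:1862 says the object selects the library directories themselves (/lib, /lib64, /usr/lib, /usr/lib64), but the new pattern `^\/lib(|64)\/|^\/usr\/lib(|64)\/` only matches a path that has a slash after `lib` or `lib64`, so a path value of exactly `/usr/lib` (no trailing slash) is no longer selected although the old pattern selected it. The change does stop `/usr/libexec` from matching, which is the intent, but please confirm on the test system that the four top-level directories still show up as items for both obj:1862 and obj:1863, or use an alternation that accepts either a slash or end of string, e.g. `^\/lib(|64)(\/|$)|^\/usr\/lib(|64)(\/|$)`.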
Verified it passes on my test system.
Thanks,
Rick Renshaw
I'm able to replicate:
$ sudo ./testcheck.py file_ownership_library_dirs.xml
$ sudo vim /tmp/file_ownership_library_dirs4UFZxe.xml-results
......
<system_data>
<unix-sys:file_item id="1300351" status="exists">
<unix-sys:filepath>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</unix-sys:filepath>
<unix-sys:path>/usr/libexec</unix-sys:path>
As Rick called out, /usr/libexec is artificially being scanned.
$ sudo ./testcheck.py file_ownership_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_library_dirsKSd7er.xml
Writing results to : /tmp/file_ownership_library_dirsKSd7er.xml-results
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
Acking and pushing this patch:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=55b5ec008650ead4249edc6305196326aa09b2fd
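To show why the unanchored pattern pulled /usr/libexec into the scan and what the trailing-slash fix changes, here is an added Python example (not part of this thread or of the SSG content) that applies the original and patched `unix:path` regexes to a constructed set of directory paths; it assumes Python's `re` agrees with OVAL's PCRE for these patterns and that the collector reports directories without a trailing slash, as in the `<unix-sys:path>` item above.

```python
import re

# The two <unix:path operation="pattern match"> values from the patch,
# copied as they appear in the OVAL content (before and after).
ORIGINAL = r"^\/lib(|64)|^\/usr\/lib(|64)"
PATCHED = r"^\/lib(|64)\/|^\/usr\/lib(|64)\/"

WANTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample of directory paths, written the way the results file
# shows them (no trailing slash); this is an assumption about the collector.
SAMPLE_PATHS = [
    "/lib",
    "/lib64",
    "/usr/lib",
    "/usr/lib64",
    "/lib/modules",
    "/usr/lib64/python2.6",
    "/usr/libexec",        # the false positive reported in the thread
    "/usr/libexec/abrt",
    "/libre",              # another prefix-only match of the old pattern
    "/usr/local/lib",      # should never match either pattern
]


def matching_paths(pattern, paths):
    """Return the paths an OVAL 'pattern match' on unix:path would select."""
    regex = re.compile(pattern)
    return [p for p in paths if regex.search(p)]


def false_positives(pattern, paths):
    """Selected paths that are neither a wanted library directory nor inside one."""
    def inside(p):
        return any(p == w or p.startswith(w + "/") for w in WANTED_DIRS)
    return [p for p in matching_paths(pattern, paths) if not inside(p)]


def missed_top_level(pattern, paths):
    """Wanted top-level directories (present in paths) the pattern does not select."""
    selected = set(matching_paths(pattern, paths))
    return [w for w in WANTED_DIRS if w in paths and w not in selected]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, "selects:", matching_paths(pat, SAMPLE_PATHS))
        print(name, "false positives:", false_positives(pat, SAMPLE_PATHS))
        print(name, "missed top-level dirs:", missed_top_level(pat, SAMPLE_PATHS))
```

The patched pattern drops /usr/libexec, but under the no-trailing-slash assumption it also stops selecting the four top-level directories themselves, which is worth checking in the results file after the change.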
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide