----- Original Message -----
> From: "Paul Tittle" <[email protected]>
> To: [email protected]
> Sent: Wednesday, May 21, 2014 3:03:23 PM
> Subject: [PATCH] exclude /sys from search in world_writeable_files
Thank you for the patch, Paul.

Sample stats:

Unpatched:
----------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-oval.xml
Definition oval:ssg:def:1086: true
Evaluation done.

real    0m8.423s
user    0m7.060s
sys     0m1.330s

Patched:
--------
# time oscap oval eval --id oval:ssg:def:1086 ssg-rhel6-patched-oval.xml
Definition oval:ssg:def:1086: true
Evaluation done.

real    0m8.370s
user    0m6.982s
sys     0m1.352s

Have also checked RHEL/6's make: main make succeeded after applying the patch, and the (related) check can still be performed with the freshly built & installed rpm.

ACK for this change.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> > --- > ...ile_permissions_unauthorized_world_writable.xml | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git > a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml > b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml > index c3d4c8a..b6624c4 100644 > --- a/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml > +++ b/RHEL/6/input/checks/file_permissions_unauthorized_world_writable.xml > @@ -23,8 +23,10 @@ > <unix:path operation="equals">/</unix:path> > <unix:filename operation="pattern match">^.*$</unix:filename> > <filter > action="include">state_file_permissions_unauthorized_world_write</filter> > + <!-- don't search /proc, /sys, and some special files from /selinux --> > <filter > > action="exclude">state_file_permissions_unauthorized_world_write_exclude_special_selinux_files</filter> > <filter > > action="exclude">state_file_permissions_unauthorized_world_write_exclude_proc</filter> > + <filter > action="exclude">state_file_permissions_unauthorized_world_write_exclude_sys</filter> > </unix:file_object> > <unix:file_state id="state_file_permissions_unauthorized_world_write" > version="1"> > <unix:type operation="equals">regular</unix:type> 
> @@ -36,4 +38,7 @@ > <unix:file_state > id="state_file_permissions_unauthorized_world_write_exclude_proc" > version="1"> > <unix:filepath operation="pattern match">^/proc/.*$</unix:filepath> > </unix:file_state> > + <unix:file_state > id="state_file_permissions_unauthorized_world_write_exclude_sys" > version="1"> > + <unix:filepath operation="pattern match">^/sys/.*$</unix:filepath> > + </unix:file_state> > </def-group> > -- > 1.7.1 > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
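Review bot: in the @@ -23,8 +23,10 @@ hunk, the subject line and the added comment ("don't search /proc, /sys, ...") describe this as excluding /sys from the search, but a filter on a unix:file_object is applied to the items the object has already collected: the new exclude, like the existing exclude_proc one, removes sysfs entries from the result set, it does not stop the recursive walk from "/" (unix:path operation="equals") from descending into /sys. The timings in the reply above (real 0m8.423s unpatched vs. 0m8.370s patched) are consistent with that. Suggest the commit message say the gain is a cleaner result set (no sysfs entries reported as world-writable) rather than scan time, and reword the comment to "don't report"; if pruning the walk is actually the goal, that has to be expressed on unix:path itself rather than in a post-collection filter.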
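Review bot: in the @@ -36,4 +38,7 @@ hunk, the new exclude_sys state is a copy of exclude_proc with only the path prefix changed; one state with a pattern such as ^/(proc|sys)/.*$ would cover both and keep the object's filter list from growing by one entry per pseudo-filesystem. If they are kept separate, the version="1" and the anchored unix:filepath pattern match the proc state, which is fine; note that matching on filepath is what makes the exclusion independent of the object's unix:filename pattern ^.*$, and that the /sys directory itself never needs matching since the include state only admits type "regular".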
