----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Thursday, June 26, 2014 8:25:43 PM
> Subject: Re: [PATCH] [RHEL/6] Delete unused file_permissions_boot_grub_grub_conf.xml OVAL check [RHEL/6] Small changes in file_permissions_grub_conf.xml
>
>
> On 6/25/14, 1:02 PM, Jan Lieskovsky wrote:
> >
> > 1) This patch deletes the unused file_permissions_boot_grub_grub_conf.xml OVAL check (since the file_permissions_grub_conf.xml one is used instead of it).
> >
> > 2) Also updates file_permissions_grub_conf.xml - replace path+filename with filepath element & add test_attestation.
> >
> > Tested on RHEL-6, and seems to be working properly.
> >
> > Please review.
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-RHEL-6-Delete-unused-file_permissions_boot_grub_grub.patch
>
> From f2c47c7c4f757f25d9e2a37266ecb4d078980dc7 Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Wed, 25 Jun 2014 18:53:37 +0200
> Subject: [PATCH] [RHEL/6] Delete unused file_permissions_boot_grub_grub_conf.xml OVAL check (file_permissions_grub_conf.xml is used instead)
>
> [RHEL/6] file_permissions_grub_conf.xml:
> * replace path+filename with filepath
> * equip with test_attestation
>
> Signed-off-by: Jan Lieskovsky <[email protected]>
> ---
>  .../file_permissions_boot_grub_grub_conf.xml | 47 ----------------------
>  RHEL/6/input/checks/file_permissions_grub_conf.xml | 6 +--
>  2 files changed, 3 insertions(+), 50 deletions(-)
>  delete mode 100644 RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml
>
> diff --git a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml > b/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml > deleted file mode 100644 > index da0afec..0000000 > --- a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml > +++ /dev/null 
> @@ -1,47 +0,0 @@ > -<def-group> > - <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. > --> > - <definition class="compliance" id="file_permissions_boot_grub_grub_conf" > version="1"> > - <metadata> > - <title>Verify /boot/grub/grub.conf Permissions</title> > - <affected family="unix"> > - <platform>Red Hat Enterprise Linux 6</platform> > - </affected> > - <description>This test makes sure that /boot/grub/grub.conf is owned > by 0, group owned by 0, and has mode 0600. If > - the target file or directory has an extended ACL then it will fail the > mode check.</description> > - <reference source="swells" ref_id="20130831" > ref_url="test_attestation"/> > - </metadata> > - <criteria> > - <criterion test_ref="test_boot_grub_grub_conf" /> > - </criteria> > - </definition> > - <unix:file_test check="all" check_existence="all_exist" > comment="/boot/grub/grub.conf mode and ownership" > id="test_boot_grub_grub_conf" version="1"> > - <unix:object object_ref="object_boot_grub_grub_conf" /> > - <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" /> > - <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" /> > - <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" /> > - </unix:file_test> > - <unix:file_object comment="/boot/grub/grub.conf" > id="object_boot_grub_grub_conf" version="1"> > - <unix:path>/boot/grub</unix:path> > - <unix:filename>grub.conf</unix:filename> > - </unix:file_object> > - <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1"> > - <unix:user_id datatype="int" operation="equals">0</unix:user_id> > - </unix:file_state> > - <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1"> > - <unix:group_id datatype="int" operation="equals">0</unix:group_id> > - </unix:file_state> > - <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1"> > - <unix:suid datatype="boolean">false</unix:suid> > - <unix:sgid datatype="boolean">false</unix:sgid> > - <unix:sticky 
datatype="boolean">false</unix:sticky> > - <unix:uread datatype="boolean">true</unix:uread> > - <unix:uwrite datatype="boolean">true</unix:uwrite> > - <unix:uexec datatype="boolean">false</unix:uexec> > - <unix:gread datatype="boolean">false</unix:gread> > - <unix:gwrite datatype="boolean">false</unix:gwrite> > - <unix:gexec datatype="boolean">false</unix:gexec> > - <unix:oread datatype="boolean">false</unix:oread> > - <unix:owrite datatype="boolean">false</unix:owrite> > - <unix:oexec datatype="boolean">false</unix:oexec> > - </unix:file_state> > -</def-group> > diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml > b/RHEL/6/input/checks/file_permissions_grub_conf.xml > index 3347a8b..3dc48db 100644 > --- a/RHEL/6/input/checks/file_permissions_grub_conf.xml > +++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml > @@ -6,6 +6,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>File permissions for /boot/grub/grub.conf should be set > to 0600 (or stronger).</description> > + <reference source="JL" ref_id="RHEL6_20140625" > ref_url="test_attestation"/> > </metadata> > <criteria> > <criterion test_ref="test_file_permissions_grub_conf" /> > @@ -17,9 +18,8 @@ > <unix:state state_ref="state_file_permissions_grub_conf" /> > </unix:file_test> > > - <unix:file_object comment="/boot/grub/grub.conf" > id="object_file_permissions_grub_conf" version="1"> > - <unix:path>/boot/grub</unix:path> > - <unix:filename>grub.conf</unix:filename> > + <unix:file_object comment="/boot/grub/grub.conf" > id="object_file_permissions_grub_conf" version="2"> > + <unix:filepath>/boot/grub/grub.conf</unix:filepath> > </unix:file_object> > > <unix:file_state id="state_file_permissions_grub_conf" version="2"> > -- > 1.8.3.1 > > ack
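Review bot: the deleted file in hunk `@@ -1,47 +0,0 @@` opens with `<!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->`, so removing the checked-in copy is only half the change; unless the generator's input list also drops /boot/grub/grub.conf, the next run of create_permission_checks.py will recreate file_permissions_boot_grub_grub_conf.xml. Second point on the same hunk: the deleted definition asserted `user_id` 0, `group_id` 0 and an exact bit pattern (suid/sgid/sticky false, only uread and uwrite true), whereas the surviving check only references `state_file_permissions_grub_conf` and this patch does not show that state's content; please confirm it covers ownership as well as mode, otherwise the root:root assertion is silently lost with the deletion.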
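Review bot: the new `<reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/>` in hunk `@@ -6,6 +6,7 @@` uses a different ref_id scheme from the attestation in the file being deleted (`source="swells" ref_id="20130831"`); settling on one convention (date only, or product-prefixed) keeps test_attestation references greppable across the checks. Also, the context line's description reads "0600 (or stronger)", but the state it depends on is not visible in this patch; worth confirming that the state really accepts stricter modes rather than testing for an exact 0600 pattern, and if it does not, the "(or stronger)" wording should be dropped so the description matches what is evaluated.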
Thanks, pushed.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> --
> Shawn Wells
> Director, Innovation Programs
> [email protected] | 443.534.0130
> @shawndwells
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
