[PATCH 1/9] OVAL signoff for accounts_no_shelllogin_for_systemaccounts OVAL signoff: accounts_no_shelllogin_for_systemaccounts
by Shawn Wells
From: Shawn Wells <shawn(a)redhat.com>
TESTING:
[user@redhat-thing-1 checks]$ grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
[user@redhat-thing-1 checks]$ ./testcheck.py accounts_no_shelllogin_for_systemaccounts.xml
Evaluating with OVAL tempfile : /tmp/accounts_no_shelllogin_for_systemaccountszRaZw9.xml
Writing results to : /tmp/accounts_no_shelllogin_for_systemaccountszRaZw9.xml-results
Definition oval:scap-security-guide.testing:def:104: false
Evaluation done.
[user@redhat-thing-1 checks]$ grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[user@redhat-thing-1 checks]$ ./testcheck.py accounts_no_shelllogin_for_systemaccounts.xml
Evaluating with OVAL tempfile : /tmp/accounts_no_shelllogin_for_systemaccountsn0AVoG.xml
Writing results to : /tmp/accounts_no_shelllogin_for_systemaccountsn0AVoG.xml-results
Definition oval:scap-security-guide.testing:def:104: true
Evaluation done.
[user@redhat-thing-1 checks]$ vim accounts_no_shelllogin_for_systemaccounts.xml
[user@redhat-thing-1 checks]$ ./testcheck.py accounts_no_shelllogin_for_systemaccounts.xml
Evaluating with OVAL tempfile : /tmp/accounts_no_shelllogin_for_systemaccountsiUXzmf.xml
Writing results to : /tmp/accounts_no_shelllogin_for_systemaccountsiUXzmf.xml-results
Definition oval:scap-security-guide.testing:def:104: true
Evaluation done.
---
.../accounts_no_shelllogin_for_systemaccounts.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml b/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
index 966f75b..ff17b6e 100644
--- a/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
+++ b/RHEL6/input/checks/accounts_no_shelllogin_for_systemaccounts.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The root account is the only system account that should have a login shell.</description>
+ <reference source="swells" ref_id="20130918" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" test_ref="test_accounts_no_shelllogin_for_systemaccounts" />
@@ -15,8 +16,7 @@
<ind:object object_ref="object_accounts_no_shelllogin_for_systemaccounts" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_accounts_no_shelllogin_for_systemaccounts" version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>passwd</ind:filename>
+ <ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
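Review bot: The numeric range that is meant to select system accounts is applied to the fourth colon-separated field of each passwd line (the primary GID) rather than the third (the UID): `[\d]*` consumes the whole UID field and `0*([0-9]{1,2}|[1-4][0-9]{2})` is only reached after the following colon. A regular user with UID 500 and a low primary GID such as 100 is therefore reported as a system account with a login shell, while a service account with UID below 500 but a primary GID of 500 or more is not matched at all. The pattern is an unchanged context line, so this commit does not address it; the two sub-patterns should trade places, `^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$`. The TESTING transcript in the message could not have exposed this, because the ftp account used there has GID 50, which also falls inside the range. The enclosing textfilecontent54_test, whose check_existence decides how a match is reported, starts before this hunk.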
--
1.7.1
[PATCH 0/2] Additional OVAL testing and cleanup
by David Smith
This patch set includes:
1) Cleanup of OVAL and XCCDF naming issues that were discovered by verify-input-sanity.py,
2) A number of testrefs added to OVAL checks after testing.
David Smith (2):
corrected naming mismatch issues picked up by verify-input-sanity
added testrefs to a number of OVAL checks
.../accounts_password_minclass_login_defs.xml | 2 +-
.../accounts_passwords_pam_fail_interval.xml | 2 +-
RHEL6/input/checks/disable_users_coredumps.xml | 2 +-
.../mount_option_nodev_remote_filesystems.xml | 1 +
.../mount_option_nosuid_remote_filesystems.xml | 1 +
RHEL6/input/checks/no_files_unowned_by_user.xml | 2 +-
RHEL6/input/checks/service_autofs_disabled.xml | 1 +
.../input/checks/service_avahi-daemon_disabled.xml | 1 +
RHEL6/input/checks/service_crond_enabled.xml | 1 +
RHEL6/input/checks/service_ntpd_enabled.xml | 1 +
RHEL6/input/checks/service_ntpdate_disabled.xml | 1 +
RHEL6/input/checks/service_oddjobd_disabled.xml | 1 +
RHEL6/input/checks/service_postfix_enabled.xml | 1 +
RHEL6/input/checks/service_qpidd_disabled.xml | 1 +
RHEL6/input/checks/service_rdisc_disabled.xml | 1 +
RHEL6/input/checks/service_ypbind_disabled.xml | 1 +
RHEL6/input/system/accounts/banners.xml | 1 -
RHEL6/input/system/accounts/pam.xml | 2 +-
RHEL6/input/system/logging.xml | 1 -
RHEL6/input/system/permissions/files.xml | 2 +-
20 files changed, 18 insertions(+), 8 deletions(-)
[PATCH] More testrefs, this time for mount_option_tmp checks
by Maura Dailey
More outstanding testrefs that should be committed!
---
RHEL6/input/checks/mount_option_tmp_nodev.xml | 11 +++++++----
RHEL6/input/checks/mount_option_tmp_noexec.xml | 14 +++++++++-----
RHEL6/input/checks/mount_option_tmp_nosuid.xml | 13 ++++++++-----
3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/checks/mount_option_tmp_nodev.xml b/RHEL6/input/checks/mount_option_tmp_nodev.xml
index d741d29..fdd2420 100644
--- a/RHEL6/input/checks/mount_option_tmp_nodev.xml
+++ b/RHEL6/input/checks/mount_option_tmp_nodev.xml
@@ -6,14 +6,16 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Legitimate character and block devices should not exist
- within temporary directories like /tmp. The nodev mount option should
- be specified for /tmp.</description>
+ within temporary directories like /tmp. The nodev mount option should be
+ specified for /tmp.</description>
+ <reference source="MED" ref_id="20130821" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nodev on /tmp" test_ref="test_nodev_tmp" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_nodev_tmp" version="1" comment="nodev on /tmp">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nodev_tmp" version="1" comment="nodev on /tmp">
<linux:object object_ref="object_tmp_nodev_partition" />
<linux:state state_ref="state_tmp_nodev" />
</linux:partition_test>
@@ -21,6 +23,7 @@
<linux:mount_point>/tmp</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_tmp_nodev" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">nodev</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_tmp_noexec.xml b/RHEL6/input/checks/mount_option_tmp_noexec.xml
index d0593f8..76d8192 100644
--- a/RHEL6/input/checks/mount_option_tmp_noexec.xml
+++ b/RHEL6/input/checks/mount_option_tmp_noexec.xml
@@ -5,15 +5,18 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>It can be dangerous to allow the execution of binaries
- from world-writable temporary storage directories such as /tmp.
- The noexec mount option prevents binaries from being executed out of /tmp.</description>
+ <description>It can be dangerous to allow the execution of binaries from
+ world-writable temporary storage directories such as /tmp. The noexec
+ mount option prevents binaries from being executed out of
+ /tmp.</description>
+ <reference source="MED" ref_id="20130821" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="noexec on /tmp" test_ref="test_noexec_tmp" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_noexec_tmp" version="1" comment="noexec on /tmp">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_noexec_tmp" version="1" comment="noexec on /tmp">
<linux:object object_ref="object_tmp_noexec_partition" />
<linux:state state_ref="state_tmp_noexec" />
</linux:partition_test>
@@ -21,6 +24,7 @@
<linux:mount_point>/tmp</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_tmp_noexec" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">noexec</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_tmp_nosuid.xml b/RHEL6/input/checks/mount_option_tmp_nosuid.xml
index 6477a21..b3d88c9 100644
--- a/RHEL6/input/checks/mount_option_tmp_nosuid.xml
+++ b/RHEL6/input/checks/mount_option_tmp_nosuid.xml
@@ -5,15 +5,17 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The nosuid mount option should be set for temporary
- storage partitions such as /tmp. The suid/sgid permissions
- should not be required in these world-writable directories.</description>
+ <description>The nosuid mount option should be set for temporary storage
+ partitions such as /tmp. The suid/sgid permissions should not be required
+ in these world-writable directories.</description>
+ <reference source="MED" ref_id="20130821" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nosuid on /tmp" test_ref="test_nosuid_tmp" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_nosuid_tmp" version="1" comment="nosuid on /tmp">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nosuid_tmp" version="1" comment="nosuid on /tmp">
<linux:object object_ref="object_tmp_nosuid_partition" />
<linux:state state_ref="state_tmp_nosuid" />
</linux:partition_test>
@@ -21,6 +23,7 @@
<linux:mount_point>/tmp</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_tmp_nosuid" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">nosuid</linux:mount_options>
</linux:partition_state>
</def-group>
--
1.7.1
[PATCH] Adding testrefs to mount_option_dev_shm_* checks, all appear to function correctly.
by Maura Dailey
Pushing out some checks I tested a little while back. I've verified that no other changes were made on the mailing list.
- Maura Dailey
---
RHEL6/input/checks/mount_option_dev_shm_nodev.xml | 7 +++++--
RHEL6/input/checks/mount_option_dev_shm_noexec.xml | 14 +++++++++-----
RHEL6/input/checks/mount_option_dev_shm_nosuid.xml | 13 ++++++++-----
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/RHEL6/input/checks/mount_option_dev_shm_nodev.xml b/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
index 09b69b6..f00b9e9 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
@@ -8,12 +8,14 @@
<description>Legitimate character and block devices should not exist
within temporary directories like /dev/shm. The nodev mount option should
be specified for /dev/shm.</description>
+ <reference source="MED" ref_id="20130820" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nodev on /dev/shm" test_ref="test_nodev_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_nodev_dev_shm" version="1" comment="nodev on /dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nodev_dev_shm" version="1" comment="nodev on /dev/shm">
<linux:object object_ref="object_dev_shm_partition_nodev" />
<linux:state state_ref="state_dev_shm_nodev" />
</linux:partition_test>
@@ -21,6 +23,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_nodev" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">nodev</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_dev_shm_noexec.xml b/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
index 25ac4fb..825f761 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
@@ -5,15 +5,18 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>It can be dangerous to allow the execution of binaries
- from world-writable temporary storage directories such as /dev/shm.
- The noexec mount option prevents binaries from being executed out of /dev/shm.</description>
+ <description>It can be dangerous to allow the execution of binaries from
+ world-writable temporary storage directories such as /dev/shm. The noexec
+ mount option prevents binaries from being executed out of
+ /dev/shm.</description>
+ <reference source="MED" ref_id="20130821" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="noexec on /dev/shm" test_ref="test_noexec_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_noexec_dev_shm" version="1" comment="noexec on /dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_noexec_dev_shm" version="1" comment="noexec on /dev/shm">
<linux:object object_ref="object_dev_shm_partition_noexec" />
<linux:state state_ref="state_dev_shm_noexec" />
</linux:partition_test>
@@ -21,6 +24,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_noexec" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">noexec</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml b/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
index e7c517d..2bc1463 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
@@ -5,15 +5,17 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The nosuid mount option should be set for temporary
- storage partitions such as /dev/shm. The suid/sgid permissions
- should not be required in these world-writable directories.</description>
+ <description>The nosuid mount option should be set for temporary storage
+ partitions such as /dev/shm. The suid/sgid permissions should not be
+ required in these world-writable directories.</description>
+ <reference source="MED" ref_id="20130821" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nosuid on /dev/shm" test_ref="test_nosuid_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_nosuid_dev_shm" version="1" comment="nosuid on /dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nosuid_dev_shm" version="1" comment="nosuid on /dev/shm">
<linux:object object_ref="object_dev_shm_partition_nosuid" />
<linux:state state_ref="state_dev_shm_nosuid" />
</linux:partition_test>
@@ -21,6 +23,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_nosuid" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one"
+ operation="equals">nosuid</linux:mount_options>
</linux:partition_state>
</def-group>
--
1.7.1