From 273fca22af9e24a42da94bbf92a64af4e3082a13 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 27 Sep 2013 15:59:58 -0400
Subject: [PATCH 1/8] OVAL signoff: accounts_dangerous_path_for_root

TESTING:
[root@SSG-RHEL6 checks]# find /lib -perm /022 -type f ; find /lib64/ -perm /022 -type f ; find /usr/lib -perm /022 -type f ; find /usr/lib64 -perm /022 -type f
[root@SSG-RHEL6 checks]# ./testcheck.py file_permissions_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_permissions_library_dirstUlHnu.xml
Writing results to : /tmp/file_permissions_library_dirstUlHnu.xml-results
Definition oval:scap-security-guide.testing:def:207: true
Evaluation done.
[root@SSG-RHEL6 checks]# chmod go+w /lib64/libacl.so.1
[root@SSG-RHEL6 checks]# ./testcheck.py file_permissions_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_permissions_library_dirstTWqp5.xml
Writing results to : /tmp/file_permissions_library_dirstTWqp5.xml-results
Definition oval:scap-security-guide.testing:def:207: false
Evaluation done.
---
 .../checks/accounts_dangerous_path_for_root.xml | 67 +++++++++++++-------
 1 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
index efc4f0d..7e475c4 100644
--- a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
+++ b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
@@ -5,7 +5,9 @@
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
- <description>The environment variable PATH should be set correctly for the root user.</description>
+ <description>The environment variable PATH should be set correctly for
+ the root user.</description>
+ <reference source="MED" ref_id="20130925" ref_url="test_attestation" />
 </metadata>
 <criteria comment="environment variable PATH contains dangerous path" operator="AND">
 <criterion comment="environment variable PATH starts with : or ." test_ref="test_env_var_begins" />
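Review bot: The `test_attestation` reference added here records this check as tested on 20130925, but the only evidence in the commit message is a `./testcheck.py file_permissions_library_dirs.xml` run evaluating `def:207`, which exercises a different check, so nothing visible in this commit shows the restructured PATH tests were actually run. I would capture a `./testcheck.py accounts_dangerous_path_for_root.xml` run in the message — once with a clean PATH and once after something like `export PATH=$PATH:.` in the shell that launches the scanner — before attaching the attestation.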
@@ -16,50 +18,69 @@
 <criterion comment="environment variable PATH doesn't contain relative paths" test_ref="test_env_var_contains_relative_path" />
 </criteria>
 </definition>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with : or ." id="test_env_var_begins" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_object id="object_accounts_dangerous_path_for_root"
+ version="1">
+ <ind:pid xsi:nil="true" datatype="int" />
+ <ind:name>PATH</ind:name>
+ </ind:environmentvariable58_object>
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH starts with : or ."
+ id="test_env_var_begins" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_begins_colon_period" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains : twice in a row" id="test_env_var_contains_doublecolon" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH doesn't contain : twice in a row"
+ id="test_env_var_contains_doublecolon" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_contains_double_colon" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains . twice in a row" id="test_env_var_contains_doubleperiod" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH doesn't contain . twice in a row"
+ id="test_env_var_contains_doubleperiod" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_contains_double_period" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH ends with : or ." id="test_env_var_ends" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH ends with : or ." id="test_env_var_ends"
+ version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_ends_colon_period" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="test_env_var_begins_slash" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH starts with an absolute path /"
+ id="test_env_var_begins_slash" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_begins_slash" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains relative paths" id="test_env_var_contains_relative_path" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH contains relative paths"
+ id="test_env_var_contains_relative_path" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
 <ind:state state_ref="state_contains_relative_path" />
 </ind:environmentvariable58_test>
- <ind:environmentvariable58_object id="object_env_var_path" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>PATH</ind:name>
- </ind:environmentvariable58_object>
- <ind:environmentvariable58_state comment="starts with colon or period" id="state_begins_colon_period" version="1">
+ <ind:environmentvariable58_state comment="starts with colon or period"
+ id="state_begins_colon_period" version="1">
 <ind:value operation="pattern match">^[:\.]</ind:value>
 </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="colon twice in a row" id="state_contains_double_colon" version="1">
+ <ind:environmentvariable58_state comment="colon twice in a row"
+ id="state_contains_double_colon" version="1">
 <ind:value operation="pattern match">::</ind:value>
 </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="period twice in a row" id="state_contains_double_period" version="1">
+ <ind:environmentvariable58_state comment="period twice in a row"
+ id="state_contains_double_period" version="1">
 <ind:value operation="pattern match">\.\.</ind:value>
 </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="ends with colon or period" id="state_ends_colon_period" version="1">
+ <ind:environmentvariable58_state comment="ends with colon or period"
+ id="state_ends_colon_period" version="1">
 <ind:value operation="pattern match">[:\.]$</ind:value>
 </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="begins with a slash" id="state_begins_slash" version="1">
+ <ind:environmentvariable58_state comment="begins with a slash"
+ id="state_begins_slash" version="1">
 <ind:value operation="pattern match">^[^/]</ind:value>
 </ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="elements begin with a slash" id="state_contains_relative_path" version="1">
+ <ind:environmentvariable58_state comment="elements begin with a slash"
+ id="state_contains_relative_path" version="1">
 <ind:value operation="pattern match">[^\\]:[^/]</ind:value>
 </ind:environmentvariable58_state>
 </def-group>
-- 
1.7.1
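Review bot: The `<ind:pid xsi:nil="true" datatype="int" />` on the new `object_accounts_dangerous_path_for_root` object means the PATH under test is, as I read the OVAL 5.8 environmentvariable58 semantics, the environment of the process running the OVAL interpreter — the scanner's own PATH, not root's configured login PATH — so the verdict depends on how the scan was launched (interactive root shell vs. cron, a remote agent, or `sudo` with `secure_path`), and a `.` or relative entry added in `/root/.bash_profile`, `/root/.bashrc` or `/etc/profile.d/*.sh` goes unnoticed unless the scanner happened to source it. I would record that assumption on the object, e.g. `<!-- nil pid: inspects the PATH of the process running the OVAL interpreter; root's profile files are not examined -->`, and consider complementing these tests with a textfilecontent54 check of root's profile files. Separately, the comments rewritten on `test_env_var_contains_doublecolon` and `test_env_var_contains_doubleperiod` now read "doesn't contain", while the four neighbouring `none satisfy` tests still name the pattern they reject ("starts with : or .", "contains relative paths"); one phrasing should be used throughout, and the `<criterion>` comments (the one visible here says "doesn't contain relative paths", the one in the earlier hunk says "starts with : or .") should agree with it. The `\.\.` state also matches `..` anywhere in the string, so an absolute element such as `/opt/foo..bar` would fail this check; if the intent is to catch a `..` element, `(^|:)\.\.(:|$)` would be more precise.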