>From 7450369eaaa2f6cf1c4581454653eefcb19f3e52 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Sat, 28 Sep 2013 15:37:15 -0400
Subject: [PATCH 5/8] New OVAL: file_permissions_binary_dirs
 - net-new OVAL, though based off file_permissions_libary*
 - Added remediation script
 - Mapped XCCDF to OVAL
 - OVAL signoff

---
 .../input/checks/file_permissions_binary_dirs.xml  |  115 ++++++++++++++++++++
 .../fixes/bash/file_permissions_binary_dirs.sh     |    4 +
 RHEL6/input/system/permissions/files.xml           |    1 +
 3 files changed, 120 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/file_permissions_binary_dirs.xml
 create mode 100644 RHEL6/input/fixes/bash/file_permissions_binary_dirs.sh

diff --git a/RHEL6/input/checks/file_permissions_binary_dirs.xml b/RHEL6/input/checks/file_permissions_binary_dirs.xml
new file mode 100644
index 0000000..1b16414
--- /dev/null
+++ b/RHEL6/input/checks/file_permissions_binary_dirs.xml
@@ -0,0 +1,115 @@
+<def-group>
+  <definition class="compliance" id="file_permissions_binary_dirs" version="1">
+    <metadata>
+      <title>Verify that System Executables Have Restrictive Permissions</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>Checks that /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, /usr/local/sbin, and objects therein,
+      are not group-writable or world-writable.</description>
+      <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_perms_bin_files" />
+      <criterion test_ref="test_perms_usr_bin_files" />
+      <criterion test_ref="test_perms_usr_local_bin_files" />
+      <criterion test_ref="test_perms_sbin_files" />
+      <criterion test_ref="test_perms_usr_sbin_files" />
+      <criterion test_ref="test_perms_usr_local_sbin_files" />
+    </criteria>
+  </definition>
+
+<!-- /bin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/bin files go-w" id="test_perms_bin_files" version="1">
+    <unix:object object_ref="object_file_permissions_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/bin files" id="object_file_permissions_bin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /bin directory and file tests -->
+
+<!-- /usr/bin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin files go-w" id="test_perms_usr_bin_files" version="1">
+    <unix:object object_ref="object_file_permissions_usr_bin_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/bin files" id="object_file_permissions_usr_bin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /usr/bin directory and file tests -->
+
+<!-- /usr/local/bin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin files go-w" id="test_perms_usr_local_bin_files" version="1">
+    <unix:object object_ref="object_file_permissions_usr_local_bin_files" />
+  </unix:file_test>
+                          
+  <unix:file_object comment="/usr/local/bin files" id="object_file_permissions_usr_local_bin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /usr/local/bin directory and file tests -->
+
+<!-- /sbin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/sbin files go-w" id="test_perms_sbin_files" version="1">
+    <unix:object object_ref="object_file_permissions_sbin_files" />
+  </unix:file_test>
+          
+  <unix:file_object comment="/sbin files" id="object_file_permissions_sbin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /sbin directory and file tests -->
+
+<!-- /usr/sbin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin files go-w" id="test_perms_usr_sbin_files" version="1">
+    <unix:object object_ref="object_file_permissions_usr_sbin_files" />
+  </unix:file_test>
+          
+  <unix:file_object comment="/usr/sbin files" id="object_file_permissions_usr_sbin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /usr/sbin directory and file tests -->
+
+<!-- /usr/local/sbin directory and file tests -->
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin files go-w" id="test_perms_usr_local_sbin_files" version="1">
+    <unix:object object_ref="object_file_permissions_usr_local_sbin_files" />
+  </unix:file_test>
+            
+  <unix:file_object comment="/usr/local/sbin files" id="object_file_permissions_usr_local_sbin_files" version="1">
+    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/local/sbin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_symlink</filter>
+  </unix:file_object>
+<!-- end /usr/local/sbin directory and file tests -->
+
+  <unix:file_state id="state_symlink" version="1">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+
+  <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+    <unix:gwrite datatype="boolean">true</unix:gwrite>
+    <unix:owrite datatype="boolean">true</unix:owrite>
+  </unix:file_state>
+
+</def-group>
diff --git a/RHEL6/input/fixes/bash/file_permissions_binary_dirs.sh b/RHEL6/input/fixes/bash/file_permissions_binary_dirs.sh
new file mode 100644
index 0000000..8eeca3e
--- /dev/null
+++ b/RHEL6/input/fixes/bash/file_permissions_binary_dirs.sh
@@ -0,0 +1,4 @@
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
+for dirPath in $DIRS; do
+	find $dirPath -perm /022 -exec chmod go-w '{}' \;
+done
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 5a4f616..7d4add9 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -291,6 +291,7 @@ and restrictive permissions are necessary to ensure execution of these programs
 cannot be co-opted.
 </rationale>
 <ref nist="AC-6" disa="1499"/>
+<oval id="file_permissions_binary_dirs" />
 </Rule>
 
 <Rule id="file_ownership_binary_dirs" severity="medium">
-- 
1.7.1