Thanks for these, please push!
On Wed, Sep 18, 2013 at 11:53 AM, Maura Dailey <maura(a)eclipse.ncsc.mil>wrote:
Pushing out some checks I tested a little while back. I've
verified that
no other changes were made on the mailing list.
- Maura Dailey
---
RHEL6/input/checks/mount_option_dev_shm_nodev.xml | 7 +++++--
RHEL6/input/checks/mount_option_dev_shm_noexec.xml | 14 +++++++++-----
RHEL6/input/checks/mount_option_dev_shm_nosuid.xml | 13 ++++++++-----
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
b/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
index 09b69b6..f00b9e9 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_nodev.xml
@@ -8,12 +8,14 @@
<description>Legitimate character and block devices should not exist
within temporary directories like /dev/shm. The nodev mount option
should
be specified for /dev/shm.</description>
+ <reference source="MED" ref_id="20130820"
ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nodev on /dev/shm"
test_ref="test_nodev_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist"
id="test_nodev_dev_shm" version="1" comment="nodev on
/dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nodev_dev_shm" version="1" comment="nodev on
/dev/shm">
<linux:object object_ref="object_dev_shm_partition_nodev" />
<linux:state state_ref="state_dev_shm_nodev" />
</linux:partition_test>
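Review bot: The new `<reference source="MED" ref_id="20130820" ref_url="test_attestation" />` does not say what the attestation covers, and `ref_url` holds the bare token `test_attestation` rather than a resolvable location, so a reader of the OVAL file cannot tell whether this records a manual test, a date, or a pointer to a test case. If this is the project's convention for "manually evaluated on date ref_id", an XML comment above the element such as `<!-- MED: date this check was manually tested against a configured host; ref_url is a marker, not a link -->` would make the intent explicit. The same element is added in the noexec hunk (L57) and the nosuid hunk (L106), both with `ref_id="20130821"` while this file carries `20130820`; if `ref_id` is the test date the difference is presumably intentional, but it is worth confirming since the three checks are otherwise identical in structure. Lines in this hunk appear to have been re-wrapped by the mail client, so the indentation of the `<linux:partition_test>` attributes on the new side may not reflect what was committed.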
@@ -21,6 +23,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_nodev"
version="1">
- <linux:mount_options datatype="string" entity_check="at least
one"
operation="equals">nodev</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least
one"
+ operation="equals">nodev</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
b/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
index 25ac4fb..825f761 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_noexec.xml
@@ -5,15 +5,18 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>It can be dangerous to allow the execution of binaries
- from world-writable temporary storage directories such as /dev/shm.
- The noexec mount option prevents binaries from being executed out
of /dev/shm.</description>
+ <description>It can be dangerous to allow the execution of binaries
from
+ world-writable temporary storage directories such as /dev/shm. The
noexec
+ mount option prevents binaries from being executed out of
+ /dev/shm.</description>
+ <reference source="MED" ref_id="20130821"
ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="noexec on /dev/shm"
test_ref="test_noexec_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist"
id="test_noexec_dev_shm" version="1" comment="noexec on
/dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_noexec_dev_shm" version="1" comment="noexec on
/dev/shm">
<linux:object object_ref="object_dev_shm_partition_noexec" />
<linux:state state_ref="state_dev_shm_noexec" />
</linux:partition_test>
@@ -21,6 +24,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_noexec"
version="1">
- <linux:mount_options datatype="string" entity_check="at least
one"
operation="equals">noexec</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least
one"
+ operation="equals">noexec</linux:mount_options>
</linux:partition_state>
</def-group>
diff --git a/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
b/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
index e7c517d..2bc1463 100644
--- a/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
+++ b/RHEL6/input/checks/mount_option_dev_shm_nosuid.xml
@@ -5,15 +5,17 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The nosuid mount option should be set for temporary
- storage partitions such as /dev/shm. The suid/sgid permissions
- should not be required in these world-writable
directories.</description>
+ <description>The nosuid mount option should be set for temporary
storage
+ partitions such as /dev/shm. The suid/sgid permissions should not be
+ required in these world-writable directories.</description>
+ <reference source="MED" ref_id="20130821"
ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="nosuid on /dev/shm"
test_ref="test_nosuid_dev_shm" />
</criteria>
</definition>
- <linux:partition_test check="all" check_existence="all_exist"
id="test_nosuid_dev_shm" version="1" comment="nosuid on
/dev/shm">
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test_nosuid_dev_shm" version="1" comment="nosuid on
/dev/shm">
<linux:object object_ref="object_dev_shm_partition_nosuid" />
<linux:state state_ref="state_dev_shm_nosuid" />
</linux:partition_test>
@@ -21,6 +23,7 @@
<linux:mount_point>/dev/shm</linux:mount_point>
</linux:partition_object>
<linux:partition_state id="state_dev_shm_nosuid"
version="1">
- <linux:mount_options datatype="string" entity_check="at least
one"
operation="equals">nosuid</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least
one"
+ operation="equals">nosuid</linux:mount_options>
</linux:partition_state>
</def-group>
--
1.7.1