>From 154b1aed6de0628abb37c7848cd174a1175cdef2 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 17 Apr 2013 05:47:18 -0400
Subject: [PATCH] Ticket 396: Created OVAL for file_ownership_library_dirs
 - Created OVAL
 - Updated XCCDF rule to reflect

Testing:
[root@rhel6 checks]# chown shawn /lib/modules/2.6.32-*
[root@rhel6 checks]# ./testcheck.py file_ownership_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelaqFW7F.xml
Definition oval:scap-security-guide.testing:def:106: false
Evaluation done.
[root@rhel6 checks]# chown root /lib/modules/2.6.32-*
[root@rhel6 checks]# ./testcheck.py file_ownership_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelOvly_8.xml
Definition oval:scap-security-guide.testing:def:106: true
Evaluation done.
---
 RHEL6/input/checks/file_ownership_library_dirs.xml |  140 ++++++++++++++++++++
 RHEL6/input/system/permissions/files.xml           |    2 +-
 2 files changed, 141 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml

diff --git a/RHEL6/input/checks/file_ownership_library_dirs.xml b/RHEL6/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..e68ec20
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,140 @@
+<def-group>
+  <definition class="compliance" id="file_ownership_etc_skel" version="1">
+    <metadata>
+      <title>Verify that Shared Library Files Have Root Ownership</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_ownership_lib_dir" />
+      <criterion test_ref="test_ownership_lib_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib directories uid root" id="test_ownership_lib_dir" version="1">
+    <unix:object object_ref="object_lib_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib files uid root" id="test_ownership_lib_files" version="1">
+    <unix:object object_ref="object_lib_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib directories" id="object_lib_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib files" id="object_lib_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib64 directories uid root" id="test_ownership_lib64_dir" version="1">
+    <unix:object object_ref="object_lib64_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib64 files uid root" id="test_ownership_lib64_files" version="1">
+    <unix:object object_ref="object_lib64_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib64 directories" id="object_lib64_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib64</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib64 files" id="object_lib64_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib64</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib directories uid root" id="test_ownership_usr_lib_dir" version="1">
+    <unix:object object_ref="object_usr_lib_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib files uid root" id="test_ownership_usr_lib_files" version="1">
+    <unix:object object_ref="object_usr_lib_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/lib directories" id="object_usr_lib_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/lib files" id="object_usr_lib_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>  
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 directories uid root" id="test_ownership_usr_lib64_dir" version="1">
+    <unix:object object_ref="object_usr_lib64_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 files uid root" id="test_ownership_usr_lib64_files" version="1">
+    <unix:object object_ref="object_usr_lib64_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/lib64 directories" id="object_usr_lib64_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib64</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/lib64 files" id="object_usr_lib64_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib64</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules directories uid root" id="test_ownership_lib_modules_dir" version="1">
+    <unix:object object_ref="object_lib_modules_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules files uid root" id="test_ownership_lib_modules_files" version="1">
+    <unix:object object_ref="object_lib_modules_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib/modules directories" id="object_lib_modules_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib/modules</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib/modules files" id="object_lib_modules_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib/modules</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!--    <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
+    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+  </unix:file_state>
+</def-group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 6a9c707..21af4ea 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -251,9 +251,9 @@ space of processes (including privileged ones) or of the kernel itself at
 runtime. Proper ownership is necessary to protect the integrity of the system.
 </rationale>
 <ref nist="AC-6" disa="1499"/>
+<oval id="file_ownership_library_dirs" />
 </Rule>
 
-
 <Rule id="file_permissions_binary_dirs" severity="medium">
 <title>Verify that System Executables Have Restrictive Permissions</title>
 <description>
-- 
1.7.1