Blarg. OK, I'll resubmit the patch after some more testing. I'm not sure
what's going wrong yet.
On 09/26/2013 10:46 PM, Shawn Wells wrote:
On 9/25/13 2:49 PM, Maura Dailey wrote:
> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
> ---
> .../checks/accounts_dangerous_path_for_root.xml | 67
> +++++++++++++-------
> .../checks/accounts_root_path_dirs_no_write.xml | 59
> +++++++++---------
> 2 files changed, 74 insertions(+), 52 deletions(-)
>
> diff --git a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
> b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
> index efc4f0d..7e475c4 100644
> --- a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
> +++ b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
> @@ -5,7 +5,9 @@
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>The environment variable PATH should be set
> correctly for the root user.</description>
> + <description>The environment variable PATH should be set
> correctly for
> + the root user.</description>
> + <reference source="MED" ref_id="20130925"
> ref_url="test_attestation" />
> </metadata>
> <criteria comment="environment variable PATH contains dangerous
> path" operator="AND">
> <criterion comment="environment variable PATH starts with :
> or ." test_ref="test_env_var_begins" />
> @@ -16,50 +18,69 @@
> <criterion comment="environment variable PATH doesn't contain
> relative paths" test_ref="test_env_var_contains_relative_path" />
> </criteria>
> </definition>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH starts with : or ."
> id="test_env_var_begins" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_object
> id="object_accounts_dangerous_path_for_root"
> + version="1">
> + <ind:pid xsi:nil="true" datatype="int" />
> + <ind:name>PATH</ind:name>
> + </ind:environmentvariable58_object>
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH starts with : or ."
> + id="test_env_var_begins" version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_begins_colon_period" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH contains : twice in a row"
> id="test_env_var_contains_doublecolon" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH doesn't contain : twice in a
row"
> + id="test_env_var_contains_doublecolon" version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_contains_double_colon" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH contains . twice in a row"
> id="test_env_var_contains_doubleperiod" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH doesn't contain . twice in a
row"
> + id="test_env_var_contains_doubleperiod" version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_contains_double_period" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH ends with : or ."
> id="test_env_var_ends" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH ends with : or ."
> id="test_env_var_ends"
> + version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_ends_colon_period" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH starts with an absolute path /"
> id="test_env_var_begins_slash" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH starts with an absolute path /"
> + id="test_env_var_begins_slash" version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_begins_slash" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_test check="none satisfy"
> comment="environment variable PATH contains relative paths"
> id="test_env_var_contains_relative_path" version="1">
> - <ind:object object_ref="object_env_var_path" />
> + <ind:environmentvariable58_test check="none satisfy"
> + comment="environment variable PATH contains relative paths"
> + id="test_env_var_contains_relative_path" version="1">
> + <ind:object object_ref="object_accounts_dangerous_path_for_root"
/>
> <ind:state state_ref="state_contains_relative_path" />
> </ind:environmentvariable58_test>
> - <ind:environmentvariable58_object id="object_env_var_path"
> version="1">
> - <ind:pid xsi:nil="true" datatype="int" />
> - <ind:name>PATH</ind:name>
> - </ind:environmentvariable58_object>
> - <ind:environmentvariable58_state comment="starts with colon or
> period" id="state_begins_colon_period" version="1">
> + <ind:environmentvariable58_state comment="starts with colon or
> period"
> + id="state_begins_colon_period" version="1">
> <ind:value operation="pattern match">^[:\.]</ind:value>
> </ind:environmentvariable58_state>
> - <ind:environmentvariable58_state comment="colon twice in a row"
> id="state_contains_double_colon" version="1">
> + <ind:environmentvariable58_state comment="colon twice in a row"
> + id="state_contains_double_colon" version="1">
> <ind:value operation="pattern match">::</ind:value>
> </ind:environmentvariable58_state>
> - <ind:environmentvariable58_state comment="period twice in a row"
> id="state_contains_double_period" version="1">
> + <ind:environmentvariable58_state comment="period twice in a row"
> + id="state_contains_double_period" version="1">
> <ind:value operation="pattern match">\.\.</ind:value>
> </ind:environmentvariable58_state>
> - <ind:environmentvariable58_state comment="ends with colon or
> period" id="state_ends_colon_period" version="1">
> + <ind:environmentvariable58_state comment="ends with colon or period"
> + id="state_ends_colon_period" version="1">
> <ind:value operation="pattern match">[:\.]$</ind:value>
> </ind:environmentvariable58_state>
> - <ind:environmentvariable58_state comment="begins with a slash"
> id="state_begins_slash" version="1">
> + <ind:environmentvariable58_state comment="begins with a slash"
> + id="state_begins_slash" version="1">
> <ind:value operation="pattern match">^[^/]</ind:value>
> </ind:environmentvariable58_state>
> - <ind:environmentvariable58_state comment="elements begin with a
> slash" id="state_contains_relative_path" version="1">
> + <ind:environmentvariable58_state comment="elements begin with a
> slash"
> + id="state_contains_relative_path" version="1">
> <ind:value operation="pattern
match">[^\\]:[^/]</ind:value>
> </ind:environmentvariable58_state>
> </def-group>
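Review bot: The new `environmentvariable58_object` at the top of the hunk sets `pid xsi:nil="true"`, which as I read OVAL 5.8 makes the collector read the PATH of the OVAL interpreter process itself rather than root's configured login PATH, so the verdict depends on how the scanner is launched: a cron or sudo run with a sanitized environment can pass while /root/.bash_profile still prepends `.`. Worth a comment on the object, e.g. `<!-- nil pid: PATH of the scanner process, not root's profile; run the scan from a root login shell -->`, or a companion check against root's profile files. Separately, the test comments now mix two conventions: `test_env_var_contains_doublecolon` says "doesn't contain : twice in a row" (the pass condition) while `test_env_var_begins` still says "starts with : or ." and `test_env_var_begins_slash` says "starts with an absolute path /" (the state) even though its state `^[^/]` matches a PATH that does not start with a slash; pick one, and since the criteria already read "contains dangerous path", describing the state is the simpler choice. Note also that `^[^/]` already catches a leading `:` or `.`, so `test_env_var_begins` is redundant with it under the AND; harmless, but a comment saying so would save the next reader the check.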
Ack!
> diff --git a/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
> b/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
> index d0a20d3..cf5c09d 100644
> --- a/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
> +++ b/RHEL6/input/checks/accounts_root_path_dirs_no_write.xml
> @@ -1,6 +1,5 @@
> <def-group>
> - <definition class="compliance"
id="accounts_root_path_dirs_no_write"
> - version="1">
> + <definition class="compliance"
> id="accounts_root_path_dirs_no_write" version="1">
> <metadata>
> <title>Write permissions are disabled for group and other in all
> directories in Root's Path</title>
> @@ -9,50 +8,52 @@
> </affected>
> <description>Check each directory in root's path and make use
> it does not
> grant write permission to group and other</description>
> + <reference source="MED" ref_id="20130925"
> ref_url="test_attestation" />
> </metadata>
> - <criteria comment="Check that write permission to group and
> other in root's path is denied"
> - negate="true" operator="OR">
> - <criterion comment="Check for write permission to group in
> root's path"
> - test_ref="test_accounts_root_path_dirs_no_write_group" />
> - <criterion comment="Check for write permission to other in
> root's path"
> - test_ref="test_accounts_root_path_dirs_no_write_other" />
> + <criteria comment="Check that write permission to group and
> other in root's path is denied" negate="true"
operator="OR">
> + <criterion comment="Check for write permission to group in
> root's path"
test_ref="test_accounts_root_path_dirs_no_write_group" />
> + <criterion comment="Check for write permission to other in
> root's path"
test_ref="test_accounts_root_path_dirs_no_write_other" />
> </criteria>
> </definition>
> + <ind:environmentvariable58_object
> id="object_accounts_root_path_dirs_no_write_pathenv"
version="1">
> + <ind:pid xsi:nil="true" datatype="int" />
> + <ind:name>PATH</ind:name>
> + </ind:environmentvariable58_object>
> + <local_variable comment="Split the PATH on the : delimiter"
> datatype="string"
> + id="var_accounts_root_path_dirs_no_write" version="1">
> + <split delimiter=":">
> + <object_component item_field="value"
> + object_ref="object_accounts_root_path_dirs_no_write_pathenv" />
> + </split>
> + </local_variable>
> <unix:file_test check="all" check_existence="any_exist"
> comment="Check that write permission to group in root's path is
> denied"
> id="test_accounts_root_path_dirs_no_write_group"
version="1">
> - <unix:object
> object_ref="object_accounts_root_path_dirs_no_write" />
> - <unix:state
> state_ref="state_accounts_root_path_dirs_no_write_group" />
> + <unix:object
> object_ref="object_accounts_root_path_dirs_no_write_group" />
> </unix:file_test>
> <unix:file_state comment="Group has write privilege"
> id="state_accounts_root_path_dirs_no_write_group"
version="1">
> - <unix:gwrite datatype="boolean">1</unix:gwrite>
> + <unix:gwrite datatype="boolean">true</unix:gwrite>
> </unix:file_state>
> - <unix:file_object
>
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> - comment="root's PATH"
id="object_accounts_root_path_dirs_no_write"
> - version="1">
> - <unix:path var_ref="var_accounts_root_path_dirs_no_write" />
> + <unix:file_object comment="root's PATH"
> + id="object_accounts_root_path_dirs_no_write_group"
version="1">
> + <unix:path var_ref="var_accounts_root_path_dirs_no_write"
> var_check="at least one" />
> <unix:filename xsi:nil="true" />
> + <filter
>
action="include">state_accounts_root_path_dirs_no_write_group</filter>
> </unix:file_object>
> - <local_variable comment="Split the PATH on the : delimiter"
> datatype="string"
> - id="var_accounts_root_path_dirs_no_write" version="1">
> - <split delimiter=":">
> - <object_component item_field="value"
> - object_ref="object_accounts_root_path_dirs_no_write_pathenv" />
> - </split>
> - </local_variable>
> - <ind:environmentvariable_object
> id="object_accounts_root_path_dirs_no_write_pathenv"
> - version="1">
> - <ind:name>PATH</ind:name>
> - </ind:environmentvariable_object>
> <unix:file_test check="all" check_existence="any_exist"
> comment="Check that write permission to other in root's path is
> denied"
> id="test_accounts_root_path_dirs_no_write_other"
version="1">
> - <unix:object
> object_ref="object_accounts_root_path_dirs_no_write" />
> - <unix:state
> state_ref="state_accounts_root_path_dirs_no_write_other" />
> + <unix:object
> object_ref="object_accounts_root_path_dirs_no_write_other" />
> </unix:file_test>
> <unix:file_state comment="Other has write privilege"
> id="state_accounts_root_path_dirs_no_write_other"
version="1">
> - <unix:owrite datatype="boolean">1</unix:owrite>
> + <unix:owrite datatype="boolean">true</unix:owrite>
> </unix:file_state>
> + <unix:file_object comment="root's PATH"
> + id="object_accounts_root_path_dirs_no_write_other"
version="1">
> + <unix:path var_ref="var_accounts_root_path_dirs_no_write"
> var_check="at least one" />
> + <unix:filename xsi:nil="true" />
> + <filter
>
action="include">state_accounts_root_path_dirs_no_write_other</filter>
> + </unix:file_object>
> </def-group>
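Review bot: Both `unix:file_test` elements keep `check_existence="any_exist"` while the hunk removes their `<unix:state>` and moves the state into an object `<filter>`, so each test now evaluates existence only, and `any_exist` is satisfied by zero items; as I read the OVAL existence semantics each test is therefore true on a clean system, and with `negate="true"` on the OR criteria the definition is always false, which matches the `false` result reported below for a PATH of `/sbin:/bin:/usr/sbin:/usr/bin` whose directories are all dr-xr-xr-x. Change the two attributes to `check_existence="at_least_one_exists"` so a test is true only when a group- or other-writable PATH directory actually exists (or use `none_exist` and drop the negate, which reads more directly). The object's `unix:path` comes from the PATH of the scanner process (nil pid), so the scan must run with root's real PATH for the result to mean anything; a comment on `object_accounts_root_path_dirs_no_write_pathenv` saying so would help. The description's context line "make use it does not" should read "make sure it does not".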
This kept failing when I tested it:
[root@SSG-RHEL6 checks]# ./testcheck.py
accounts_root_path_dirs_no_write.xml
Evaluating with OVAL tempfile :
/tmp/accounts_root_path_dirs_no_writePF9qcC.xml
Writing results to :
/tmp/accounts_root_path_dirs_no_writePF9qcC.xml-results
Definition oval:scap-security-guide.testing:def:198: false
Evaluation done.
[root@SSG-RHEL6 checks]# echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin
[root@SSG-RHEL6 checks]# ll / | grep bin
dr-xr-xr-x. 2 root root 4096 Sep 6 19:50 bin
dr-xr-xr-x. 2 root root 12288 Sep 6 19:50 sbin
[root@SSG-RHEL6 checks]# ll /usr/ | grep bin
dr-xr-xr-x. 2 root root 32768 Sep 11 21:27 bin
dr-xr-xr-x. 2 root root 12288 Sep 15 22:06 sbin