I was absolutely doing the 'find' check to see why this item failed, as that was the guidance I saw listed in the <check-content> tags for both the no_files_unowned_by_user and no_files_unowned_by_group Rules, which I assumed (perhaps naively) was actually being done. I started triaging this because the scans run by oscap with the SSG content were indicating a problem, but Security Blanket (which isn't using find) was saying all was well. I started digging around to find out why.

-Rob


From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Andrew Gilmore [agilmore2@gmail.com]
Sent: Tuesday, July 23, 2013 4:31 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: Suggestion on the 'Ensure All Files Are Owned...' items


I, along with Robert, assumed that the test was using some sort of find(1) invocation. It appears not to be, although this OVAL is pretty opaque to me.

When I see the current check failing against my system, I then run a find command, and the only output is complaints about /proc entries. I then assumed that this output was why the check was failing.

I can confirm that this check does fail against my system, or at least that testcheck returns false. The results file points at /.autofsck and /.readahead_collect, which doesn't make sense at all.

This is one of the more frustrating false positives that I have.

Andrew



On Tue, Jul 23, 2013 at 1:47 PM, Maura Dailey <maura@eclipse.ncsc.mil> wrote:
Just an aside, I did some poking around, and it is possible to eliminate directories from the search. I looked at the USGCB stuff and here's what I put together for file_permissions_unowned.xml in OVAL to eliminate /proc. I can do the same for the group id version. To add more exclusions, add an '|' after proc, and type in another directory path. It doesn't seem to care if you escape the forward slashes, but I left that in just in case the behavior changes later.

If anyone does figure out how to query PAM or nslcd/nscd for network user ids, I think you can add it as an extra filter option to the file_permissions_unowned_object.

Please note, I have not gotten a single failure with this check against /proc. I get thousands of failures on my workstation, since I have large git repositories checked out to directories owned by my network account on the root hard drive.

<def-group>
  <definition class="compliance" id="file_permissions_unowned" version="1">
    <metadata>
      <title>Find files unowned by a user</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>All files should be owned by a user</description>
    </metadata>
    <criteria>
      <criterion comment="Check all files and make sure they are owned by a user" test_ref="file_permissions_unowned_test" />
    </criteria>
  </definition>

  <unix:file_state id="file_permissions_unowned_userid_list_match" version="1">
    <unix:user_id var_check="at least one" var_ref="file_permissions_unowned_userid_list" datatype="int" />
  </unix:file_state>

  <local_variable id="file_permissions_unowned_userid_list" comment="List of valid user ids" datatype="int" version="1">
    <object_component item_field="subexpression" object_ref="file_permissions_unowned_userid_list_object" />
  </local_variable>

  <!-- Collect the uid (third field) of every /etc/passwd line; the capture group
       feeds the local_variable above. -->
  <ind:textfilecontent54_object id="file_permissions_unowned_userid_list_object" version="1">
    <ind:filepath>/etc/passwd</ind:filepath>
    <ind:pattern operation="pattern match">^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern>
    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <!-- Every inode on local filesystems whose path does not start with /proc.
       The negative lookahead is a prefix test, so a directory named e.g.
       /procmail would be skipped as well; extend it as (?!\/proc|\/sys) for
       further exclusions. The filter removes items owned by a uid in the list,
       so only unowned files are left in the collected set. -->
  <unix:file_object comment="all local files" id="file_permissions_unowned_object" version="1">
    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" recurse_file_system="local" />
    <unix:filepath operation="pattern match">^(?!\/proc)/</unix:filepath>
    <filter action="exclude">file_permissions_unowned_userid_list_match</filter>
  </unix:file_object>

  <!-- none_exist: the test passes only if the filtered object collects nothing. -->
  <unix:file_test check="all" check_existence="none_exist" comment="Check user ids on all files on the system" id="file_permissions_unowned_test" version="1">
    <unix:object object_ref="file_permissions_unowned_object" />
  </unix:file_test>
</def-group>

- Maura Dailey
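As an added illustration (not SSG's, OpenSCAP's or Maura's code), the Python below re-implements the logic of the OVAL check above so the two sources of the false positives discussed in this thread can be seen directly: the set of valid uids is built from /etc/passwd alone, so files owned by a network (LDAP via nslcd/nscd) account are reported, and /proc has to be excluded explicitly. The function names, the constructed passwd lines and the sample entries are mine. `uid_known_to_nss` shows one answer to the question of how to consult nslcd/nscd: `pwd.getpwuid` resolves through the NSS stack configured in nsswitch.conf, so any uid the directory can name is accepted. `walk_local` stays on the device of the starting directory, the `find -xdev` behaviour, which is narrower than the OVAL's `recurse_file_system="local"` (that only skips network filesystems).

```python
"""Re-implementation of the 'files owned by a valid user' check, for comparison
with the OVAL above and with find(1) -nouser. Added example, not project code."""
import os
import pwd
import re
from typing import Iterable, Iterator, List, Set, Tuple

# Same regex as the OVAL textfilecontent54_object above; group 1 is the uid field.
PASSWD_UID_RE = re.compile(r"^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$")

# Pseudo-filesystems whose inodes only generate noise (the OVAL excludes /proc
# with the (?!\/proc) lookahead); extend this tuple as Maura describes.
EXCLUDED_PREFIXES: Tuple[str, ...] = ("/proc",)


def uids_from_passwd(passwd_text: str) -> Set[int]:
    """Uids present in passwd-format text: the local-only view the OVAL
    local_variable builds from /etc/passwd."""
    uids: Set[int] = set()
    for line in passwd_text.splitlines():
        m = PASSWD_UID_RE.match(line)
        if m:
            uids.add(int(m.group(1)))
    return uids


def uid_known_to_nss(uid: int) -> bool:
    """Resolve a uid through NSS (nsswitch.conf), so accounts served by
    nslcd/nscd/sssd count as valid owners, not only /etc/passwd entries."""
    try:
        pwd.getpwuid(uid)
    except KeyError:
        return False
    return True


def is_excluded(path: str, prefixes: Tuple[str, ...] = EXCLUDED_PREFIXES) -> bool:
    """Exclude whole path components: /proc and /proc/1 match, /procmail does not."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def walk_local(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, uid) for every inode under root, never following symlinks
    and staying on root's device (the find -xdev behaviour)."""
    root_dev = os.lstat(root).st_dev
    yield root, os.lstat(root).st_uid
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if is_excluded(full) or st.st_dev != root_dev:
                continue  # pruned: neither descended into nor reported
            yield full, st.st_uid
            keep.append(name)
        dirnames[:] = keep  # in-place edit is how os.walk prunes
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_uid
            except OSError:
                continue  # vanished between listing and stat


def unowned(entries: Iterable[Tuple[str, int]], valid_uids: Set[int],
            consult_nss: bool = False) -> List[str]:
    """Paths whose owner is not a known user. consult_nss=False reproduces the
    OVAL (local /etc/passwd only) and so flags files owned by network accounts;
    consult_nss=True also accepts any uid the NSS resolver can name."""
    return [
        path for path, uid in entries
        if not is_excluded(path)
        and uid not in valid_uids
        and not (consult_nss and uid_known_to_nss(uid))
    ]


# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
)
SAMPLE_ENTRIES = [
    ("/etc/passwd", 0),
    ("/proc/1/status", 0),
    ("/home/maura/repo/.git/config", 10001),  # uid from the directory, not passwd
    ("/usr/bin/ls", 0),
]


def check_host(root: str = "/", consult_nss: bool = False) -> List[str]:
    """Run the check for real against a mounted tree (root needed to see it all)."""
    with open("/etc/passwd", encoding="utf-8", errors="replace") as fh:
        valid = uids_from_passwd(fh.read())
    return unowned(walk_local(root), valid, consult_nss)


if __name__ == "__main__":
    import sys
    for found in check_host(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(found)
```

Running `check_host()` with the default `consult_nss=False` against a workstation like Maura's yields the same thousands of hits as the OVAL, all under directories owned by the network account; with `consult_nss=True` on a host whose nsswitch.conf points at LDAP those disappear, which is the check the SSG content cannot express with a /etc/passwd-derived variable.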

_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide