>From 3e533c3189779d0015d9bb29a1741adf2b47154b Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 19 Apr 2013 22:50:46 -0400
Subject: [PATCH 1/2] (resubmit) Ticket 396 - OVAL needed for file_ownership_library_dirs
  - Created OVAL
  - Updated XCCDF rule to reflect
  - Ensured all test_ref's were called out

[shawn@rhel6 checks]$ ./testcheck.py file_ownership_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelssTK5P.xml
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
[shawn@rhel6 checks]$ su -
Password:
Last login: Wed Apr 17 05:58:32 EDT 2013 on pts/0
[root@rhel6 ~]# chown -R root /lib /lib64/ /usr/lib/ /usr/lib64/ /lib/modules/
[root@rhel6 ~]# exit
logout
[shawn@rhel6 checks]$ ./testcheck.py file_ownership_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_etc_skelPyCa24.xml
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
---
 RHEL6/input/checks/file_ownership_library_dirs.xml |  148 ++++++++++++++++++++
 RHEL6/input/system/permissions/files.xml           |    2 +-
 2 files changed, 149 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml

diff --git a/RHEL6/input/checks/file_ownership_library_dirs.xml b/RHEL6/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..8b5f282
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,148 @@
+<def-group>
+  <definition class="compliance" id="file_ownership_etc_skel" version="1">
+    <metadata>
+      <title>Verify that Shared Library Files Have Root Ownership</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_ownership_lib_dir" />
+      <criterion test_ref="test_ownership_lib64_dir" />
+      <criterion test_ref="test_ownership_usr_lib_dir" />
+      <criterion test_ref="test_ownership_usr_lib64_dir" />
+      <criterion test_ref="test_ownership_lib_modules_dir" />
+      <criterion test_ref="test_ownership_lib_files" />
+      <criterion test_ref="test_ownership_lib64_files" />
+      <criterion test_ref="test_ownership_usr_lib_files" />
+      <criterion test_ref="test_ownership_usr_lib64_files" />
+      <criterion test_ref="test_ownership_lib_modules_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib directories uid root" id="test_ownership_lib_dir" version="1">
+    <unix:object object_ref="object_lib_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib files uid root" id="test_ownership_lib_files" version="1">
+    <unix:object object_ref="object_lib_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib directories" id="object_lib_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib files" id="object_lib_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib64 directories uid root" id="test_ownership_lib64_dir" version="1">
+    <unix:object object_ref="object_lib64_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib64 files uid root" id="test_ownership_lib64_files" version="1">
+    <unix:object object_ref="object_lib64_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib64 directories" id="object_lib64_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib64</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib64 files" id="object_lib64_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib64</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib directories uid root" id="test_ownership_usr_lib_dir" version="1">
+    <unix:object object_ref="object_usr_lib_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib files uid root" id="test_ownership_usr_lib_files" version="1">
+    <unix:object object_ref="object_usr_lib_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/lib directories" id="object_usr_lib_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/lib files" id="object_usr_lib_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>  
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 directories uid root" id="test_ownership_usr_lib64_dir" version="1">
+    <unix:object object_ref="object_usr_lib64_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/usr/lib64 files uid root" id="test_ownership_usr_lib64_files" version="1">
+    <unix:object object_ref="object_usr_lib64_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/usr/lib64 directories" id="object_usr_lib64_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib64</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/usr/lib64 files" id="object_usr_lib64_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/usr/lib64</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules directories uid root" id="test_ownership_lib_modules_dir" version="1">
+    <unix:object object_ref="object_lib_modules_dir" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="/lib/modules files uid root" id="test_ownership_lib_modules_files" version="1">
+    <unix:object object_ref="object_lib_modules_files" />
+    <unix:state state_ref="state_owner_not_root" />
+  </unix:file_test>
+
+  <unix:file_object comment="/lib/modules directories" id="object_lib_modules_dir" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib/modules</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="/lib/modules files" id="object_lib_modules_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+    <unix:path operation="equals">/lib/modules</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_owner_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!--    <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
+    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+  </unix:file_state>
+</def-group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index 6a9c707..21af4ea 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -251,9 +251,9 @@ space of processes (including privileged ones) or of the kernel itself at
 runtime. Proper ownership is necessary to protect the integrity of the system.
 </rationale>
 <ref nist="AC-6" disa="1499"/>
+<oval id="file_ownership_library_dirs" />
 </Rule>
 
-
 <Rule id="file_permissions_binary_dirs" severity="medium">
 <title>Verify that System Executables Have Restrictive Permissions</title>
 <description>
-- 
1.7.1