Just an aside, I did some poking around, and it is possible to
eliminate directories from the search. I looked at the USGCB content
and here's what I put together for file_permissions_unowned.xml in
OVAL to eliminate /proc. I can do the same for the group id version.
To add more exclusions, add a '|' after proc followed by another
directory path. It doesn't seem to care whether you escape the forward
slashes, but I left that in just in case the behavior changes later.
If anyone does figure out how to query PAM or nslcd/nscd for network
user ids, I think you can add it as an extra filter option to the
file_permissions_unowned_object.
Please note, I have not gotten a single failure with this check
against /proc. I get thousands of failures on my workstation, since
I have large git repositories checked out to directories owned by my
network account on the root hard drive.
<def-group>
<!-- Compliance definition: a single criterion pointing at
     file_permissions_unowned_test below. -->
<definition class="compliance"
id="file_permissions_unowned" version="1">
<metadata>
<title>Find files unowned by a
user</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux
6</platform>
</affected>
<description>All files should be owned by a
user</description>
</metadata>
<criteria>
<criterion comment="Check all files and make
sure they are owned by a user"
test_ref="file_permissions_unowned_test" />
</criteria>
</definition>
<!-- State: a file matches when its numeric owner uid equals at least one
     entry of the file_permissions_unowned_userid_list variable. -->
<unix:file_state
id="file_permissions_unowned_userid_list_match" version="1">
<unix:user_id var_check="at least one"
var_ref="file_permissions_unowned_userid_list" datatype="int"
/>
</unix:file_state>
<!-- Variable: the list of known uids, taken from the capture group
     (subexpression) of every /etc/passwd line matched by the object below.
     Only /etc/passwd is read, so accounts resolved through other NSS
     sources (e.g. the nslcd/nscd network accounts mentioned in the
     message) are not in this list and files they own will be reported. -->
<local_variable
id="file_permissions_unowned_userid_list" comment="List of valid
user ids" datatype="int" version="1">
<object_component item_field="subexpression"
object_ref="file_permissions_unowned_userid_list_object" />
</local_variable>
<!-- Object: every line of /etc/passwd; the pattern's single capture group is
     the third colon-separated field (the uid). instance >= 1 selects all
     matching lines rather than only the first. -->
<ind:textfilecontent54_object
id="file_permissions_unowned_userid_list_object" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern
match">^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern>
<ind:instance operation="greater than or equal"
datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<!-- Object: walk down from / across local file systems, following symlinks
     and directories. The filepath pattern uses a negative lookahead to drop
     any path beginning with "/proc". NOTE(review): as written the lookahead
     also drops any other top-level name that starts with "proc"; anchoring
     it as ^(?!/proc(/|$))/ would limit the exclusion to /proc itself.
     The exclude filter then removes files whose owner uid is in the
     passwd-derived list, leaving only files with an unknown owner. -->
<unix:file_object comment="all local files"
id="file_permissions_unowned_object" version="1">
<unix:behaviors recurse="symlinks and
directories" recurse_direction="down" recurse_file_system="local"
/>
<unix:filepath operation="pattern
match">^(?!\/proc)/</unix:filepath>
<filter
action="exclude">file_permissions_unowned_userid_list_match</filter>
</unix:file_object>
<!-- Test: check_existence="none_exist" means the test passes only when the
     filtered object collects no items, i.e. no file has an unknown owner. -->
<unix:file_test check="all"
check_existence="none_exist" comment="Check user ids on all files
on the system" id="file_permissions_unowned_test" version="1">
<unix:object
object_ref="file_permissions_unowned_object" />
</unix:file_test>
</def-group>
- Maura Dailey