Just an aside, I did some poking around, and it is possible to eliminate directories from the search. I looked at the USGCB stuff and here's what I put together for file_permissions_unowned.xml in OVAL to eliminate /proc. I can do the same for the group id version. To add more exclusions, add a '|' after proc, and type in another directory path. It doesn't seem to care if you escape the forward slashes, but I left that in just in case the behavior changes later.

If anyone does figure out how to query PAM or nslcd/nscd for network user ids, I think you can add it as an extra filter option to the file_permissions_unowned_object.

Please note, I have not gotten a single failure with this check against /proc. I get thousands of failures on my workstation, since I have large git repositories checked out to directories owned by my network account on the root hard drive.

<def-group>
  <definition class="compliance" id="file_permissions_unowned" version="1">
    <metadata>
      <title>Find files unowned by a user</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>All files should be owned by a user</description>
    </metadata>
    <criteria>
      <criterion comment="Check all files and make sure they are owned by a user" test_ref="file_permissions_unowned_test" />
    </criteria>
  </definition>

  <unix:file_state id="file_permissions_unowned_userid_list_match" version="1">
    <unix:user_id var_check="at least one" var_ref="file_permissions_unowned_userid_list" datatype="int" />
  </unix:file_state>

  <local_variable id="file_permissions_unowned_userid_list" comment="List of valid user ids" datatype="int" version="1">
    <object_component item_field="subexpression" object_ref="file_permissions_unowned_userid_list_object" />
  </local_variable>

  <ind:textfilecontent54_object id="file_permissions_unowned_userid_list_object" version="1">
    <ind:filepath>/etc/passwd</ind:filepath>
    <ind:pattern operation="pattern match">^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern>
    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <unix:file_object comment="all local files" id="file_permissions_unowned_object" version="1">
    <unix:behaviors recurse="symlinks and directories" recurse_direction="down" recurse_file_system="local" />
    <unix:filepath operation="pattern match">^(?!\/proc)/</unix:filepath>
    <filter action="exclude">file_permissions_unowned_userid_list_match</filter>
  </unix:file_object>

  <unix:file_test check="all" check_existence="none_exist" comment="Check user ids on all files on the system" id="file_permissions_unowned_test" version="1">
    <unix:object object_ref="file_permissions_unowned_object" />
  </unix:file_test>
</def-group>

- Maura Dailey
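The same check, written out in Python as an added example (this is not part of the post or the USGCB content): it reuses the two regular expressions from the OVAL above, builds the valid-uid list from passwd content the way the local_variable does, and applies the exclusion pattern and the "uid not in list" filter. It also shows the caveat hidden in the lookahead: `^(?!\/proc)/` tests a string prefix, not a path component, so a top-level directory such as `/processed` is excluded along with `/proc`. The `resolvable_via_nss` helper is an assumption about how one might approach the network-user question raised above: `pwd.getpwuid` goes through the system's NSS configuration, so it can resolve accounts that a raw read of /etc/passwd misses. The sample passwd text and the paths in the test are constructed.

```python
import os
import pwd
import re
import sys
from typing import Iterable, Iterator, List, Set, Tuple

# Same regex as the OVAL <unix:filepath> element. Add prefixes with '|'
# as the post describes, e.g. r"^(?!\/proc|\/sys)/". Note it is a prefix
# test: "/processed/x" is excluded too, because it starts with "/proc".
PATH_PATTERN = re.compile(r"^(?!\/proc)/")

# Same regex as the OVAL <ind:pattern>; group 1 is the numeric uid.
PASSWD_PATTERN = re.compile(r"^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$")

# Constructed sample passwd content, used so the example runs offline.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
this line is malformed and must be ignored
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
"""


def is_searched(path: str) -> bool:
    """True when the OVAL filepath pattern would include this path."""
    return PATH_PATTERN.match(path) is not None


def valid_uids(passwd_text: str) -> Set[int]:
    """Mirror the local_variable: every uid captured by the pattern."""
    uids: Set[int] = set()
    for line in passwd_text.splitlines():
        m = PASSWD_PATTERN.match(line)
        if m:
            uids.add(int(m.group(1)))
    return uids


def unowned_files(entries: Iterable[Tuple[str, int]], known: Set[int]) -> List[str]:
    """Mirror the file_object filter: searched paths whose uid is not in the list."""
    return [path for path, uid in entries if is_searched(path) and uid not in known]


def resolvable_via_nss(uid: int) -> bool:
    """Assumption: ask NSS (local files, LDAP via nslcd/sssd, etc.) whether
    the uid maps to a known account. This can recognise network accounts
    that /etc/passwd alone does not list."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def walk_local(root: str = "/") -> Iterator[Tuple[str, int]]:
    """Yield (path, uid) for entries under root on the root's own filesystem
    (like recurse_file_system="local"); symlinks are not followed, unlike the
    OVAL behaviors, to avoid loops."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_dev != root_dev or not is_searched(full):
                continue  # other filesystem or excluded prefix: skip and prune
            yield full, st.st_uid
            if name in dirnames:
                keep.append(name)
        dirnames[:] = keep  # prune so excluded trees are never entered


if __name__ == "__main__":
    # Usage: python unowned.py [root]  (reads the real /etc/passwd)
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    with open("/etc/passwd") as fh:
        known = valid_uids(fh.read())
    for path in unowned_files(walk_local(start), known):
        tag = "nss-known" if resolvable_via_nss(os.lstat(path).st_uid) else "UNOWNED"
        print(f"{tag}\t{path}")
```

Running it as root over `/` reproduces the OVAL result set for the passwd-file list, while the `nss-known` tag separates files owned by network accounts from files whose uid resolves nowhere.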