On 9/28/13 8:15 PM, Shawn Wells wrote:
0001-OVAL-signoff-accounts_dangerous_path_for_root.patch
From 273fca22af9e24a42da94bbf92a64af4e3082a13 Mon Sep 17 00:00:00 2001
From: Shawn Wells<shawn(a)redhat.com>
Date: Fri, 27 Sep 2013 15:59:58 -0400
Subject: [PATCH 1/8] OVAL signoff: accounts_dangerous_path_for_root
TESTING:
[root@SSG-RHEL6 checks]# find /lib -perm /022 -type f ; find /lib64/ -perm /022 -type f ;
find /usr/lib -perm /022 -type f ; find /usr/lib64 -perm /022 -type f
[root@SSG-RHEL6 checks]# ./testcheck.py file_permissions_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_permissions_library_dirstUlHnu.xml
Writing results to : /tmp/file_permissions_library_dirstUlHnu.xml-results
Definition oval:scap-security-guide.testing:def:207: true
Evaluation done.
[root@SSG-RHEL6 checks]# chmod go+w /lib64/libacl.so.1
[root@SSG-RHEL6 checks]# ./testcheck.py file_permissions_library_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_permissions_library_dirstTWqp5.xml
Writing results to : /tmp/file_permissions_library_dirstTWqp5.xml-results
Definition oval:scap-security-guide.testing:def:207: false
Evaluation done.
---
.../checks/accounts_dangerous_path_for_root.xml | 67 +++++++++++++-------
1 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
index efc4f0d..7e475c4 100644
--- a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
+++ b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml
@@ -5,7 +5,9 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The environment variable PATH should be set correctly for the
root user.</description>
+ <description>The environment variable PATH should be set correctly for
+ the root user.</description>
+ <reference source="MED" ref_id="20130925"
ref_url="test_attestation" />
</metadata>
<criteria comment="environment variable PATH contains dangerous path"
operator="AND">
<criterion comment="environment variable PATH starts with : or ."
test_ref="test_env_var_begins" />
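Review bot: The reflowed `<description>` still says only that PATH "should be set correctly for the root user" and never names the conditions the definition actually enforces, so someone reading a failed result cannot tell from the description what was wrong; suggest `PATH for root must not begin or end with : or ., must not contain :: or .., and every element must be an absolute path.` The TESTING block in the commit message runs `testcheck.py file_permissions_library_dirs.xml` and toggles the mode of a library file, which exercises a different definition than the one this patch changes; a run of this check with a deliberately relative PATH element in the scanner's environment would be the matching evidence. The definition's `<metadata>` element opens above this hunk.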
@@ -16,50 +18,69 @@
<criterion comment="environment variable PATH doesn't contain
relative paths" test_ref="test_env_var_contains_relative_path" />
</criteria>
</definition>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH starts with : or ."
id="test_env_var_begins" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_object
id="object_accounts_dangerous_path_for_root"
+ version="1">
+ <ind:pid xsi:nil="true" datatype="int" />
+ <ind:name>PATH</ind:name>
+ </ind:environmentvariable58_object>
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH starts with : or ."
+ id="test_env_var_begins" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_begins_colon_period" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH contains : twice in a row"
id="test_env_var_contains_doublecolon" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH doesn't contain : twice in a row"
+ id="test_env_var_contains_doublecolon" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_contains_double_colon" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH contains . twice in a row"
id="test_env_var_contains_doubleperiod" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH doesn't contain . twice in a row"
+ id="test_env_var_contains_doubleperiod" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_contains_double_period" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH ends with : or ."
id="test_env_var_ends" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH ends with : or ."
id="test_env_var_ends"
+ version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_ends_colon_period" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH starts with an absolute path /"
id="test_env_var_begins_slash" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH starts with an absolute path /"
+ id="test_env_var_begins_slash" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_begins_slash" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_test check="none satisfy"
comment="environment variable PATH contains relative paths"
id="test_env_var_contains_relative_path" version="1">
- <ind:object object_ref="object_env_var_path" />
+ <ind:environmentvariable58_test check="none satisfy"
+ comment="environment variable PATH contains relative paths"
+ id="test_env_var_contains_relative_path" version="1">
+ <ind:object object_ref="object_accounts_dangerous_path_for_root" />
<ind:state state_ref="state_contains_relative_path" />
</ind:environmentvariable58_test>
- <ind:environmentvariable58_object id="object_env_var_path"
version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>PATH</ind:name>
- </ind:environmentvariable58_object>
- <ind:environmentvariable58_state comment="starts with colon or period"
id="state_begins_colon_period" version="1">
+ <ind:environmentvariable58_state comment="starts with colon or period"
+ id="state_begins_colon_period" version="1">
<ind:value operation="pattern match">^[:\.]</ind:value>
</ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="colon twice in a row"
id="state_contains_double_colon" version="1">
+ <ind:environmentvariable58_state comment="colon twice in a row"
+ id="state_contains_double_colon" version="1">
<ind:value operation="pattern match">::</ind:value>
</ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="period twice in a row"
id="state_contains_double_period" version="1">
+ <ind:environmentvariable58_state comment="period twice in a row"
+ id="state_contains_double_period" version="1">
<ind:value operation="pattern match">\.\.</ind:value>
</ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="ends with colon or period"
id="state_ends_colon_period" version="1">
+ <ind:environmentvariable58_state comment="ends with colon or period"
+ id="state_ends_colon_period" version="1">
<ind:value operation="pattern match">[:\.]$</ind:value>
</ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="begins with a slash"
id="state_begins_slash" version="1">
+ <ind:environmentvariable58_state comment="begins with a slash"
+ id="state_begins_slash" version="1">
<ind:value operation="pattern match">^[^/]</ind:value>
</ind:environmentvariable58_state>
- <ind:environmentvariable58_state comment="elements begin with a slash"
id="state_contains_relative_path" version="1">
+ <ind:environmentvariable58_state comment="elements begin with a slash"
+ id="state_contains_relative_path" version="1">
<ind:value operation="pattern match">[^\\]:[^/]</ind:value>
</ind:environmentvariable58_state>
</def-group>
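Review bot: The comments on the `check="none satisfy"` tests are now inconsistent: the double-colon and double-period tests were reworded to the compliant condition (`doesn't contain : twice in a row`), while `test_env_var_begins` and `test_env_var_ends` keep `starts with : or .` and `ends with : or .`, and the two state comments `begins with a slash` and `elements begin with a slash` describe the opposite of their patterns, since `^[^/]` and `[^\\]:[^/]` match a PATH element that does not begin with `/`. Suggest `comment="does not begin with a slash"` and `comment="an element does not begin with a slash"` on those two states, and one convention (describe the dangerous condition, or describe the compliant one) for every test comment. The new object `object_accounts_dangerous_path_for_root` keeps `<ind:pid xsi:nil="true" datatype="int" />`; as I read the environmentvariable58 semantics, a nil pid resolves the environment of the scanner's own process rather than root's configured login PATH, which is worth stating in the description so results are not over-interpreted. An empty or unset PATH value matches none of the six states and therefore evaluates as compliant; if that is intended it should be noted, otherwise an existence check on the object is missing.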
-- 1.7.1
Shawn Wells 10:53
patches sent
Dave 10:55
Looks awesome, ack to all. I hesitate to ack now (don't have access to
work address)
Shawn Wells 10:56
i can copy/paste this chat, if that works [stripping emails]
err, you know, the pieces to show the ack
Dave 10:57
that works
..... result: pushed patches