There are a few more coming that need more testing or aren't working correctly, but here's a small batch for now.
The behavior recurse="files" was deprecated, so I changed it to the normal "symlinks and directories". Also, the environment variable tests were updated and replaced by the environmentvariable58 tests, objects, and states.
One check I can't submit an update to yet that has a similar problem is "accounts_root_path_dirs_no_write". I was cleaning it up and replacing the deprecated check when I noticed that the check is not actually working correctly. Specifying a single path in file_object gets the correct result of true or false, but passing in a variable with multiple values (PATH, split into multiple strings) appears to always fail with "does not exist".
- Maura Dailey
Maura Dailey (3):
  Replacing deprecated ind:environmentvariable_... tags with ind:environmentvariable58_... tags
  Removing deprecated recurse=files behavior.
  Removing deprecated recurse="files" behavior

 .../checks/accounts_dangerous_path_for_root.xml | 53 ++++++++++----------
 .../input/checks/file_permissions_ungroupowned.xml | 4 +-
 RHEL6/input/checks/file_permissions_unowned.xml | 4 +-
 3 files changed, 31 insertions(+), 30 deletions(-)

Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
---
 .../checks/accounts_dangerous_path_for_root.xml | 53 ++++++++++----------
 1 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml index 52ffa6f..efc4f0d 100644 --- a/RHEL6/input/checks/accounts_dangerous_path_for_root.xml +++ b/RHEL6/input/checks/accounts_dangerous_path_for_root.xml 
@@ -16,49 +16,50 @@ <criterion comment="environment variable PATH doesn't contain relative paths" test_ref="test_env_var_contains_relative_path" /> </criteria> </definition> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH starts with : or ." id="test_env_var_begins" version="1"> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with : or ." id="test_env_var_begins" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_begins_colon_period" /> - </ind:environmentvariable_test> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH contains : twice in a row" id="test_env_var_contains_doublecolon" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains : twice in a row" id="test_env_var_contains_doublecolon" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_contains_double_colon" /> - </ind:environmentvariable_test> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH contains . twice in a row" id="test_env_var_contains_doubleperiod" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains . twice in a row" id="test_env_var_contains_doubleperiod" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_contains_double_period" /> - </ind:environmentvariable_test> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH ends with : or ." id="test_env_var_ends" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH ends with : or ." 
id="test_env_var_ends" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_ends_colon_period" /> - </ind:environmentvariable_test> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="test_env_var_begins_slash" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="test_env_var_begins_slash" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_begins_slash" /> - </ind:environmentvariable_test> - <ind:environmentvariable_test check="none satisfy" comment="environment variable PATH contains relative paths" id="test_env_var_contains_relative_path" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains relative paths" id="test_env_var_contains_relative_path" version="1"> <ind:object object_ref="object_env_var_path" /> <ind:state state_ref="state_contains_relative_path" /> - </ind:environmentvariable_test> - <ind:environmentvariable_object id="object_env_var_path" version="1"> + </ind:environmentvariable58_test> + <ind:environmentvariable58_object id="object_env_var_path" version="1"> + <ind:pid xsi:nil="true" datatype="int" /> ind:namePATH</ind:name> - </ind:environmentvariable_object> - <ind:environmentvariable_state comment="starts with colon or period" id="state_begins_colon_period" version="1"> + </ind:environmentvariable58_object> + <ind:environmentvariable58_state comment="starts with colon or period" id="state_begins_colon_period" version="1"> <ind:value operation="pattern match">^[:.]</ind:value> - </ind:environmentvariable_state> - <ind:environmentvariable_state comment="colon twice in a row" id="state_contains_double_colon" version="1"> + </ind:environmentvariable58_state> + <ind:environmentvariable58_state 
comment="colon twice in a row" id="state_contains_double_colon" version="1"> <ind:value operation="pattern match">::</ind:value> - </ind:environmentvariable_state> - <ind:environmentvariable_state comment="period twice in a row" id="state_contains_double_period" version="1"> + </ind:environmentvariable58_state> + <ind:environmentvariable58_state comment="period twice in a row" id="state_contains_double_period" version="1"> <ind:value operation="pattern match">..</ind:value> - </ind:environmentvariable_state> - <ind:environmentvariable_state comment="ends with colon or period" id="state_ends_colon_period" version="1"> + </ind:environmentvariable58_state> + <ind:environmentvariable58_state comment="ends with colon or period" id="state_ends_colon_period" version="1"> <ind:value operation="pattern match">[:.]$</ind:value> - </ind:environmentvariable_state> - <ind:environmentvariable_state comment="begins with a slash" id="state_begins_slash" version="1"> + </ind:environmentvariable58_state> + <ind:environmentvariable58_state comment="begins with a slash" id="state_begins_slash" version="1"> <ind:value operation="pattern match">^[^/]</ind:value> - </ind:environmentvariable_state> - <ind:environmentvariable_state comment="elements begin with a slash" id="state_contains_relative_path" version="1"> + </ind:environmentvariable58_state> + <ind:environmentvariable58_state comment="elements begin with a slash" id="state_contains_relative_path" version="1"> <ind:value operation="pattern match">[^\]:[^/]</ind:value> - </ind:environmentvariable_state> + </ind:environmentvariable58_state> </def-group>
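Review bot: The added `<ind:pid xsi:nil="true" datatype="int" />` in object_env_var_path only validates if the `xsi` prefix is bound to http://www.w3.org/2001/XMLSchema-instance on the document or def-group element; the hunk does not show that declaration, so confirm it exists, otherwise the file fails schema validation even though the tag rename is correct. Also worth a comment on the object: a nil pid makes the 58 object read the PATH of the process running the OVAL interpreter, so the result reflects how the scanner was launched (login shell, cron, etc.) rather than root's configured PATH. The mechanical `environmentvariable_` to `environmentvariable58_` rename is otherwise consistent across the six tests, the object and the six states.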
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
---
 .../input/checks/file_permissions_ungroupowned.xml | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_ungroupowned.xml b/RHEL6/input/checks/file_permissions_ungroupowned.xml index d004310..5bc34f7 100644 --- a/RHEL6/input/checks/file_permissions_ungroupowned.xml +++ b/RHEL6/input/checks/file_permissions_ungroupowned.xml @@ -31,8 +31,8 @@ </unix:file_state> <unix:file_object comment="all local files" id="obj_20025" version="1"> - <unix:behaviors recurse="files" recurse_file_system="local" /> - <unix:path operation="pattern match">.*</unix:path> + <unix:behaviors recurse="symlinks and directories" recurse_file_system="local" /> + unix:path/</unix:path> <unix:filename operation="pattern match">.*</unix:filename> </unix:file_object> </def-group>
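Review bot: Replacing the `.*` pattern on unix:path with the literal `/` narrows what obj_20025 covers: the unix:behaviors element still has no `recurse_direction`, which defaults to "none", so with `<unix:path>/</unix:path>` only entries directly under the root directory are examined and the rest of the local file systems are no longer searched for ungroupowned files. To keep the previous whole-filesystem scope, add `recurse_direction="down"` to the behaviors element (the default max_depth of -1 is unlimited): `<unix:behaviors recurse="symlinks and directories" recurse_direction="down" recurse_file_system="local" />`.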
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
---
 RHEL6/input/checks/file_permissions_unowned.xml | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_unowned.xml b/RHEL6/input/checks/file_permissions_unowned.xml index 63f903b..5fc8afc 100644 --- a/RHEL6/input/checks/file_permissions_unowned.xml +++ b/RHEL6/input/checks/file_permissions_unowned.xml @@ -31,8 +31,8 @@ </unix:file_state> <unix:file_object comment="all local files" id="obj_20022" version="1"> - <unix:behaviors recurse="files" recurse_file_system="local" /> - <unix:path operation="pattern match">.*</unix:path> + <unix:behaviors recurse="symlinks and directories" recurse_file_system="local" /> + unix:path/</unix:path> <unix:filename operation="pattern match">.*</unix:filename> </unix:file_object> </def-group>
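Review bot: Same scope problem as in file_permissions_ungroupowned.xml: obj_20022 now names the literal path `/` but its unix:behaviors carries no `recurse_direction`, and the default "none" means only the immediate entries of the root directory are checked for unowned files. Add `recurse_direction="down"` alongside `recurse="symlinks and directories"` so the object again walks all local file systems.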
Fantastic, please push. This is getting us quite close to OVAL that doesn't merely execute, but is actually structurally valid! (And with a little testing help, also has the correct behavior -- though I suspect we're doing pretty good in that department by now.)
On Thu, May 30, 2013 at 4:43 PM, Maura Dailey maura@eclipse.ncsc.mil wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide