On 04/23/2013 11:04 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/checks/file_ownership_library_dirs.xml | 138 ++++++++++++++++++++
1 files changed, 138 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml
diff --git a/RHEL6/input/checks/file_ownership_library_dirs.xml
b/RHEL6/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..4f482aa
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,138 @@
+<def-group>
+ <definition class="compliance" id="file_ownership_library_dirs"
version="1">
+ <metadata>
+ <title>Verify that Shared Library Files Have Root Ownership</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules,
and objects therein, are owned by root</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_ownership_lib_dir" />
+ <criterion test_ref="test_ownership_lib64_dir" />
+ <criterion test_ref="test_ownership_usr_lib_dir" />
+ <criterion test_ref="test_ownership_usr_lib64_dir" />
+ <criterion test_ref="test_ownership_lib_modules_dir" />
+ <criterion test_ref="test_ownership_lib_files" />
+ <criterion test_ref="test_ownership_lib64_files" />
+ <criterion test_ref="test_ownership_usr_lib_files" />
+ <criterion test_ref="test_ownership_usr_lib64_files" />
+ <criterion test_ref="test_ownership_lib_modules_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib directories uid root" id="test_ownership_lib_dir"
version="1">
+ <unix:object object_ref="object_lib_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib files uid root" id="test_ownership_lib_files"
version="1">
+ <unix:object object_ref="object_lib_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib directories"
id="object_lib_dir" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib files" id="object_lib_files"
version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib64 directories uid root" id="test_ownership_lib64_dir"
version="1">
+ <unix:object object_ref="object_lib64_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib64 files uid root" id="test_ownership_lib64_files"
version="1">
+ <unix:object object_ref="object_lib64_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib64 directories"
id="object_lib64_dir" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib64 files"
id="object_lib64_files" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/usr/lib directories uid root"
id="test_ownership_usr_lib_dir" version="1">
+ <unix:object object_ref="object_usr_lib_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/usr/lib files uid root" id="test_ownership_usr_lib_files"
version="1">
+ <unix:object object_ref="object_usr_lib_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib directories"
id="object_usr_lib_dir" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib files"
id="object_usr_lib_files" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/usr/lib64 directories uid root"
id="test_ownership_usr_lib64_dir" version="1">
+ <unix:object object_ref="object_usr_lib64_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/usr/lib64 files uid root"
id="test_ownership_usr_lib64_files" version="1">
+ <unix:object object_ref="object_usr_lib64_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/lib64 directories"
id="object_usr_lib64_dir" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/lib64 files"
id="object_usr_lib64_files" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/usr/lib64</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib/modules directories uid root"
id="test_ownership_lib_modules_dir" version="1">
+ <unix:object object_ref="object_lib_modules_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist"
comment="/lib/modules files uid root"
id="test_ownership_lib_modules_files" version="1">
+ <unix:object object_ref="object_lib_modules_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib/modules directories"
id="object_lib_modules_dir" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/lib/modules files"
id="object_lib_modules_files" version="1">
+ <unix:behaviors recurse="directories"
recurse_direction="down" max_depth="-1"
recurse_file_system="all" />
+ <unix:path operation="equals">/lib/modules</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_owner_not_root" version="1"
operator="OR">
+<!-- <unix:group_id datatype="int" operation="not
equal">0</unix:group_id> -->
+ <unix:user_id datatype="int" operation="not
equal">0</unix:user_id>
+ </unix:file_state>
+</def-group>
ACK, with one caveat. I got a warning about trailing whitespace on line 100.
Unit tests appear to work just fine!
- Maura