From: Matt Keeler <mkeeler(a)tresys.com>
Add a /etc/passwd owner,group owner, and mode example
Added a puppet manifest which contains remediation classes for both of the tests.
---
testing/data/EtcPasswdPerms/2-15Passwd.xml | 108 ++++++++++++++++++++
testing/data/EtcPasswdPerms/Passwd.xccdf.xml | 105 +++++++++++++++++++
testing/data/PasswordComplexity/PassComp.xccdf.xml | 20 ++++
testing/data/PuppetManifests/passwd.pp | 26 +++++
4 files changed, 259 insertions(+), 0 deletions(-)
create mode 100644 testing/data/EtcPasswdPerms/2-15Passwd.xml
create mode 100644 testing/data/EtcPasswdPerms/Passwd.xccdf.xml
create mode 100644 testing/data/PuppetManifests/passwd.pp
diff --git a/testing/data/EtcPasswdPerms/2-15Passwd.xml
b/testing/data/EtcPasswdPerms/2-15Passwd.xml
new file mode 100644
index 0000000..8e9ceb3
--- /dev/null
+++ b/testing/data/EtcPasswdPerms/2-15Passwd.xml
@@ -0,0 +1,108 @@
+<oval_definitions
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions...
unix-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#linux
linux-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#independent
independent-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5
oval-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-common-5
oval-common-schema.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <generator>
+ <product_name
xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">squashed
circle</product_name>
+ <product_version
xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">0.5<...
+ <schema_version
xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">5.6<...
+ <timestamp
xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">2010-0...
+ </generator>
+
+ <!-- OVAL Definitions Section -->
+ <definitions>
+ <definition class="compliance"
id="oval:com.tresys.com.passwd:def:1000" version="1">
+ <metadata>
+ <title>/etc/passwd owner</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 5</platform>
+ </affected>
+ <reference ref_id="PasswdOwner" source="UNIX STIG" />
+ <description>Password File owner</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:com.tresys.oval.passwd:tst:1000" />
+ </criteria>
+ </definition>
+
+ <definition class="compliance"
id="oval:com.tresys.com.passwd:def:1001" version="1">
+ <metadata>
+ <title>/etc/passwd group</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 5</platform>
+ </affected>
+ <reference ref_id="PasswdGroup" source="UNIX STIG" />
+ <description>Password File owner</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:com.tresys.oval.passwd:tst:1001" />
+ </criteria>
+ </definition>
+
+ <definition class="compliance"
id="oval:com.tresys.com.passwd:def:1002" version="1">
+ <metadata>
+ <title>/etc/passwd mode</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 5</platform>
+ </affected>
+ <reference ref_id="PasswdMode" source="UNIX STIG" />
+ <description>Password File owner</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:com.tresys.oval.passwd:tst:1002" />
+ </criteria>
+ </definition>
+ </definitions>
+
+ <!-- OVAL Tests Section -->
+ <tests>
+ <file_test check="all" comment="check owner of /etc/passwd"
id="oval:com.tresys.oval.passwd:tst:1000" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <object object_ref="oval:com.tresys.oval.passwd.obj:1002" />
+ <state state_ref="oval:com.tresys.oval.passwd:ste:1000" />
+ </file_test>
+
+ <file_test check="all" comment="check owner of /etc/passwd"
id="oval:com.tresys.oval.passwd:tst:1001" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <object object_ref="oval:com.tresys.oval.passwd.obj:1002" />
+ <state state_ref="oval:com.tresys.oval.passwd:ste:1001" />
+ </file_test>
+
+ <file_test check="all" comment="check owner of /etc/passwd"
id="oval:com.tresys.oval.passwd:tst:1002" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <object object_ref="oval:com.tresys.oval.passwd.obj:1002" />
+ <state state_ref="oval:com.tresys.oval.passwd:ste:1002" />
+ </file_test>
+ </tests>
+
+ <!-- OVAL Objects Section -->
+ <objects>
+ <file_object comment="/etc/passwd"
id="oval:com.tresys.oval.passwd:obj:1002" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <filepath>/etc/passwd</filepath>
+ </file_object>
+ </objects>
+
+ <!-- OVAL States Section -->
+ <states>
+ <file_state id="oval:com.tresys.oval.passwd:ste:1000"
version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <user_id operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1004" />
+ </file_state>
+
+ <file_state id="oval:com.tresys.oval.passwd:ste:1001"
version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <group_id operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1005" />
+ </file_state>
+
+ <file_state id="oval:com.tresys.oval.passwd:ste:1002"
version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"...
+ <uexec operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1006" />
+ <gwrite operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1007" />
+ <gexec operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1008" />
+ <owrite operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1009" />
+ <oexec operation="equals"
var_ref="oval:com.tresys.oval.passwd:var:1010" />
+ </file_state>
+ </states>
+
+ <!-- Oval Variables Section -->
+ <variables>
+ <external_variable comment="owner" datatype="string"
id="oval:com.tresys.oval.passwd:var:1004" version="1" />
+ <external_variable comment="group" datatype="string"
id="oval:com.tresys.oval.passwd:var:1005" version="1" />
+ <external_variable comment="uexec" datatype="string"
id="oval:com.tresys.oval.passwd:var:1006" version="1" />
+ <external_variable comment="gwrite" datatype="string"
id="oval:com.tresys.oval.passwd:var:1007" version="1" />
+ <external_variable comment="gexec" datatype="string"
id="oval:com.tresys.oval.passwd:var:1008" version="1" />
+ <external_variable comment="owrite" datatype="string"
id="oval:com.tresys.oval.passwd:var:1009" version="1" />
+ <external_variable comment="oexec" datatype="string"
id="oval:com.tresys.oval.passwd:var:1010" version="1" />
+ </variables>
+</oval_definitions>
\ No newline at end of file
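Review bot: The three file_test elements point at `object_ref="oval:com.tresys.oval.passwd.obj:1002"`, but the only file_object is declared as `id="oval:com.tresys.oval.passwd:obj:1002"` (colon, not dot, before `obj`), so none of the tests resolve to the /etc/passwd object and an OVAL interpreter should report the three definitions as error instead of evaluating them; change all three object_ref attributes to `oval:com.tresys.oval.passwd:obj:1002`. The copy-pasted wording also hides what each item checks: the group and mode definitions both carry `<description>Password File owner</description>`, and every file_test says `comment="check owner of /etc/passwd"` — use `Password File group` / `Password File mode` and `check group of /etc/passwd` / `check mode of /etc/passwd` respectively. State ste:1002 only requires uexec, gwrite, gexec, owrite and oexec to match, so a setuid, setgid or sticky /etc/passwd would still satisfy the "644 or less" rule; adding `suid`, `sgid` and `sticky` entities (expected false) to that state closes the gap. Note too that those permission-bit entities are boolean in the unix file_state schema while the exported variables are declared `datatype="string"`; whether the interpreter in use tolerates that mismatch is worth confirming.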
diff --git a/testing/data/EtcPasswdPerms/Passwd.xccdf.xml
b/testing/data/EtcPasswdPerms/Passwd.xccdf.xml
new file mode 100644
index 0000000..72771a0
--- /dev/null
+++ b/testing/data/EtcPasswdPerms/Passwd.xccdf.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This XCCDF document was auto generated by the Recommendation Tracker. -->
+<Benchmark
xmlns="http://checklists.nist.gov/xccdf/1.1"
+
xmlns:dc="http://purl.org/dc/elements/1.1/"
+
xmlns:cdf="http://checklists.nist.gov/xccdf/1.1"
+
xmlns:cpe="http://cpe.mitre.org/dictionary/2.0"
+
xmlns:dsig="http://w3.org/2000/09/xmldsig#"
+
xmlns:xhtml="http://www.w3.org/1999/xhtml"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1
http://nvd.nist.gov/schema/xccdf-1.1.4.xsd"
+ id="Passwd">
+<!-- Review the status value. -->
+<status date="2010-06-11">draft</status>
+ <title>PasswordFilePermissions</title>
+ <!-- Consider adding front-matter. -->
+
+<!-- Consider adding rear-matter. -->
+<!-- Consider adding a reference for the benchamrk. -->
+<!-- Consider adding application wide plafrom information. -->
+
+<!-- Review version information. -->
+<version>1.0</version>
+ <!-- Consider adding scoring model information. -->
+<Value id="Passwd-V-2-2" type="string"
operator="equals">
+ <title>PasswdOwner</title>
+ <description/>
+ <value>root</value>
+ </Value>
+ <Value id="Passwd-V-2-4" type="string"
operator="equals">
+ <title>PasswdGroup</title>
+ <description/>
+ <value>root</value>
+ </Value>
+ <Value id="Passwd-V-2-6" type="string"
operator="equals">
+ <title>PasswdOwnerExec</title>
+ <description/>
+ <value>0</value>
+ </Value>
+ <Value id="Passwd-V-2-8" type="string"
operator="equals">
+ <title>PasswdGroupWrite</title>
+ <description/>
+ <value>0</value>
+ </Value>
+ <Value id="Passwd-V-2-10" type="string"
operator="equals">
+ <title>PasswdGroupExec</title>
+ <description/>
+ <value>0</value>
+ </Value>
+ <Value id="Passwd-V-2-12" type="string"
operator="equals">
+ <title>PasswdOtherWrite</title>
+ <description/>
+ <value>0</value>
+ </Value>
+ <Value id="Passwd-V-2-14" type="string"
operator="equals">
+ <title>PasswdOtherExec</title>
+ <description/>
+ <value>0</value>
+ </Value>
+ <Rule id="Passwd-R-2-1">
+ <title>Passwd_Ownership</title>
+ <description>/etc/passwd should be owned by root</description>
+ <rationale>Who Cares</rationale>
+ <fixtext>Change the owner to root</fixtext>
+ <check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-export value-id="Passwd-V-2-2"
export-name="oval:com.tresys.oval.passwd:var:1004"/>
+ <check-content-ref href="2-15Passwd.xml"
name="oval:com.tresys.com.passwd:def:1000"/>
+ </check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd
+ parameter : etc_passwd_owner : root
+ </fix>
+ </Rule>
+ <Rule id="Passwd-R-2-2">
+ <title>Passwd_Group_Ownership</title>
+ <description>/etc/passwd should be owned by root</description>
+ <rationale>Who Cares</rationale>
+ <fixtext>Change the owner to root</fixtext>
+ <check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-export value-id="Passwd-V-2-4"
export-name="oval:com.tresys.oval.passwd:var:1005"/>
+ <check-content-ref href="2-15Passwd.xml"
name="oval:com.tresys.com.passwd:def:1001"/>
+ </check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd
+ parameter : etc_passwd_group_owner : root
+ </fix>
+ </Rule>
+ <Rule id="Passwd-R-2-3">
+ <title>Passwd_Mode</title>
+ <description>/etc/passwd should be 644 or less</description>
+ <rationale>Who Cares</rationale>
+ <fixtext>Change the mode to 644</fixtext>
+ <check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-export value-id="Passwd-V-2-6"
export-name="oval:com.tresys.oval.passwd:var:1006"/>
+ <check-export value-id="Passwd-V-2-8"
export-name="oval:com.tresys.oval.passwd:var:1007"/>
+ <check-export value-id="Passwd-V-2-10"
export-name="oval:com.tresys.oval.passwd:var:1008"/>
+ <check-export value-id="Passwd-V-2-12"
export-name="oval:com.tresys.oval.passwd:var:1009"/>
+ <check-export value-id="Passwd-V-2-14"
export-name="oval:com.tresys.oval.passwd:var:1010"/>
+ <check-content-ref href="2-15Passwd.xml"
name="oval:com.tresys.com.passwd:def:1002"/>
+ </check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd
+ parameter : etc_passwd_mode : 644
+ </fix>
+ </Rule>
+</Benchmark>
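Review bot: Rule Passwd-R-2-2 checks group ownership (it exports Passwd-V-2-4 / PasswdGroup into var:1005), but its description and fixtext are copied from the owner rule — `<description>/etc/passwd should be owned by root</description>` and `<fixtext>Change the owner to root</fixtext>` should read `/etc/passwd should be group-owned by root` and `Change the group owner to root`. All three rules ship `<rationale>Who Cares</rationale>`, which will appear verbatim in any generated report; even for test data a one-line rationale such as `A non-root-owned or group/world-writable /etc/passwd allows account tampering` is preferable to a placeholder. Rule Passwd-R-2-3 is described as "644 or less" and its OVAL state only requires the five bits to be clear, yet the Puppet fix sets `parameter : etc_passwd_mode : 644` unconditionally, so remediation would widen a file that is already 640 — either document that 644 is the intended target or make the fix reflect the check. If these documents are ever validated against the xccdf-1.1.4 schema named in schemaLocation, placing `<fix>` after `</check>` (here and in every PassComp.xccdf.xml hunk of this patch) is out of the schema's Rule sequence, which orders fixtext and fix before check; separately, `xmlns:dsig="http://w3.org/2000/09/xmldsig#"` is not the XML Signature namespace (`http://www.w3.org/2000/09/xmldsig#`) and is only harmless because no dsig element is used.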
diff --git a/testing/data/PasswordComplexity/PassComp.xccdf.xml
b/testing/data/PasswordComplexity/PassComp.xccdf.xml
index ae2ea8b..6810723 100644
--- a/testing/data/PasswordComplexity/PassComp.xccdf.xml
+++ b/testing/data/PasswordComplexity/PassComp.xccdf.xml
@@ -37,6 +37,10 @@
<check-content-ref
href="2-19PasswordComplexity_Lowercase.xml"
name="oval:com.tresys.oval.rhel:def:1000"
/>
</check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd_complexity
+ array : cracklib_args : lcredit=-2
+ </fix>
</Rule>
<Rule id="PassComp-R-2-2" selected="true"
role="full">
<title>Min. Length</title>
@@ -48,6 +52,10 @@
<check-content-ref href="2-20PasswordComplexity_MinLen.xml"
name="oval:com.tresys.oval.rhel:def:1001"
/>
</check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd_complexity
+ array : cracklib_args : ucredit=-2
+ </fix>
</Rule>
<Rule id="PassComp-R-2-3">
<title>Numeric</title>
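Review bot: The fix added for rule PassComp-R-2-2 passes `ucredit=-2`, but this rule is "Min. Length" (its check references 2-20PasswordComplexity_MinLen.xml in this hunk, and the title sits in the previous hunk's trailing context), and the identical `ucredit=-2` is already the fix for the Uppercase rule PassComp-R-2-5 in the last hunk — this looks like a copy-paste, and minimum length would never be remediated. The line should carry pam_cracklib's minimum-length option with the length the OVAL definition actually checks, e.g. `array : cracklib_args : minlen=<length from 2-20PasswordComplexity_MinLen.xml>`. The enclosing Rule element begins in the previous hunk.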
@@ -58,6 +66,10 @@
<check-content-ref href="2-21PasswordComplexity_Numeric.xml"
name="oval:com.tresys.oval.rhel:def:1002"
/>
</check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd_complexity
+ array : cracklib_args : dcredit=-1
+ </fix>
</Rule>
<Rule id="PassComp-R-2-4">
<title>Special</title>
@@ -68,6 +80,10 @@
<check-content-ref href="2-22PasswordComplexity_Special.xml"
name="oval:com.tresys.oval.rhel:def:1003"
/>
</check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd_complexity
+ array : cracklib_args : ocredit=-1
+ </fix>
</Rule>
<Rule id="PassComp-R-2-5">
<title>Uppercase</title>
@@ -78,6 +94,10 @@
<check-content-ref
href="2-23PasswordComplexity_Uppercase.xml"
name="oval:com.tresys.oval.rhel:def:1004"
/>
</check>
+ <fix system="urn:xccdf:fix:script:puppet">
+ class : passwd_complexity
+ array : cracklib_args : ucredit=-2
+ </fix>
</Rule>
</Group>
</Group>
diff --git a/testing/data/PuppetManifests/passwd.pp
b/testing/data/PuppetManifests/passwd.pp
new file mode 100644
index 0000000..90eeb7b
--- /dev/null
+++ b/testing/data/PuppetManifests/passwd.pp
@@ -0,0 +1,26 @@
+class passwd {
+ file { '/etc/passwd' :
+ mode => $etc_passwd_mode? {
+ '' => undef,
+ default => $etc_passwd_mode
+ },
+ owner => $etc_passwd_owner? {
+ '' => undef,
+ default => $etc_passwd_owner
+ },
+ group => $etc_passwd_group_owner? {
+ '' => undef,
+ default => $etc_passwd_group_owner
+ }
+ }
+}
+
+class passwd_complexity {
+ pam {"pam_cracklib.so":
+ type => "password",
+ control => "requisite",
+ module_args => $cracklib_args,
+ args_membership => minimum,
+ }
+}
+
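Review bot: Both classes read `$etc_passwd_mode`, `$etc_passwd_owner`, `$etc_passwd_group_owner` and `$cracklib_args` without declaring them, so the manifest depends on the harness placing those variables in a scope the classes can see; if the Puppet version in use supports parameterized classes, declaring them (`class passwd($etc_passwd_mode = '', $etc_passwd_owner = '', $etc_passwd_group_owner = '')`) makes the contract the XCCDF `parameter :` lines rely on explicit, and an unset value then falls through to the existing `'' => undef` branch instead of failing. The `pam` resource used by passwd_complexity is not a core Puppet type, so a header comment naming the module expected to provide it and the meaning of `args_membership => minimum` would help the next reader; I cannot tell from this patch which module is intended. A one-line comment above `file { '/etc/passwd' :` saying that an empty string leaves the attribute unmanaged would document the selector idiom used three times.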
--
1.6.5.2