From: Matt Keeler <mkeeler(a)tresys.com&gt; Add a /etc/passwd owner,group owner, and mode example Added a puppet manifest which contains remediation classes for both of the tests. --- testing/data/EtcPasswdPerms/2-15Passwd.xml | 108 ++++++++++++++++++++ testing/data/EtcPasswdPerms/Passwd.xccdf.xml | 105 +++++++++++++++++++ testing/data/PasswordComplexity/PassComp.xccdf.xml | 20 ++++ testing/data/PuppetManifests/passwd.pp | 26 +++++ 4 files changed, 259 insertions(+), 0 deletions(-) create mode 100644 testing/data/EtcPasswdPerms/2-15Passwd.xml create mode 100644 testing/data/EtcPasswdPerms/Passwd.xccdf.xml create mode 100644 testing/data/PuppetManifests/passwd.pp diff --git a/testing/data/EtcPasswdPerms/2-15Passwd.xml b/testing/data/EtcPasswdPerms/2-15Passwd.xml new file mode 100644 index 0000000..8e9ceb3 --- /dev/null +++ b/testing/data/EtcPasswdPerms/2-15Passwd.xml @@ -0,0 +1,108 @@ +<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions... unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <generator> + <product_name xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">squashed circle</product_name> + <product_version xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">0.5<... + <schema_version xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">5.6<... + <timestamp xmlns="http://oval.mitre.org/XMLSchema/oval-common-5">2010-0... + </generator> + + <!-- OVAL Definitions Section --> + <definitions> + <definition class="compliance" id="oval:com.tresys.com.passwd:def:1000" version="1"> + <metadata> + <title>/etc/passwd owner</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 5</platform> + </affected> + <reference ref_id="PasswdOwner" source="UNIX STIG" /> + <description>Password File owner</description> + </metadata> + <criteria operator="AND"> + <criterion test_ref="oval:com.tresys.oval.passwd:tst:1000" /> + </criteria> + </definition> + + <definition class="compliance" id="oval:com.tresys.com.passwd:def:1001" version="1"> + <metadata> + <title>/etc/passwd group</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 5</platform> + </affected> + <reference ref_id="PasswdGroup" source="UNIX STIG" /> + <description>Password File owner</description> + </metadata> + <criteria operator="AND"> + <criterion test_ref="oval:com.tresys.oval.passwd:tst:1001" /> + </criteria> + </definition> + + <definition class="compliance" id="oval:com.tresys.com.passwd:def:1002" version="1"> + <metadata> + <title>/etc/passwd mode</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 5</platform> + </affected> + <reference ref_id="PasswdMode" source="UNIX STIG" /> + <description>Password File owner</description> + </metadata> + <criteria operator="AND"> + <criterion test_ref="oval:com.tresys.oval.passwd:tst:1002" /> + </criteria> + </definition> + </definitions> + + <!-- OVAL Tests Section --> + <tests> + <file_test check="all" comment="check owner of /etc/passwd" id="oval:com.tresys.oval.passwd:tst:1000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <object object_ref="oval:com.tresys.oval.passwd.obj:1002" /> + <state state_ref="oval:com.tresys.oval.passwd:ste:1000" /> + </file_test> + + <file_test check="all" comment="check owner of /etc/passwd" id="oval:com.tresys.oval.passwd:tst:1001" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <object object_ref="oval:com.tresys.oval.passwd.obj:1002" /> + <state state_ref="oval:com.tresys.oval.passwd:ste:1001" /> + </file_test> + + <file_test check="all" comment="check owner of /etc/passwd" id="oval:com.tresys.oval.passwd:tst:1002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <object object_ref="oval:com.tresys.oval.passwd.obj:1002" /> + <state state_ref="oval:com.tresys.oval.passwd:ste:1002" /> + </file_test> + </tests> + + <!-- OVAL Objects Section --> + <objects> + <file_object comment="/etc/passwd" id="oval:com.tresys.oval.passwd:obj:1002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <filepath>/etc/passwd</filepath> + </file_object> + </objects> + + <!-- OVAL States Section --> + <states> + <file_state id="oval:com.tresys.oval.passwd:ste:1000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <user_id operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1004" /> + </file_state> + + <file_state id="oval:com.tresys.oval.passwd:ste:1001" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <group_id operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1005" /> + </file_state> + + <file_state id="oval:com.tresys.oval.passwd:ste:1002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"... + <uexec operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1006" /> + <gwrite operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1007" /> + <gexec operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1008" /> + <owrite operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1009" /> + <oexec operation="equals" var_ref="oval:com.tresys.oval.passwd:var:1010" /> + </file_state> + </states> + + <!-- Oval Variables Section --> + <variables> + <external_variable comment="owner" datatype="string" id="oval:com.tresys.oval.passwd:var:1004" version="1" /> + <external_variable comment="group" datatype="string" id="oval:com.tresys.oval.passwd:var:1005" version="1" /> + <external_variable comment="uexec" datatype="string" id="oval:com.tresys.oval.passwd:var:1006" version="1" /> + <external_variable comment="gwrite" datatype="string" id="oval:com.tresys.oval.passwd:var:1007" version="1" /> + <external_variable comment="gexec" datatype="string" id="oval:com.tresys.oval.passwd:var:1008" version="1" /> + <external_variable comment="owrite" datatype="string" id="oval:com.tresys.oval.passwd:var:1009" version="1" /> + <external_variable comment="oexec" datatype="string" id="oval:com.tresys.oval.passwd:var:1010" version="1" /> + </variables> +</oval_definitions> \ No newline at end of file diff --git a/testing/data/EtcPasswdPerms/Passwd.xccdf.xml b/testing/data/EtcPasswdPerms/Passwd.xccdf.xml new file mode 100644 index 0000000..72771a0 --- /dev/null +++ b/testing/data/EtcPasswdPerms/Passwd.xccdf.xml @@ -0,0 +1,105 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- This XCCDF document was auto generated by the Recommendation Tracker. --> +<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" + xmlns:cpe="http://cpe.mitre.org/dictionary/2.0" + xmlns:dsig="http://w3.org/2000/09/xmldsig#" + xmlns:xhtml="http://www.w3.org/1999/xhtml" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd" + id="Passwd"> +<!-- Review the status value. --> +<status date="2010-06-11">draft</status> + <title>PasswordFilePermissions</title> + <!-- Consider adding front-matter. --> + +<!-- Consider adding rear-matter. --> +<!-- Consider adding a reference for the benchamrk. --> +<!-- Consider adding application wide plafrom information. --> + +<!-- Review version information. --> +<version>1.0</version> + <!-- Consider adding scoring model information. --> +<Value id="Passwd-V-2-2" type="string" operator="equals"> + <title>PasswdOwner</title> + <description/> + <value>root</value> + </Value> + <Value id="Passwd-V-2-4" type="string" operator="equals"> + <title>PasswdGroup</title> + <description/> + <value>root</value> + </Value> + <Value id="Passwd-V-2-6" type="string" operator="equals"> + <title>PasswdOwnerExec</title> + <description/> + <value>0</value> + </Value> + <Value id="Passwd-V-2-8" type="string" operator="equals"> + <title>PasswdGroupWrite</title> + <description/> + <value>0</value> + </Value> + <Value id="Passwd-V-2-10" type="string" operator="equals"> + <title>PasswdGroupExec</title> + <description/> + <value>0</value> + </Value> + <Value id="Passwd-V-2-12" type="string" operator="equals"> + <title>PasswdOtherWrite</title> + <description/> + <value>0</value> + </Value> + <Value id="Passwd-V-2-14" type="string" operator="equals"> + <title>PasswdOtherExec</title> + <description/> + <value>0</value> + </Value> + <Rule id="Passwd-R-2-1"> + <title>Passwd_Ownership</title> + <description>/etc/passwd should be owned by root</description> + <rationale>Who Cares</rationale> + <fixtext>Change the owner to root</fixtext> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-export value-id="Passwd-V-2-2" export-name="oval:com.tresys.oval.passwd:var:1004"/> + <check-content-ref href="2-15Passwd.xml" name="oval:com.tresys.com.passwd:def:1000"/> + </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd + parameter : etc_passwd_owner : root + </fix> + </Rule> + <Rule id="Passwd-R-2-2"> + <title>Passwd_Group_Ownership</title> + <description>/etc/passwd should be owned by root</description> + <rationale>Who Cares</rationale> + <fixtext>Change the owner to root</fixtext> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-export value-id="Passwd-V-2-4" export-name="oval:com.tresys.oval.passwd:var:1005"/> + <check-content-ref href="2-15Passwd.xml" name="oval:com.tresys.com.passwd:def:1001"/> + </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd + parameter : etc_passwd_group_owner : root + </fix> + </Rule> + <Rule id="Passwd-R-2-3"> + <title>Passwd_Mode</title> + <description>/etc/passwd should be 644 or less</description> + <rationale>Who Cares</rationale> + <fixtext>Change the mode to 644</fixtext> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-export value-id="Passwd-V-2-6" export-name="oval:com.tresys.oval.passwd:var:1006"/> + <check-export value-id="Passwd-V-2-8" export-name="oval:com.tresys.oval.passwd:var:1007"/> + <check-export value-id="Passwd-V-2-10" export-name="oval:com.tresys.oval.passwd:var:1008"/> + <check-export value-id="Passwd-V-2-12" export-name="oval:com.tresys.oval.passwd:var:1009"/> + <check-export value-id="Passwd-V-2-14" export-name="oval:com.tresys.oval.passwd:var:1010"/> + <check-content-ref href="2-15Passwd.xml" name="oval:com.tresys.com.passwd:def:1002"/> + </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd + parameter : etc_passwd_mode : 644 + </fix> + </Rule> +</Benchmark> diff --git a/testing/data/PasswordComplexity/PassComp.xccdf.xml b/testing/data/PasswordComplexity/PassComp.xccdf.xml index ae2ea8b..6810723 100644 --- a/testing/data/PasswordComplexity/PassComp.xccdf.xml +++ b/testing/data/PasswordComplexity/PassComp.xccdf.xml @@ -37,6 +37,10 @@ <check-content-ref href="2-19PasswordComplexity_Lowercase.xml" name="oval:com.tresys.oval.rhel:def:1000" /> </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd_complexity + array : cracklib_args : lcredit=-2 + </fix> </Rule> <Rule id="PassComp-R-2-2" selected="true" role="full"> <title>Min. Length</title> @@ -48,6 +52,10 @@ <check-content-ref href="2-20PasswordComplexity_MinLen.xml" name="oval:com.tresys.oval.rhel:def:1001" /> </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd_complexity + array : cracklib_args : ucredit=-2 + </fix> </Rule> <Rule id="PassComp-R-2-3"> <title>Numeric</title> @@ -58,6 +66,10 @@ <check-content-ref href="2-21PasswordComplexity_Numeric.xml" name="oval:com.tresys.oval.rhel:def:1002" /> </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd_complexity + array : cracklib_args : dcredit=-1 + </fix> </Rule> <Rule id="PassComp-R-2-4"> <title>Special</title> @@ -68,6 +80,10 @@ <check-content-ref href="2-22PasswordComplexity_Special.xml" name="oval:com.tresys.oval.rhel:def:1003" /> </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd_complexity + array : cracklib_args : ocredit=-1 + </fix> </Rule> <Rule id="PassComp-R-2-5"> <title>Uppercase</title> @@ -78,6 +94,10 @@ <check-content-ref href="2-23PasswordComplexity_Uppercase.xml" name="oval:com.tresys.oval.rhel:def:1004" /> </check> + <fix system="urn:xccdf:fix:script:puppet"> + class : passwd_complexity + array : cracklib_args : ucredit=-2 + </fix> </Rule> </Group> </Group> diff --git a/testing/data/PuppetManifests/passwd.pp b/testing/data/PuppetManifests/passwd.pp new file mode 100644 index 0000000..90eeb7b --- /dev/null +++ b/testing/data/PuppetManifests/passwd.pp @@ -0,0 +1,26 @@ +class passwd { + file { '/etc/passwd' : + mode => $etc_passwd_mode? { + '' => undef, + default => $etc_passwd_mode + }, + owner => $etc_passwd_owner? { + '' => undef, + default => $etc_passwd_owner + }, + group => $etc_passwd_group_owner? { + '' => undef, + default => $etc_passwd_group_owner + } + } +} + +class passwd_complexity { + pam {"pam_cracklib.so": + type => "password", + control => "requisite", + module_args => $cracklib_args, + args_membership => minimum, + } +} + -- 1.6.5.2