Merge pull request #38 from redhatrises/add_NFS_insecure_oval

Add NFS insecure OVAL check
ComplianceAsCode · Sep 9, 2014 · 17d6c79 · 17d6c79
2 parents 9854c75 + 742619b
commit 17d6c79
Show file tree

Hide file tree

Showing 11 changed files with 471 additions and 26 deletions.
diff --git a/Fedora/input/checks/no_insecure_locks_exports.xml b/Fedora/input/checks/no_insecure_locks_exports.xml
@@ -0,0 +1 @@
+../../../shared/oval/no_insecure_locks_exports.xml
diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt
@@ -75,6 +75,7 @@
       <xsl:apply-templates select="document('services/ssh.xml')" />
       <xsl:apply-templates select="document('services/ftp.xml')" />
       <xsl:apply-templates select="document('services/snmp.xml')" />
+      <xsl:apply-templates select="document('services/nfs.xml')" />
     </xsl:copy>
   </xsl:template>
 

diff --git a/Fedora/input/services/nfs.xml b/Fedora/input/services/nfs.xml
diff --git a/RHEL/6/input/checks/no_insecure_locks_exports.xml b/RHEL/6/input/checks/no_insecure_locks_exports.xml
@@ -0,0 +1 @@
+../../../../shared/oval/no_insecure_locks_exports.xml
diff --git a/RHEL/6/input/checks/package_nfs-utils_removed.xml b/RHEL/6/input/checks/package_nfs-utils_removed.xml
diff --git a/RHEL/6/input/checks/package_nfs-utils_removed.xml b/RHEL/6/input/checks/package_nfs-utils_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_nfs-utils_removed.xml
diff --git a/RHEL/6/input/services/nfs.xml b/RHEL/6/input/services/nfs.xml
@@ -415,6 +415,7 @@ To verify insecure file locking has been disabled, run the following command:
 <rationale>Allowing insecure file locking could allow for sensitive data to be
 viewed or edited by an unauthorized user.
 </rationale>
+<oval id="no_insecure_locks_exports" />
 <ident cce="27167-6" />
 <ref disa="764" />
 </Rule>

diff --git a/RHEL/7/input/checks/no_insecure_locks_exports.xml b/RHEL/7/input/checks/no_insecure_locks_exports.xml
@@ -0,0 +1 @@
+../../../../shared/oval/no_insecure_locks_exports.xml
diff --git a/RHEL/7/input/checks/package_nfs-utils_removed.xml b/RHEL/7/input/checks/package_nfs-utils_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_nfs-utils_removed.xml
diff --git a/RHEL/7/input/services/nfs.xml b/RHEL/7/input/services/nfs.xml
@@ -415,6 +415,7 @@ To verify insecure file locking has been disabled, run the following command:
 <rationale>Allowing insecure file locking could allow for sensitive data to be
 viewed or edited by an unauthorized user.
 </rationale>
+<oval id="no_insecure_locks_exports" />
 <ident cce="RHEL7-CCE-TBD" />
 <ref disa="764" />
 </Rule>

diff --git a/shared/oval/no_insecure_locks_exports.xml b/shared/oval/no_insecure_locks_exports.xml
@@ -0,0 +1,30 @@
+<def-group>
+  <definition class="compliance" id="no_insecure_locks_exports" version="1">
+    <metadata>
+      <title>Ensure insecure_locks is disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
+      </affected>
+      <description>Allowing insecure file locking could allow for sensitive 
+      data to be viewed or edited by an unauthorized user.</description>
+      <reference source="galford" ref_id="20140813" ref_url="test_attestation" />
+    </metadata>
+    <criteria>
+      <criterion comment="Check for insecure NFS locks in /etc/exports"
+      test_ref="test_no_insecure_locks_exports" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="Tests the value of the insecure locks in /etc/exports"
+  id="test_no_insecure_locks_exports" version="1">
+    <ind:object object_ref="obj_no_insecure_locks_exports" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_no_insecure_locks_exports"
+  version="2">
+    <ind:filepath>/etc/exports</ind:filepath>
+    <ind:pattern operation="pattern match">^(.*?(\binsecure_locks\b)[^$]*)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/shared/oval/package_nfs-utils_removed.xml b/shared/oval/package_nfs-utils_removed.xml
@@ -0,0 +1,28 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py.  DO NOT EDIT.  -->
+  <definition class="compliance" id="package_nfs-utils_removed"
+  version="1">
+    <metadata>
+      <title>Package nfs-utils Removed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
+      </affected>
+      <description>The RPM package nfs-utils should be removed.</description>
+      <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion comment="package nfs-utils is removed"
+      test_ref="test_package_nfs-utils_removed" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="none_exist"
+  id="test_package_nfs-utils_removed" version="1"
+  comment="package nfs-utils is removed">
+    <linux:object object_ref="obj_package_nfs-utils_removed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_package_nfs-utils_removed" version="1">
+    <linux:name>nfs-utils</linux:name>
+  </linux:rpminfo_object>
+</def-group>