
[BugFix] [RHEL/6, RHEL/7, Fedora] Fix & simplify accounts_root_path_dirs_no_write OVAL check. Make it shared. #339

1 change: 1 addition & 0 deletions Fedora/input/checks/accounts_root_path_dirs_no_write.xml
3 changes: 3 additions & 0 deletions Fedora/input/profiles/common.xml
Expand Up @@ -40,6 +40,9 @@
<select idref="accounts_maximum_age_login_defs" selected="true"/>
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
<select idref="accounts_password_warn_age_login_defs" selected="true"/>
<!-- Secure Session Configuration Files for Login Accounts -->
<!-- Ensure that No Dangerous Directories Exist in Root's Path -->
<select idref="root_path_no_groupother_writable" selected="true"/>

<!-- Services -->
<!-- Network Time Protocol -->
2 changes: 1 addition & 1 deletion Fedora/input/system/accounts/session.xml
Expand Up @@ -109,7 +109,7 @@ Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
</rationale>
<!-- <oval id="accounts_root_path_dirs_no_write" /> -->
<oval id="accounts_root_path_dirs_no_write" />
<ref nist=""/>
</Rule>
</Group>
59 changes: 0 additions & 59 deletions RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml

This file was deleted.

1 change: 1 addition & 0 deletions RHEL/6/input/checks/accounts_root_path_dirs_no_write.xml
1 change: 1 addition & 0 deletions RHEL/7/input/checks/accounts_root_path_dirs_no_write.xml
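--- /dev/null
+++ b/shared/oval/accounts_root_path_dirs_no_write.xml
@@ -0,0 +1,61 @@
+<def-group>
+<definition class="compliance" id="accounts_root_path_dirs_no_write" version="2">
+<metadata>
+<title>Write permissions are disabled for group and other in all
+directories in Root's Path</title>
+<affected family="unix">
+<platform>Red Hat Enterprise Linux 6</platform>
+<platform>Red Hat Enterprise Linux 7</platform>
+<platform>Fedora 20</platform>
+</affected>
+<description>Check each directory in root's path and make use it does
+not grant write permission to group and other</description>
+<reference source="JL" ref_id="RHEL6_20141119" ref_url="test_attestation"/>
+<reference source="JL" ref_id="RHEL7_20141119" ref_url="test_attestation"/>
+<reference source="JL" ref_id="FEDORA20_20141119" ref_url="test_attestation"/>
+</metadata>
+<criteria comment="Check that write permission to group and other in root's path is denied">
+<criterion comment="Check for write permission to group and other in root's path"
+test_ref="test_accounts_root_path_dirs_no_group_other_write" />
+</criteria>
+</definition>
+
+<ind:environmentvariable58_object id="object_accounts_root_path_dirs_no_write_pathenv" version="1">
+<ind:pid xsi:nil="true" datatype="int" />
+<ind:name>PATH</ind:name>
+</ind:environmentvariable58_object>
+
+<local_variable comment="Split the PATH on the : delimiter" datatype="string"
+id="var_accounts_root_path_dirs_no_write" version="1">
+<split delimiter=":">
+<object_component item_field="value"
+object_ref="object_accounts_root_path_dirs_no_write_pathenv" />
+</split>
+</local_variable>
+
+<unix:file_test check="all" check_existence="none_exist"
+comment="Check if there aren't directories in root's path having write permission set for group or other"
+id="test_accounts_root_path_dirs_no_group_other_write" version="1">
+<unix:object object_ref="object_accounts_root_path_dirs_no_group_other_write" />
+</unix:file_test>
+
+<unix:file_object comment="root's path directories with wrong group / other write permissions"
+id="object_accounts_root_path_dirs_no_group_other_write" version="1">
+<unix:path var_ref="var_accounts_root_path_dirs_no_write" var_check="at least one" />
+<unix:filename xsi:nil="true" />
+<filter action="include">state_accounts_root_path_dirs_wrong_perms</filter>
+<filter action="exclude">state_accounts_root_path_dirs_symlink</filter>
+</unix:file_object>
+
+<unix:file_state comment="group or other has write privilege"
+id="state_accounts_root_path_dirs_wrong_perms" version="1" operator="OR">
+<unix:gwrite datatype="boolean">true</unix:gwrite>
+<unix:owrite datatype="boolean">true</unix:owrite>
+</unix:file_state>
+
+<unix:file_state comment="symbolic link"
+id="state_accounts_root_path_dirs_symlink" version="1">
+<unix:type operation="equals">symbolic link</unix:type>
+</unix:file_state>
+
+</def-group>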
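Review bot: The PATH this definition inspects is the scanner's own, because `<ind:pid xsi:nil="true" datatype="int" />` on object_accounts_root_path_dirs_no_write_pathenv selects the environment of the OVAL interpreter process, so the result reflects root's path only when the scan runs under root's login environment; a comment on that object would spare the next maintainer the inference, e.g. `comment="PATH of the scanning process (pid nil); assumed to be root's login environment"`. Entries that are relative or empty after the `:` split (a `.` component or a trailing `:`) are, as far as I can tell, resolved against the scanner's working directory or dropped by the interpreter rather than reported as dangerous, and a PATH entry that is itself a symlink is excluded by state_accounts_root_path_dirs_symlink (presumably to avoid the lrwxrwxrwx mode of the link itself), so its target's group/other write bits go unchecked; both limitations belong in the description so consumers of the scan result know what is and is not covered. The description text also reads `make use it does` where `make sure it does` is meant.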