Hi Pravin,
When you eliminate the filter and receive a listing of files shown below:
I can confirm that there are suid files in /bin.
/bin/eject
/bin/su
/bin/umount
/bin/mount
/bin/ping
/bin/ping6
You confirm that those are all suid files. Your filter is testing for files
which are BOTH suid and sgid. Is that the intent? Or do you want files which
are either suid OR sgid? If you want files which are either suid or sgid, add
an @operator="OR" to your <file_state>:
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
            id="oval:suid-test.test.com:ste:30"
            version="1"
            comment="SRG-OS-000327-GPOS-00127-filter-include-suid-and sgid-files"
            operator="OR">
  <suid datatype="boolean" operation="equals">1</suid>
  <sgid datatype="boolean" operation="equals">1</sgid>
</file_state>
You could also probably use <set>'s to accomplish that as well, if need be.
Hope that helps!
Cheers,
-Bill M
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0686
www.cisecurity.org
Follow us @CISecurity
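The AND-versus-OR point above, shown with find(1) so the expected result of either OVAL state can be checked on a host before the definition is run. This is an added example, not code from the thread or from OpenSCAP; the helper names and the constructed sample directory are assumptions made here, and the sample is built under mktemp so nothing under /bin is touched.

```sh
#!/bin/sh
# Added example (not from the thread): reproduce the two OVAL file_state
# semantics with find(1). An OVAL state combines its entities with AND by
# default, so <suid>1</suid> plus <sgid>1</sgid> matches only files carrying
# BOTH bits; operator="OR" matches files carrying EITHER bit.

# Regular files directly under $1 with setuid AND setgid (OVAL default).
# -perm -6000 requires all of the bits 4000|2000 to be set.
suid_and_sgid() {
    find "$1" -maxdepth 1 -type f -perm -6000 2>/dev/null | sed 's#.*/##' | sort
}

# Regular files directly under $1 with setuid OR setgid (operator="OR").
suid_or_sgid() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's#.*/##' | sort
}

# Constructed sample directory (assumption: a scratch dir the caller may write to)
# holding one file for each combination of the two bits.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/plain"    && chmod 0755 "$d/plain"
    : > "$d/onlysuid" && chmod 4755 "$d/onlysuid"
    : > "$d/onlysgid" && chmod 2755 "$d/onlysgid"
    : > "$d/both"     && chmod 6755 "$d/both"
    printf '%s\n' "$d"
}

# Stand-alone usage: show both listings side by side on the constructed sample.
# On the sample, AND yields only "both"; OR yields "both", "onlysgid", "onlysuid".
if [ "${DEMO:-0}" = 1 ]; then
    dir=$(make_sample_dir)
    echo "suid AND sgid:"; suid_and_sgid "$dir"
    echo "suid OR sgid:";  suid_or_sgid "$dir"
    rm -rf "$dir"
fi
```

Run with DEMO=1 to print the two listings; point either helper at /bin instead of the sample directory to see which files the original (AND) state would have matched against the OR variant.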
From: [email protected]
[mailto:[email protected]] On Behalf Of Pravin Goyal
Sent: Wednesday, April 20, 2016 2:01 AM
To: [email protected]
Subject: [Open-scap] filter not working for file_object
Hi All,
This is on SLES 11 SP3 with OpenSCAP 1.2.5.
I am trying to do a check to find out suid and sgid files in /bin.
<file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
             id="oval:suid-test.test.com:obj:151"
             version="1"
             comment="find-all-suid-and-sgid-files">
  <behaviors recurse="directories" recurse_direction="down"
             recurse_file_system="local" max_depth="1"/>
  <path datatype="string" operation="equals">/bin</path>
  <filename datatype="string" operation="pattern match">.*</filename>
  <filter xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
          action="include">oval:suid-test.test.com:ste:30</filter>
</file_object>
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
            id="oval:suid-test.test.com:ste:30"
            version="1"
            comment="SRG-OS-000327-GPOS-00127-filter-include-suid-and sgid-files">
  <suid datatype="boolean" operation="equals">1</suid>
  <sgid datatype="boolean" operation="equals">1</sgid>
</file_state>
But, as soon as I apply the filter, no object gets collected. Is this a known
issue?
I also tried with filename regex as [a-z]+, but that does not work as well. Any
pointers please?
I can confirm that there are suid files in /bin.
/bin/eject
/bin/su
/bin/umount
/bin/mount
/bin/ping
/bin/ping6
If I remove the filter, all files under /bin are collected perfectly. So, I am
suspicious that the filter is breaking things.
Thanks and regards,
Pravin Goyal
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list