There isn't any way to do this the clever way (following the /etc/grub.conf symlink to wherever grub.conf actually lives), so for now at least I added a second path to check: the grub.conf location of a default EFI install.
Signed-off-by: Maura Dailey <[email protected]>
---
 RHEL6/input/checks/file_group_owner_grub_conf.xml | 18 +++++++++++++++---
 RHEL6/input/checks/file_user_owner_grub_conf.xml | 18 +++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/checks/file_group_owner_grub_conf.xml b/RHEL6/input/checks/file_group_owner_grub_conf.xml
index 3fc076a..4856fdf 100644
--- a/RHEL6/input/checks/file_group_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_group_owner_grub_conf.xml
@@ -1,14 +1,16 @@
 <def-group>
 <definition class="compliance" id="file_group_owner_grub_conf" version="1">
 <metadata>
- <title>File /boot/grub/grub.conf Owned By root Group </title>
+ <title>File grub.conf Owned By root Group </title>
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
- <description>The /boot/grub/grub.conf file should be owned by the root group.</description>
+ <description>The grub.conf file should be owned by the root group.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
 </metadata>
- <criteria>
+ <criteria operator="OR">
 <criterion test_ref="test_file_group_owner_grub_conf" />
+ <criterion test_ref="test_file_group_owner_efi_grub_conf" />
 </criteria>
 </definition>
 
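Review bot: The new `<criteria operator="OR">` combined with both file_tests keeping `check_existence="all_exist"` means a host on which both /boot/grub/grub.conf and /boot/efi/EFI/redhat/grub.conf exist passes as soon as either one is group-owned by root, so a non-root-owned copy at the other path is never reported. That does satisfy the stated goal of tolerating one absent path, but the stricter property a hardening check usually wants is that every grub.conf that is present is compliant. If I read OVAL existence semantics correctly, `check_existence="any_exist"` on both tests with `operator="AND"` gives that, each absent path then evaluating vacuously true; the trade-off is that a host with neither file would pass, so that variant needs a third test asserting at least one location exists. Whichever form is kept, a short XML comment above the criteria, e.g. `<!-- OR: BIOS installs keep grub.conf under /boot/grub, EFI installs under /boot/efi/EFI/redhat -->`, would stop the next reader from "fixing" the operator back to AND.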
@@ -17,11 +19,21 @@
 <unix:state state_ref="state_file_group_owner_grub_conf" />
 </unix:file_test>
 
+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_group_owner_efi_grub_conf" version="1">
+ <unix:object object_ref="object_file_group_owner_efi_grub_conf" />
+ <unix:state state_ref="state_file_group_owner_grub_conf" />
+ </unix:file_test>
+
 <unix:file_object comment="/boot/grub/grub.conf" id="object_file_group_owner_grub_conf" version="1">
 <unix:path>/boot/grub</unix:path>
 <unix:filename>grub.conf</unix:filename>
 </unix:file_object>
 
+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_group_owner_efi_grub_conf" version="1">
+ <unix:path>/boot/efi/EFI/redhat</unix:path>
+ <unix:filename>grub.conf</unix:filename>
+ </unix:file_object>
+
 <unix:file_state id="state_file_group_owner_grub_conf" version="1">
 <unix:group_id datatype="int">0</unix:group_id>
 </unix:file_state>
diff --git a/RHEL6/input/checks/file_user_owner_grub_conf.xml b/RHEL6/input/checks/file_user_owner_grub_conf.xml
index 53d5e2f..290d883 100644
--- a/RHEL6/input/checks/file_user_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml
@@ -1,14 +1,16 @@
 <def-group>
 <definition class="compliance" id="file_user_owner_grub_conf" version="1">
 <metadata>
- <title>File /boot/grub/grub.conf Owned By root User</title>
+ <title>File grub.conf Owned By root User</title>
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
- <description>The /boot/grub/grub.conf file should be owned by the root user.</description>
+ <description>The grub.conf file should be owned by the root user.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
 </metadata>
- <criteria>
+ <criteria operator="OR">
 <criterion test_ref="test_file_user_owner_grub_conf" />
+ <criterion test_ref="test_file_user_owner_efi_grub_conf" />
 </criteria>
 </definition>
 
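Review bot: The comment on the added `test_file_group_owner_efi_grub_conf` reads `/boot/efi/EFI/redhat/grub.conf owned by root`, yet the state it references, `state_file_group_owner_grub_conf`, asserts `group_id` 0, so the wording describes the user-owner sibling definition rather than this one. I would write `comment="/boot/efi/EFI/redhat/grub.conf group-owned by root"` so that the group and user tests stay distinguishable when their results are read side by side in a report. The new object correctly reuses the existing group_id state rather than duplicating it, which is the right call. The enclosing `<def-group>` opens and closes outside this hunk.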
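Review bot: The rewritten title and description now say only `grub.conf`, dropping the path the old text carried, so a reader of the result can no longer tell which file was evaluated or that two candidate locations are tried by the OR criteria below. I would keep the paths in the description, e.g. `<description>The grub.conf file (/boot/grub/grub.conf on a BIOS install, or /boot/efi/EFI/redhat/grub.conf on an EFI install) should be owned by the root user.</description>`, and leave the shortened title as it is. The group-owner definition in the first file gets the same shortening, so the two descriptions should be kept in step.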
@@ -17,11 +19,21 @@
 <unix:state state_ref="state_file_user_owner_grub_conf" />
 </unix:file_test>
 
+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_user_owner_efi_grub_conf" version="1">
+ <unix:object object_ref="object_file_user_owner_efi_grub_conf" />
+ <unix:state state_ref="state_file_user_owner_grub_conf" />
+ </unix:file_test>
+
 <unix:file_object comment="/boot/grub/grub.conf" id="object_file_user_owner_grub_conf" version="1">
 <unix:path>/boot/grub</unix:path>
 <unix:filename>grub.conf</unix:filename>
 </unix:file_object>
 
+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_user_owner_efi_grub_conf" version="1">
+ <unix:path>/boot/efi/EFI/redhat</unix:path>
+ <unix:filename>grub.conf</unix:filename>
+ </unix:file_object>
+
 <unix:file_state id="state_file_user_owner_grub_conf" version="1">
 <unix:user_id datatype="int">0</unix:user_id>
 </unix:file_state>
--
1.7.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
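Review bot: The added `object_file_user_owner_efi_grub_conf` pins `<unix:path>` to the literal `/boot/efi/EFI/redhat`, so an EFI install whose grub.conf sits under a differently named vendor directory is not inspected at all and, with /boot/grub/grub.conf also absent, the definition fails without ever looking at the real file. The commit message accepts this for a default install; if wider coverage is wanted, `<unix:path operation="pattern match">^/boot/efi/EFI/[^/]+$</unix:path>` together with the test's existing `check="all"` would require every grub.conf found under /boot/efi/EFI to be root-owned, with the caveat that other operating systems' directories on a shared ESP would be evaluated too. Either way a short comment on the object, e.g. `<!-- default RHEL 6 EFI location; per the commit message /etc/grub.conf points here on EFI installs -->`, would record why a second object exists. The enclosing `<def-group>` opens and closes outside this hunk.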
