It looks like I made a typo in one of the criteria that caused this issue. I fixed that and resubmitted.
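A small consistency lint that catches the kind of criteria typo mentioned above, added here as an example that is not part of the original thread or of the scap-security-guide project. The def-group it parses is a constructed sample shaped like the submitted check; the ids in it are assumptions, not the project's.

```python
# Added example, not from the thread or the scap-security-guide project: a
# consistency lint for an OVAL def-group that catches a criterion test_ref
# listed twice, a test never referenced, and dangling object_ref/filter ids.
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed sample shaped like the submitted def-group: the criterion is
# duplicated and test_sbin_files points at an object that does not exist.
SAMPLE = """<def-group xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
 <definition class="compliance" id="file_ownership_binary_dirs" version="1">
  <criteria operator="AND">
   <criterion test_ref="test_bin_files" />
   <criterion test_ref="test_bin_files" />
  </criteria>
 </definition>
 <unix:file_test check="all" check_existence="none_exist" id="test_bin_files" version="1">
  <unix:object object_ref="object_bin_files" />
 </unix:file_test>
 <unix:file_test check="all" check_existence="none_exist" id="test_sbin_files" version="1">
  <unix:object object_ref="object_sbin_files" />
 </unix:file_test>
 <unix:file_object id="object_bin_files" version="1">
  <filter action="include">state_owner_not_root</filter>
 </unix:file_object>
 <unix:file_state id="state_owner_not_root" version="1" />
</def-group>"""
def local(tag):  # strip the {namespace} prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]
def lint_def_group(xml_text):
    """Return sorted problem strings; an empty list means the group is consistent."""
    root = ET.fromstring(xml_text)
    refs = Counter(c.get("test_ref") for c in root.iter() if local(c.tag) == "criterion")
    ids = {"test": set(), "object": set(), "state": set()}  # defined ids by kind
    for el in root.iter():
        kind = local(el.tag).rsplit("_", 1)[-1]  # file_test -> test, file_object -> object
        if "_" in local(el.tag) and kind in ids:
            ids[kind].add(el.get("id"))
    problems = []
    for ref, n in refs.items():
        if n > 1:
            problems.append(f"criterion {ref} is referenced {n} times")
        if ref not in ids["test"]:
            problems.append(f"criterion {ref} has no matching test")
    problems += [f"test {t} is defined but never referenced" for t in ids["test"] - set(refs)]
    for el in root.iter():
        if el.get("object_ref") and el.get("object_ref") not in ids["object"]:
            problems.append(f"object_ref {el.get('object_ref')} is not defined")
        if local(el.tag) == "filter" and el.text not in ids["state"]:
            problems.append(f"filter {el.text} is not defined")
    return sorted(problems)
```

Run against a real checks/*.xml file the three findings on the sample become a short list of ids to fix before the definition is evaluated by testcheck.py.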
From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Wells
Sent: Tuesday, October 01, 2013 11:24 AM
To: [email protected]
Subject: Re: [PATCH] Added OVAL content for the file_ownership_binary_dirs rule as the file file_ownership_binary_dirs.xml and added the oval id to the corresponding XCCDF content in files.xml

You're encountering the same issue I did... perhaps I'm the LCD here... ;)

Check out results for /usr/local/bin below. I ran the following to ensure everything is root before testing:

[shawn@SSG-RHEL6 checks]$ sudo bash
[root@SSG-RHEL6 checks]# DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
[root@SSG-RHEL6 checks]# for dirPath in $DIRS; do
> find $dirPath \! -user root -exec chown root '{}' \;
> done
[root@SSG-RHEL6 checks]# exit
exit
[shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml
Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsU1mqUp.xml
Writing results to : /tmp/file_ownership_binary_dirsU1mqUp.xml-results
Definition oval:scap-security-guide.testing:def:261: true
Evaluation done.

On 10/1/13 10:06 AM, Caleb Cooper wrote:
Signed-off-by: Caleb Cooper <[email protected]>
---
 RHEL6/input/checks/file_ownership_binary_dirs.xml | 163 +++++++++++++++++++++
 1 files changed, 163 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/file_ownership_binary_dirs.xml

diff --git a/RHEL6/input/checks/file_ownership_binary_dirs.xml b/RHEL6/input/checks/file_ownership_binary_dirs.xml
new file mode 100644
index 0000000..b787191
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_binary_dirs.xml
@@ -0,0 +1,163 @@ +<def-group> + <definition class="compliance" id="file_ownership_binary_dirs" version="1"> + <metadata> + <title>Verify that System Executables Have Root Ownership</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and objects therein, are owned by root</description> + <reference source="swells" ref_id="20130914" ref_url="test_attestation" /> + </metadata> + <criteria operator="AND"> + <criterion test_ref="test_ownership_bin_dir" /> + <criterion test_ref="test_ownership_sbin_dir" /> + <criterion test_ref="test_ownership_usr_bin_dir" /> + <criterion test_ref="test_ownership_usr_sbin_dir" /> + <criterion test_ref="test_ownership_usr_local_bin_dir" /> + <criterion test_ref="test_ownership_usr_local_bin_dir" /> + <criterion test_ref="test_ownership_bin_files" /> + <criterion test_ref="test_ownership_sbin_files" /> + <criterion test_ref="test_ownership_usr_bin_files" /> + <criterion test_ref="test_ownership_usr_sbin_files" /> + <criterion test_ref="test_ownership_usr_local_sbin_files" /> + <criterion test_ref="test_ownership_usr_local_sbin_files" /> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="none_exist" comment="/bin directories uid root" id="test_ownership_bin_dir" version="1"> + <unix:object object_ref="file_ownership_object_bin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/bin files uid root" id="test_ownership_bin_files" version="1"> + <unix:object object_ref="object_file_ownership_bin_files" /> + </unix:file_test> + + <unix:file_object comment="/lib directories" id="file_ownership_object_bin_dir" version="1"> Minor note: lib/bin in comment + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/bin</unix:path> + <unix:filename 
xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_object comment="/bin files" id="object_file_ownership_bin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/bin</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + .... testing for non-root under /bin...... [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /bin/awk [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs6eQhsR.xml Writing results to : /tmp/file_ownership_binary_dirs6eQhsR.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done. + <unix:file_test check="all" check_existence="none_exist" comment="/sbin directories uid root" id="test_ownership_sbin_dir" version="1"> + <unix:object object_ref="object_file_ownership_sbin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/sbin files uid root" id="test_ownership_sbin_files" version="1"> + <unix:object object_ref="object_file_ownership_sbin_files" /> + </unix:file_test> + + <unix:file_object comment="/sbin directories" id="object_file_ownership_sbin_dir" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/sbin</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_object comment="/sbin files" id="object_file_ownership_sbin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/sbin</unix:path> + <unix:filename operation="pattern 
match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> ..... testing for non-root under /sbin ..... [shawn@SSG-RHEL6 checks]$ sudo rm /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /sbin/addpart [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsu4wrQh.xml Writing results to : /tmp/file_ownership_binary_dirsu4wrQh.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done. + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin directories uid root" id="test_ownership_usr_bin_dir" version="1"> + <unix:object object_ref="object_file_ownership_usr_bin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin files uid root" id="test_ownership_usr_bin_files" version="1"> + <unix:object object_ref="object_file_ownership_usr_bin_files" /> + </unix:file_test> + + <unix:file_object comment="/usr/bin directories" id="object_file_ownership_usr_bin_dir" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/bin</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_object comment="/usr/bin files" id="object_file_ownership_usr_bin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/bin</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> ..... testing for non-root under /usr/bin ..... 
[shawn@SSG-RHEL6 checks]$ sudo chown root:root /bin/awk [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs2wHH6V.xml Writing results to : /tmp/file_ownership_binary_dirs2wHH6V.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done. + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin directories uid root" id="test_ownership_usr_sbin_dir" version="1"> + <unix:object object_ref="object_file_ownership_usr_sbin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin files uid root" id="test_ownership_usr_sbin_files" version="1"> + <unix:object object_ref="object_file_ownership_usr_sbin_files" /> + </unix:file_test> + + <unix:file_object comment="/usr/sbin directories" id="object_file_ownership_usr_sbin_dir" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/sbin</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_object comment="/usr/sbin files" id="object_file_ownership_usr_sbin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/sbin</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> ..... testing for non-root under /usr/sbin ..... 
[shawn@SSG-RHEL6 checks]$ sudo chown root:root /sbin/addpart [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsddwRzZ.xml Writing results to : /tmp/file_ownership_binary_dirsddwRzZ.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done. + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin directories uid root" id="test_ownership_usr_local_bin_dir" version="1"> + <unix:object object_ref="object_file_ownership_usr_local_bin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin files uid root" id="test_ownership_usr_local_bin_files" version="1"> + <unix:object object_ref="object_file_ownership_usr_local_bin_files" /> + </unix:file_test> + + <unix:file_object comment="/usr/local/bin directories" id="object_file_ownership_usr_local_bin_dir" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/local/bin</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> ..... testing for non-root under /usr/local/bin ..... [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/bin/filetest ; sudo chown shawn:shawn /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsno1sSt.xml Writing results to : /tmp/file_ownership_binary_dirsno1sSt.xml-results Definition oval:scap-security-guide.testing:def:261: true Evaluation done. [shawn@SSG-RHEL6 checks]$ ll /usr/local/bin/filetest -rw-r--r--. 
1 shawn shawn 0 Oct 1 00:09 /usr/local/bin/filetest + + <unix:file_object comment="/usr/local/bin files" id="object_file_ownership_usr_local_bin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/local/bin</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin directories uid root" id="test_ownership_usr_local_sbin_dir" version="1"> + <unix:object object_ref="object_file_ownership_usr_local_sbin_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin files uid root" id="test_ownership_usr_local_sbin_files" version="1"> + <unix:object object_ref="object_file_ownership_usr_local_sbin_files" /> + </unix:file_test> + + <unix:file_object comment="/usr/local/sbin directories" id="object_file_ownership_usr_local_sbin_dir" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/local/sbin</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> + + <unix:file_object comment="/usr/local/sbin files" id="object_file_ownership_usr_local_sbin_files" version="1"> + <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> + <unix:path operation="equals">/usr/local/sbin</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_owner_not_root</filter> + </unix:file_object> ..... testing for non-root under /usr/local/sbin ..... 
[shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/sbin/test ; sudo chown shawn:shawn /usr/local/sbin/test [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirszY6fXL.xml Writing results to : /tmp/file_ownership_binary_dirszY6fXL.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done. + + <unix:file_state id="state_owner_not_root" version="1" operator="OR"> +<!-- <unix:group_id datatype="int" operation="not equal">0</unix:group_id> --> + <unix:user_id datatype="int" operation="not equal">0</unix:user_id> + </unix:file_state> +</def-group>
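Review bot: in the <criteria> block, test_ownership_usr_local_bin_dir and test_ownership_usr_local_sbin_files are each listed twice while test_ownership_usr_local_sbin_dir and test_ownership_usr_local_bin_files are never referenced, so a non-root file under /usr/local/bin cannot fail the definition; that is exactly the "true" result above after /usr/local/bin/filetest was chowned to shawn:shawn. The two duplicate lines should read `<criterion test_ref="test_ownership_usr_local_sbin_dir" />` and `<criterion test_ref="test_ownership_usr_local_bin_files" />`. Two smaller points: the /bin directory object is named file_ownership_object_bin_dir while every other object follows the object_file_ownership_* pattern, and its comment reads "/lib directories" (already noted inline); and state_owner_not_root keeps operator="OR" with only the user_id child live, so either drop the commented-out group_id line or, if group ownership is meant to be enforced by this rule, restore it and say so in the description.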
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
