----- Original Message ----- > From: "Shawn Wells" <[email protected]> > To: [email protected] > Sent: Thursday, December 5, 2013 8:18:38 AM > Subject: Re: [PATCH] [Fedora] Add OVAL check for Verify that Shared Library > Files Have Restrictive Permissions > > On 12/4/13, 10:03 AM, Jan Lieskovsky wrote: > > > > This patch adds OVAL check for 'Verify that Shared Library Files Have > Restrictive Permissions' > rule for Fedora. > > It is a re-implementation / simplification against currently used RHEL-6 > form: > [1] > > https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/checks/file_permissions_library_dirs.xml > Instead of having dedicated tests for each of /lib, /lib64, /usr/lib && > /usr/lib64 > directories (and checking based on 'equals' operation), it uses just one test > for each of library permissions checks and files' permissions within those > libraries > check (and checks based on 'pattern match' operation). > > Passed basic sanity && regression testing. > > Please review (especially in relation with existing RHEL-6 form if > we would like to use this proposal also for particular RHEL-6 OVAL check > in the future). > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Technologies Team > > 0001-Fedora-Add-OVAL-check-for-Verify-that-Shared-Library.patch > From 569de3bfcf8c65951b3b1c6ec4f59bd66511b367 Mon Sep 17 00:00:00 2001 > From: Jan Lieskovsky <[email protected]> Date: Wed, 4 Dec 2013 15:54:15 > +0100 > Subject: [PATCH] [Fedora] Add OVAL check for Verify that Shared Library Files > Have Restrictive Permissions > > Signed-off-by: Jan Lieskovsky <[email protected]> --- > .../input/checks/file_permissions_library_dirs.xml | 52 > ++++++++++++++++++++++ > Fedora/input/system/permissions/files.xml | 2 +- > Fedora/scap-security-guide.spec | 1 + > 3 files changed, 54 insertions(+), 1 deletion(-) > create mode 100644 Fedora/input/checks/file_permissions_library_dirs.xml 
> > diff --git a/Fedora/input/checks/file_permissions_library_dirs.xml > b/Fedora/input/checks/file_permissions_library_dirs.xml > new file mode 100644 > index 0000000..cce15a5 > --- /dev/null > +++ b/Fedora/input/checks/file_permissions_library_dirs.xml 
> @@ -0,0 +1,52 @@ > +<def-group> > + <definition class="compliance" id="file_permissions_library_dirs" > version="1"> > + <metadata> > + <title>Verify that Shared Library Files Have Restrictive > Permissions</title> > + <affected family="unix"> > + <platform>Fedora 19</platform> > + </affected> > + <description> > + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and > + objects therein, are not group-writable or world-writable. > + </description> > + </metadata> > + <criteria operator="AND"> > + <criterion test_ref="test_perms_lib_dir" /> > + <criterion test_ref="test_perms_lib_files" /> > + </criteria> > + </definition> > + > + <unix:file_test check="all" check_existence="none_exist" comment="library > directories go-w" id="test_perms_lib_dir" version="1"> > + <unix:object object_ref="object_file_permissions_lib_dir" /> > + </unix:file_test> > + > + <unix:file_test check="all" check_existence="none_exist" comment="library > files go-w" id="test_perms_lib_files" version="1"> > + <unix:object object_ref="object_file_permissions_lib_files" /> > + </unix:file_test> > + > + <unix:file_object comment="library directories" > id="object_file_permissions_lib_dir" version="1"> > + <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe > permissions (go-w) --> > + <unix:path operation="pattern > match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> > + <unix:filename xsi:nil="true" /> > + <filter action="include">state_perms_nogroupwrite_noworldwrite</filter> > + <filter action="exclude">perms_state_symlink</filter> > + </unix:file_object> > + > + <unix:file_object comment="library files" > id="object_file_permissions_lib_files" version="1"> > + <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 > directories have safe permissions (go-w) --> > + <unix:path operation="pattern > match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> > + <unix:filename operation="pattern match">^.*$</unix:filename> > + <filter 
action="include">state_perms_nogroupwrite_noworldwrite</filter> > + <filter action="exclude">perms_state_symlink</filter> > + </unix:file_object> > + > + <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" > operator="OR"> > + <unix:gwrite datatype="boolean">true</unix:gwrite> > + <unix:owrite datatype="boolean">true</unix:owrite> > + </unix:file_state> > + > + <unix:file_state id="perms_state_symlink" version="1"> > + <unix:type operation="equals">symbolic link</unix:type> > + </unix:file_state> > + > +</def-group> > diff --git a/Fedora/input/system/permissions/files.xml > b/Fedora/input/system/permissions/files.xml > index c15482c..a9bfd93 100644 > --- a/Fedora/input/system/permissions/files.xml > +++ b/Fedora/input/system/permissions/files.xml > @@ -30,7 +30,7 @@ runtime. Restrictive permissions are necessary to protect > the integrity of the > system. > </rationale> > <ref nist="AC-6" disa="1499"/> > -<!-- <oval id="file_permissions_library_dirs" /> --> > +<oval id="file_permissions_library_dirs" /> > </Rule> > > <Rule id="file_ownership_library_dirs" severity="medium"> > diff --git a/Fedora/scap-security-guide.spec > b/Fedora/scap-security-guide.spec > index cd3ff7e..356d024 100644 > --- a/Fedora/scap-security-guide.spec > +++ b/Fedora/scap-security-guide.spec > @@ -56,6 +56,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 > %{buildroot}%{_mandir}/en/man > %changelog > * Mon Dec 02 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc9-1 > - Fix remediation for Disable Prelinking rule > +- OVAL check for Verify that Shared Library Files Have Restrictive > Permissions > > * Fri Nov 29 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc8-1 > - OVAL check and remediation for sshd's ClientAliveCountMax rule > -- > 1.8.3.1 > > This is much cleaner. Ack to the code. > > Should we start the scap-security-guide/shared/oval/ directory now, instead > of placing within Fedora/input/checks/ directly?
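Review bot: The path pattern `^\/lib(|64)|^\/usr\/lib(|64)` used by both `unix:file_object` entries is anchored only at the start, so it matches every path that merely begins with `/lib` or `/usr/lib`, which pulls `/usr/libexec` and everything under it into the check although the rule's title and description cover only `/lib`, `/lib64`, `/usr/lib`, `/usr/lib64` and `/lib/modules`. Anchoring the directory component, e.g. `^/(usr/)?lib(64)?(/.*)?$`, keeps the descent into subdirectories the pattern-match approach relies on (so `/lib/modules` is still covered) while limiting it to the trees the rule names. Two smaller points: the state id `state_perms_nogroupwrite_noworldwrite` describes the desired condition, but the state itself (operator="OR" over gwrite=true and owrite=true) matches the violating objects and is used as the include filter, so a name such as `state_perms_groupwrite_or_worldwrite` would say what it does; and the comment in `object_file_permissions_lib_dir` lists only the four lib directories while the description also names `/lib/modules`, so the two should agree.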
I will try to see what can be done (try to come up with a patch proposal having a shared/oval directory) and start using it (we can return to the current scheme [should some issues be found later] at any time).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
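The definition in the quoted patch, read as a plain script: the following Python is an added example, not code from the patch, from the thread, or from scap-security-guide. It walks a constructed directory tree standing in for "/", reports every directory or file under /lib, /lib64, /usr/lib and /usr/lib64 that is group- or world-writable, and skips symbolic links, which is what the two file_objects, the gwrite/owrite state and the symlink exclude filter together evaluate. The scope regex `^/(usr/)?lib(64)?(/|$)`, the function names and the sample layout are this example's own assumptions (the patch's path pattern is `^\/lib(|64)|^\/usr\/lib(|64)`, unanchored at the end).

```python
"""Added example (not from the patch or the thread): a plain-Python reading of
the OVAL definition 'file_permissions_library_dirs'.  It reports every
directory or file under /lib, /lib64, /usr/lib and /usr/lib64 that is
group- or world-writable, skipping symbolic links, and runs against a
constructed sample tree instead of the live filesystem."""
import os
import re
import shutil
import stat
import tempfile

# Scope of the rule, anchored on the directory component so that siblings that
# merely share the prefix (e.g. /usr/libexec) stay out of scope.  This regex is
# an assumption of this example; the patch uses an unanchored pattern.
LIB_PATH_RE = re.compile(r"^/(usr/)?lib(64)?(/|$)")


def in_scope(abs_path: str) -> bool:
    """True if abs_path is one of the four library trees or lies inside one."""
    return LIB_PATH_RE.match(abs_path) is not None


def writable_by_group_or_other(mode: int) -> bool:
    """Same condition as the OVAL state: gwrite OR owrite is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_violations(root: str) -> list:
    """Walk root (standing in for '/') and return, sorted, the paths of in-scope
    objects that are group- or world-writable.  Symlinks are skipped, as the
    definition's exclude filter does; os.walk does not follow them either."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            abs_path = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if not in_scope(abs_path):
                continue
            st = os.lstat(full)  # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by_group_or_other(st.st_mode):
                hits.append(abs_path)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed layout for a self-contained run (not a real Fedora system)."""
    root = tempfile.mkdtemp(prefix="libperms-")

    def mk(rel, mode=0o755, is_dir=False, link_to=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if link_to is not None:
            os.symlink(link_to, path)
            return
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode)

    mk("usr/lib", is_dir=True)
    mk("usr/lib/libgood.so.1", 0o755)
    mk("usr/lib/libbad.so.1", 0o775)        # group-writable file: reported
    mk("usr/lib64", 0o777, is_dir=True)     # world-writable directory: reported
    mk("usr/libexec", 0o777, is_dir=True)   # shares the prefix only: ignored
    mk("usr/libexec/helper", 0o777)
    mk("lib", link_to="usr/lib")            # UsrMove-style symlink: skipped
    return root


def remove_sample_tree(root: str) -> None:
    """Delete the constructed tree again."""
    shutil.rmtree(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for hit in find_violations(sample):
            print("group/world-writable:", hit)
    finally:
        remove_sample_tree(sample)
```

Run directly it prints the two offending entries of the sample tree; pointing find_violations at a real root directory evaluates the same condition an OVAL interpreter applies for this definition, with the symlink skip mattering on Fedora, where /lib and /lib64 are links into /usr.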
