Based on thread: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/thread.html#4585
this patch adds the first OVAL check into the scap-security-guide/shared/oval directory and modifies the main Makefile w.r.t. building Fedora packages, so that it includes the OVAL checks provided directly in the input/checks directory together with those linked from the shared/ directory. For now I didn't change the value of the <platform> element (I didn't implement the XSLT transformation for it to be modified automatically based on the underlying system version the content is built on); I will do this in the next steps, once we have agreed on the expected form of the test_attestation element. Passed basic sanity && regression testing on a Fedora system. RHEL-6 content has been intentionally kept intact until the moment we are sure about the final shared OVAL check form. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From f03e520893fbbff9ec3dddd44ebd71e1065702a7 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 5 Dec 2013 19:15:53 +0100 Subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule Signed-off-by: Jan Lieskovsky <[email protected]> --- .../input/checks/file_permissions_library_dirs.xml | 1 + Fedora/input/system/permissions/files.xml | 2 +- Fedora/scap-security-guide.spec | 6 ++- Makefile | 3 ++ shared/oval/file_permissions_library_dirs.xml | 52 ++++++++++++++++++++++ 5 files changed, 62 insertions(+), 2 deletions(-) create mode 120000 Fedora/input/checks/file_permissions_library_dirs.xml create mode 100644 shared/oval/file_permissions_library_dirs.xml diff --git a/Fedora/input/checks/file_permissions_library_dirs.xml b/Fedora/input/checks/file_permissions_library_dirs.xml new file mode 120000 index 0000000..6aaa43e --- /dev/null +++ b/Fedora/input/checks/file_permissions_library_dirs.xml @@ -0,0 +1 @@ +../../../shared/oval/file_permissions_library_dirs.xml \ No newline at end of file diff --git a/Fedora/input/system/permissions/files.xml b/Fedora/input/system/permissions/files.xml index c15482c..a9bfd93 100644 --- a/Fedora/input/system/permissions/files.xml +++ b/Fedora/input/system/permissions/files.xml @@ -30,7 +30,7 @@ runtime. Restrictive permissions are necessary to protect the integrity of the system. </rationale> <ref nist="AC-6" disa="1499"/> -<!-- <oval id="file_permissions_library_dirs" /> --> +<oval id="file_permissions_library_dirs" /> </Rule> <Rule id="file_ownership_library_dirs" severity="medium"> diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index cd3ff7e..63057ec 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec 
@@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgversion 4.rc9 +%global fedorassgversion 4.rc10 Name: scap-security-guide Version: 0.1.%{fedorassgversion} @@ -54,6 +54,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html %changelog +* Thu Dec 05 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc10-1 +- Shared OVAL check for Verify that Shared Library Files Have Restrictive + Permissions + * Mon Dec 02 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc9-1 - Fix remediation for Disable Prelinking rule diff --git a/Makefile b/Makefile index 3aa12b5..edba4e0 100644 --- a/Makefile +++ b/Makefile @@ -83,6 +83,9 @@ fedora-tarball: # Copy the source tree for Fedora content cp -r Fedora $(RPM_TMPDIR)/$(FEDORA_PKG) + # Copy the source tree for shared OVAL / XCCDF content + cp -r shared $(RPM_TMPDIR)/$(FEDORA_PKG) + # Don't trust the developers, clean out the build # environment before packaging cd $(RPM_TMPDIR)/$(FEDORA_PKG)/Fedora && $(MAKE) clean diff --git a/shared/oval/file_permissions_library_dirs.xml b/shared/oval/file_permissions_library_dirs.xml new file mode 100644 index 0000000..cce15a5 --- /dev/null +++ b/shared/oval/file_permissions_library_dirs.xml 
@@ -0,0 +1,52 @@ +<def-group> + <definition class="compliance" id="file_permissions_library_dirs" version="1"> + <metadata> + <title>Verify that Shared Library Files Have Restrictive Permissions</title> + <affected family="unix"> + <platform>Fedora 19</platform> + </affected> + <description> + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are not group-writable or world-writable. + </description> + </metadata> + <criteria operator="AND"> + <criterion test_ref="test_perms_lib_dir" /> + <criterion test_ref="test_perms_lib_files" /> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1"> + <unix:object object_ref="object_file_permissions_lib_dir" /> + </unix:file_test> + + <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1"> + <unix:object object_ref="object_file_permissions_lib_files" /> + </unix:file_test> + + <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1"> + <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) --> + <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> + <unix:filename xsi:nil="true" /> + <filter action="include">state_perms_nogroupwrite_noworldwrite</filter> + <filter action="exclude">perms_state_symlink</filter> + </unix:file_object> + + <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1"> + <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) --> + <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> + <unix:filename operation="pattern match">^.*$</unix:filename> + <filter action="include">state_perms_nogroupwrite_noworldwrite</filter> + <filter action="exclude">perms_state_symlink</filter> + 
</unix:file_object> + + <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR"> + <unix:gwrite datatype="boolean">true</unix:gwrite> + <unix:owrite datatype="boolean">true</unix:owrite> + </unix:file_state> + + <unix:file_state id="perms_state_symlink" version="1"> + <unix:type operation="equals">symbolic link</unix:type> + </unix:file_state> + +</def-group> -- 1.8.3.1
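Review bot: In the Makefile hunk, the new `cp -r shared $(RPM_TMPDIR)/$(FEDORA_PKG)` is what lets the relative symlink Fedora/input/checks/file_permissions_library_dirs.xml -> ../../../shared/oval/file_permissions_library_dirs.xml resolve inside the Fedora tarball, but neither the Makefile comment nor the spec records that dependency; a one-line comment next to the copy ("required by the symlinks in Fedora/input/checks") and a check that the packaging step preserves symlinks rather than dereferencing them would make the layout less fragile for the next person who touches fedora-tarball.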
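Review bot: In the shared/oval/file_permissions_library_dirs.xml hunk, the path pattern `^\/lib(|64)|^\/usr\/lib(|64)` is anchored only at the start, so besides /lib, /lib64, /usr/lib, /usr/lib64 and their subtrees it also matches any path that merely begins with those prefixes (for example /usr/libexec); anchoring the alternatives, e.g. `^\/lib(|64)(\/.*)?$|^\/usr\/lib(|64)(\/.*)?$`, keeps the scope to the directories the description names. The same hunk hardcodes `<platform>Fedora 19</platform>` in a file intended to be shared across products; the cover letter flags the XSLT substitution as a follow-up, so an XML comment at that element saying so would help reviewers who see only the check. The `check_existence="none_exist"` tests combined with the `operator="OR"` gwrite/owrite state and the symlink exclusion filter are the right shape: each test passes only when no non-symlink object in scope is group- or world-writable.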
