On 12/6/13, 12:20 PM, Jan Lieskovsky wrote:
This patch adds the following to Fedora (all three are rewritten /
simplified versions of existing RHEL-6 OVAL checks):
* OVAL check for Verify that Shared Library Files Have Root Ownership
* OVAL check for Verify that System Executables Have Restrictive Permissions
* OVAL check for Verify that System Executables Have Root Ownership

While all three of the provided OVAL checks could be placed into the shared
directory, for now I will keep them under the Fedora input directory till
there's support for XSLT platform rewrite transformation in shared etc.

When their time comes, they can be moved to shared together with
platform attestations (past testing on RHEL-6 too).

Passed basic sanity testing on Fedora.

Please review (mainly if existing RHEL-6 ones could be
possibly replaced with these).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

Ack.

I applied this locally, copied the OVAL into shared/, rm'd the RHEL6 version, soft linked shared into RHEL6/input/checks, then updated the platform tag to be:
      <affected family="unix">
        <platform>Fedora 19</platform>
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>

Ran 'make content' on RHEL6, and the scan worked correctly. IMO there's no need to wait until the XSLT is complete as this could get us moving forward. Don't particularly have a strong opinion on it though, so whatever you think is best!

0001-Fedora-Add-OVAL-check-for-Verify-that-Shared-Library.patch

 From 02e08662c6d02f58e6a053492f87c436eb5b851a Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Fri, 6 Dec 2013 17:52:25 +0100
Subject: [PATCH] [Fedora] Add OVAL check for Verify that Shared Library Files
  Have Root Ownership [Fedora] Add OVAL check for Verify that System
  Executables Have Restrictive Permissions [Fedora] Add OVAL check for Verify
  that System Executables Have Root Ownership

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  Fedora/input/checks/file_ownership_binary_dirs.xml | 47 ++++++++++++++++++++++
  .../input/checks/file_ownership_library_dirs.xml   | 45 +++++++++++++++++++++
  .../input/checks/file_permissions_binary_dirs.xml  | 40 ++++++++++++++++++
  Fedora/input/system/permissions/files.xml          |  6 +--
  Fedora/scap-security-guide.spec                    |  7 +++-
  5 files changed, 141 insertions(+), 4 deletions(-)
  create mode 100644 Fedora/input/checks/file_ownership_binary_dirs.xml
  create mode 100644 Fedora/input/checks/file_ownership_library_dirs.xml
  create mode 100644 Fedora/input/checks/file_permissions_binary_dirs.xml

diff --git a/Fedora/input/checks/file_ownership_binary_dirs.xml 
b/Fedora/input/checks/file_ownership_binary_dirs.xml
new file mode 100644
index 0000000..b6d0eec
--- /dev/null
+++ b/Fedora/input/checks/file_ownership_binary_dirs.xml
@@ -0,0 +1,47 @@
+<def-group>
+  <definition class="compliance" id="file_ownership_binary_dirs" version="1">
+    <metadata>
+      <title>Verify that System Executables Have Root Ownership</title>
+      <affected family="unix">
+        <platform>Fedora 19</platform>
+      </affected>
+      <description>
+        Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
+        /usr/local/sbin, and objects therein, are owned by root.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_ownership_binary_directories" />
+      <criterion test_ref="test_ownership_binary_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="binary directories uid root" 
id="test_ownership_binary_directories" version="1">
+    <unix:object object_ref="object_file_ownership_binary_directories" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="binary files uid root" 
id="test_ownership_binary_files" version="1">
+    <unix:object object_ref="object_file_ownership_binary_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="binary directories" 
id="object_file_ownership_binary_directories" version="1">
+    <!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and
+         /usr/local/sbin directories belong to user with uid 0 (root) -->
+    <unix:path operation="pattern 
match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_binaries_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="binary files" id="object_file_ownership_binary_files" 
version="1">
+    <!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, 
/usr/local/bin, and
+         /usr/local/sbin directories belong to user with uid 0 (root) -->
+    <unix:path operation="pattern 
match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+   <filter action="include">state_owner_binaries_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_owner_binaries_not_root" version="1" 
operator="OR">
+    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+  </unix:file_state>
+
+</def-group>
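Review bot: both unix:path patterns in this hunk, `^\/(|s)bin|^\/usr\/(|local\/)(|s)bin`, have no end anchor, and OVAL "pattern match" is a search, so any directory whose path merely begins with one of those strings is selected (`/usr/binaries`, and every subdirectory under `/usr/bin`); if the intent is the six listed directories and their direct contents, end each alternative with `$`, and if a recursive walk is intended, state that in the description. The comment `<!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, ...` repeats `/usr/sbin` where `/usr/bin` is meant. Also worth confirming on Fedora 19, where `/bin` and `/sbin` are symlinks into `/usr` since UsrMove, that the probe either follows them or that the `/usr` alternatives alone give the intended coverage. Minor style: `operator="OR"` on a file_state with a single entity is a no-op (the library counterpart omits it), and the `<filter>` line in object_file_ownership_binary_files is indented one column short of its siblings.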
diff --git a/Fedora/input/checks/file_ownership_library_dirs.xml 
b/Fedora/input/checks/file_ownership_library_dirs.xml
new file mode 100644
index 0000000..09c408e
--- /dev/null
+++ b/Fedora/input/checks/file_ownership_library_dirs.xml
@@ -0,0 +1,45 @@
+<def-group>
+  <definition class="compliance" id="file_ownership_library_dirs" version="1">
+    <metadata>
+      <title>Verify that Shared Library Files Have Root Ownership</title>
+      <affected family="unix">
+        <platform>Fedora 19</platform>
+      </affected>
+      <description>
+        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+        objects therein, are owned by root.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_ownership_lib_dir" />
+      <criterion test_ref="test_ownership_lib_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="library directories uid root" 
id="test_ownership_lib_dir" version="1">
+    <unix:object object_ref="object_file_ownership_lib_dir" />
+  </unix:file_test>
+
+  <unix:file_test  check="all" check_existence="none_exist" comment="library files uid root" 
id="test_ownership_lib_files" version="1">
+    <unix:object object_ref="object_file_ownership_lib_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" 
version="1">
+    <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to 
user with uid 0 (root) -->
+    <unix:path operation="pattern 
match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_owner_libraries_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="library files" id="object_file_ownership_lib_files" 
version="1">
+    <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 
directories belong to user with uid 0 (root) -->
+    <unix:path operation="pattern 
match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+   <filter action="include">state_owner_libraries_not_root</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_owner_libraries_not_root" version="1">
+    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+  </unix:file_state>
+
+</def-group>
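Review bot: `^\/usr\/lib(|64)` has no end anchor, so it also matches `/usr/libexec` (and `^\/lib(|64)` matches any `/lib...`-prefixed path), pulling directories outside the description's scope into the ownership test; anchor with `$` or widen the description to match. Relatedly, the description lists `/lib/modules` but the object comments list only `/lib`, `/lib64`, `/usr/lib` and `/usr/lib64`, and `/lib/modules` is covered only as a side effect of the missing anchor, so either add it to the pattern explicitly or drop it from the description. Same one-column indentation slip on the `<filter>` line of object_file_ownership_lib_files.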
diff --git a/Fedora/input/checks/file_permissions_binary_dirs.xml 
b/Fedora/input/checks/file_permissions_binary_dirs.xml
new file mode 100644
index 0000000..22e5a39
--- /dev/null
+++ b/Fedora/input/checks/file_permissions_binary_dirs.xml
@@ -0,0 +1,40 @@
+<def-group>
+  <definition class="compliance" id="file_permissions_binary_dirs" version="1">
+    <metadata>
+      <title>Verify that System Executables Have Restrictive 
Permissions</title>
+      <affected family="unix">
+        <platform>Fedora 19</platform>
+      </affected>
+      <description>
+        Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
+        /usr/local/bin, and /usr/local/sbin, are not group-writable or 
world-writable.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_perms_binary_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" 
id="test_perms_binary_files" version="1">
+    <unix:object object_ref="object_file_permissions_binary_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="binary files" id="object_file_permissions_binary_files" 
version="1">
+    <!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, 
/usr/local/bin,
+         and /usr/local/sbin directories have safe permissions (go-w) -->
+    <unix:path operation="pattern 
match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter 
action="include">state_perms_binary_files_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">state_perms_binary_files_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_perms_binary_files_nogroupwrite_noworldwrite" version="1" 
operator="OR">
+    <unix:gwrite datatype="boolean">true</unix:gwrite>
+    <unix:owrite datatype="boolean">true</unix:owrite>
+  </unix:file_state>
+
+  <unix:file_state id="state_perms_binary_files_symlink" version="1">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+
+</def-group>
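Review bot: the symlink exclude filter is the right call (a symlink's own mode shows as 0777, `lrwxrwxrwx`, on Linux, so without it every symlinked binary would fail the go-w state), but the unix:path pattern is the same unanchored one as in the ownership check, so `$`-anchor it here for consistency. Note also that this definition tests only the files, whereas the ownership definition tests the directories as well; if a group- or world-writable `/usr/local/bin` should fail the rule (it lets any member plant a binary there), add a directory object with `<unix:filename xsi:nil="true" />` as the ownership check does, with a state on gwrite/owrite.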
diff --git a/Fedora/input/system/permissions/files.xml 
b/Fedora/input/system/permissions/files.xml
index a9bfd93..5d0e507 100644
--- a/Fedora/input/system/permissions/files.xml
+++ b/Fedora/input/system/permissions/files.xml
@@ -55,7 +55,7 @@ space of processes (including privileged ones) or of the 
kernel itself at
  runtime. Proper ownership is necessary to protect the integrity of the system.
  </rationale>
  <ref nist="AC-6" disa="1499"/>
-<!-- <oval id="file_ownership_library_dirs" /> -->
+<oval id="file_ownership_library_dirs" />
  </Rule>
<Rule id="file_permissions_binary_dirs" severity="medium">
@@ -78,7 +78,7 @@ services, and restrictive permissions are necessary to ensure 
execution of
  these programs cannot be co-opted.
  </rationale>
  <ref nist="AC-6" disa="1499"/>
-<!-- <oval id="file_permissions_binary_dirs" /> -->
+<oval id="file_permissions_binary_dirs" />
  </Rule>
<Rule id="file_ownership_binary_dirs" severity="medium">
@@ -100,7 +100,7 @@ than root, correct its ownership with the following command:
  services, and restrictive permissions are necessary to ensure that their
  execution of these programs cannot be co-opted.
  </rationale>
-<!-- <oval id="file_ownership_binary_dirs" /> -->
+<oval id="file_ownership_binary_dirs" />
  <ref nist="AC-6" disa="1499"/>
  </Rule>
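Review bot: in this Rule the uncommented `<oval id="file_ownership_binary_dirs" />` sits before the `<ref nist="AC-6" disa="1499"/>` element, whereas the two Rules above place it after; reorder for consistency. Worth a follow-up, though pre-existing and not changed here: the rationale context for this ownership rule reads "restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted", which duplicates the permissions rule's wording rather than explaining why root ownership matters.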
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 63057ec..e27fc53 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
  # file one level up - in the main scap-security-guide directory (instead of
  # this one).
-%global fedorassgversion 4.rc10
+%global        fedorassgversion        4.rc11
Name: scap-security-guide
  Version:      0.1.%{fedorassgversion}
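Review bot: the `%global fedorassgversion` line changes from single spaces to runs of spaces alongside the version bump; keep the original spacing (`%global fedorassgversion 4.rc11`) so the hunk shows only the value change.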
@@ -54,6 +54,11 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 
%{buildroot}%{_mandir}/en/man
  %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
%changelog
+* Fri Dec 06 2013 Jan iankko Lieskovsky<[email protected]>  0.1.4.rc11-1
+- OVAL check for Verify that Shared Library Files Have Root Ownership
+- OVAL check for Verify that System Executables Have Restrictive Permissions
+- OVAL check for Verify that System Executables Have Root Ownership
+
  * Thu Dec 05 2013 Jan iankko Lieskovsky<[email protected]>  0.1.4.rc10-1
  - Shared OVAL check for Verify that Shared Library Files Have Restrictive
    Permissions
-- 1.8.3.1


--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
