>From ac3f0027b727125257d0e79b4d39285207e431c1 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 02:22:03 -0500
Subject: [PATCH 22/31] Moved userowner_group_file -> file_owner_etc_group,
added to shared/
- Renamed XCCDF to match template style
- Tested on RHEL7, updated CPE
- Added to shared/
---
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +-
RHEL/6/input/checks/file_owner_etc_group.xml | 30 +---------------------
RHEL/6/input/profiles/CS2.xml | 2 +-
RHEL/6/input/profiles/common.xml | 2 +-
.../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
RHEL/6/input/profiles/nist-CL-IL-AL.xml | 2 +-
RHEL/6/input/profiles/rht-ccp.xml | 2 +-
RHEL/6/input/profiles/usgcb-rhel6-server.xml | 2 +-
RHEL/6/input/system/permissions/files.xml | 2 +-
RHEL/7/input/auxiliary/stig_overlay.xml | 2 +-
RHEL/7/input/checks/file_owner_etc_group.xml | 1 +
RHEL/7/input/profiles/rht-ccp.xml | 2 +-
RHEL/7/input/system/permissions/files.xml | 2 +-
shared/oval/file_owner_etc_group.xml | 29 +++++++++++++++++++++
14 files changed, 42 insertions(+), 40 deletions(-)
mode change 100644 => 120000 RHEL/6/input/checks/file_owner_etc_group.xml
create mode 120000 RHEL/7/input/checks/file_owner_etc_group.xml
create mode 100644 shared/oval/file_owner_etc_group.xml
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml
b/RHEL/6/input/auxiliary/stig_overlay.xml
index 9848d2c..7ce2383 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -124,7 +124,7 @@
<VMSinfo VKey="38457" SVKey="50257" VRelease="1" />
<title>The /etc/passwd file must have mode 0644 or less
permissive.</title>
</overlay>
- <overlay owner="disastig" ruleid="userowner_group_file"
ownerid="RHEL-06-000042" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="file_owner_etc_group"
ownerid="RHEL-06-000042" disa="366" severity="medium">
<VMSinfo VKey="38458" SVKey="50258" VRelease="1" />
<title>The /etc/group file must be owned by root.</title>
</overlay>
diff --git a/RHEL/6/input/checks/file_owner_etc_group.xml
b/RHEL/6/input/checks/file_owner_etc_group.xml
deleted file mode 100644
index e6bc24c..0000000
--- a/RHEL/6/input/checks/file_owner_etc_group.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_owner_etc_group" version="1">
- <metadata>
- <title>Verify user who owns 'group' file</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The /etc/group file should be owned by the appropriate
- user.</description>
- <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion test_ref="test_file_owner_etc_group" />
- </criteria>
- </definition>
- <unix:file_test check="all" check_existence="all_exist"
- comment="Testing user ownership" id="test_file_owner_etc_group" version="1">
- <unix:object object_ref="object_file_owner_etc_group" />
- <unix:state state_ref="state_file_owner_etc_group" />
- </unix:file_test>
- <unix:file_state id="state_file_owner_etc_group" version="1">
- <unix:user_id datatype="int">0</unix:user_id>
- </unix:file_state>
- <unix:file_object comment="/etc/group" id="object_file_owner_etc_group"
- version="1">
- <unix:path>/etc</unix:path>
- <unix:filename>group</unix:filename>
- </unix:file_object>
-</def-group>
diff --git a/RHEL/6/input/checks/file_owner_etc_group.xml
b/RHEL/6/input/checks/file_owner_etc_group.xml
new file mode 120000
index 0000000..909d9b3
--- /dev/null
+++ b/RHEL/6/input/checks/file_owner_etc_group.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_owner_etc_group.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index 645966a..0d38147 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -157,7 +157,7 @@
<select idref="file_owner_etc_passwd" selected="true"/>
<select idref="file_groupowner_etc_passwd" selected="true"/>
<select idref="file_permissions_etc_passwd" selected="true"/>
-<select idref="userowner_group_file" selected="true" />
+<select idref="file_owner_etc_group" selected="true" />
<select idref="groupowner_group_file" selected="true" />
<select idref="perms_group_file" selected="true" />
<select idref="file_permissions_library_dirs" selected="true"/>
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index 20d7d4f..dd68778 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -36,7 +36,7 @@
<select idref="file_groupowner_etc_passwd" selected="true"/>
<select idref="file_permissions_etc_passwd" selected="true"/>
-<select idref="userowner_group_file" selected="true" />
+<select idref="file_owner_etc_group" selected="true" />
<select idref="groupowner_group_file" selected="true" />
<select idref="perms_group_file" selected="true" />
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index de9673a..e021f01 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -42,7 +42,7 @@
<select idref="userowner_shadow_file" selected="true" />
<select idref="groupowner_shadow_file" selected="true" />
<select idref="file_permissions_etc_shadow" selected="true"/>
-<select idref="userowner_group_file" selected="true" />
+<select idref="file_owner_etc_group" selected="true" />
<select idref="groupowner_group_file" selected="true" />
<select idref="perms_group_file" selected="true" />
<select idref="file_owner_etc_gshadow" selected="true" />
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index 265b303..78e2adc 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -136,7 +136,7 @@ assurance."</description>
<select idref="userowner_shadow_file" selected="true" \>
<select idref="groupowner_shadow_file" selected="true" \>
<select idref="file_permissions_etc_shadow" selected="true" \>
-<select idref="userowner_group_file" selected="true" \>
+<select idref="file_owner_etc_group" selected="true" \>
<select idref="groupowner_group_file" selected="true" \>
<select idref="perms_group_file" selected="true" \>
<select idref="file_owner_etc_gshadow" selected="true" \>
diff --git a/RHEL/6/input/profiles/rht-ccp.xml
b/RHEL/6/input/profiles/rht-ccp.xml
index c1be635..7dadbdc 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -76,7 +76,7 @@
<select idref="file_owner_etc_passwd" selected="true"/>
<select idref="file_groupowner_etc_passwd" selected="true"/>
<select idref="file_permissions_etc_passwd" selected="true"/>
-<select idref="userowner_group_file" selected="true"/>
+<select idref="file_owner_etc_group" selected="true"/>
<select idref="groupowner_group_file" selected="true"/>
<select idref="perms_group_file" selected="true"/>
<select idref="file_permissions_library_dirs" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index a390a3e..e2c7690 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -40,7 +40,7 @@
<select idref="userowner_shadow_file" selected="true" />
<select idref="groupowner_shadow_file" selected="true" />
<select idref="perms_group_file" selected="true" />
-<select idref="userowner_group_file" selected="true" />
+<select idref="file_owner_etc_group" selected="true" />
<select idref="groupowner_group_file" selected="true" />
<select idref="file_permissions_etc_passwd" selected="true" />
<select idref="file_owner_etc_passwd" selected="true" />
diff --git a/RHEL/6/input/system/permissions/files.xml
b/RHEL/6/input/system/permissions/files.xml
index 197e4ae..caa7938 100644
--- a/RHEL/6/input/system/permissions/files.xml
+++ b/RHEL/6/input/system/permissions/files.xml
@@ -59,7 +59,7 @@ which could weaken the system security posture.</rationale>
<tested by="DS" on="20121026"/>
</Rule>
-<Rule id="userowner_group_file" severity="medium">
+<Rule id="file_owner_etc_group" severity="medium">
<title>Verify User Who Owns <tt>group</tt> File</title>
<description><fileowner-desc-macro file="/etc/group"
owner="root"/></description>
<ocil><fileowner-check-macro file="/etc/group" owner="root"/></ocil>
diff --git a/RHEL/7/input/auxiliary/stig_overlay.xml
b/RHEL/7/input/auxiliary/stig_overlay.xml
index bf24f96..dd61f3c 100644
--- a/RHEL/7/input/auxiliary/stig_overlay.xml
+++ b/RHEL/7/input/auxiliary/stig_overlay.xml
@@ -124,7 +124,7 @@
<VMSinfo VKey="38457" SVKey="50257" VRelease="1" />
<title>The /etc/passwd file must have mode 0644 or less
permissive.</title>
</overlay>
- <overlay owner="disastig" ruleid="userowner_group_file"
ownerid="RHEL-06-000042" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="file_owner_etc_group"
ownerid="RHEL-06-000042" disa="366" severity="medium">
<VMSinfo VKey="38458" SVKey="50258" VRelease="1" />
<title>The /etc/group file must be owned by root.</title>
</overlay>
diff --git a/RHEL/7/input/checks/file_owner_etc_group.xml
b/RHEL/7/input/checks/file_owner_etc_group.xml
new file mode 120000
index 0000000..909d9b3
--- /dev/null
+++ b/RHEL/7/input/checks/file_owner_etc_group.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_owner_etc_group.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml
b/RHEL/7/input/profiles/rht-ccp.xml
index d6c5275..1be219f 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -75,7 +75,7 @@ FILE PERMISSION CHECKS
<select idref="file_owner_etc_passwd" selected="true"/>
<select idref="file_groupowner_etc_passwd" selected="true"/>
<select idref="file_permissions_etc_passwd" selected="true"/>
-<select idref="userowner_group_file" selected="true"/>
+<select idref="file_owner_etc_group" selected="true"/>
<select idref="groupowner_group_file" selected="true"/>
<select idref="perms_group_file" selected="true"/>
<select idref="file_permissions_library_dirs" selected="true"/>
diff --git a/RHEL/7/input/system/permissions/files.xml
b/RHEL/7/input/system/permissions/files.xml
index 38ee361..1ed6110 100644
--- a/RHEL/7/input/system/permissions/files.xml
+++ b/RHEL/7/input/system/permissions/files.xml
@@ -59,7 +59,7 @@ which could weaken the system security posture.</rationale>
<tested by="DS" on="20121026"/>
</Rule>
-<Rule id="userowner_group_file" severity="medium">
+<Rule id="file_owner_etc_group" severity="medium">
<title>Verify User Who Owns <tt>group</tt> File</title>
<description><fileowner-desc-macro file="/etc/group"
owner="root"/></description>
<ocil><fileowner-check-macro file="/etc/group" owner="root"/></ocil>
diff --git a/shared/oval/file_owner_etc_group.xml
b/shared/oval/file_owner_etc_group.xml
new file mode 100644
index 0000000..6a773d6
--- /dev/null
+++ b/shared/oval/file_owner_etc_group.xml
@@ -0,0 +1,29 @@
+<def-group>
+ <definition class="compliance" id="file_owner_etc_group" version="1">
+ <metadata>
+ <title>Verify user who owns 'group' file</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The /etc/group file should be owned by the appropriate
+ user.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_file_owner_etc_group" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="all_exist"
+ comment="Testing user ownership" id="test_file_owner_etc_group" version="1">
+ <unix:object object_ref="object_file_owner_etc_group" />
+ <unix:state state_ref="state_file_owner_etc_group" />
+ </unix:file_test>
+ <unix:file_state id="state_file_owner_etc_group" version="1">
+ <unix:user_id datatype="int">0</unix:user_id>
+ </unix:file_state>
+ <unix:file_object comment="/etc/group" id="object_file_owner_etc_group"
+ version="1">
+ <unix:filepath>/etc/group</unix:filepath>
+ </unix:file_object>
+</def-group>
--
1.8.3.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
