>From 439e2dc6dd352fbbcaf878fc3008903d5374db76 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 00:51:15 -0500
Subject: [PATCH 15/31] Moved file_permissions_etc_shadow to shared/

- Tested on RHEL7, updated CPE, moved to shared/
---
 .../6/input/checks/file_permissions_etc_shadow.xml | 47 +---------------------
 .../7/input/checks/file_permissions_etc_shadow.xml |  1 +
 shared/oval/file_permissions_etc_shadow.xml        | 47 ++++++++++++++++++++++
 3 files changed, 49 insertions(+), 46 deletions(-)
 mode change 100644 => 120000 
RHEL/6/input/checks/file_permissions_etc_shadow.xml
 create mode 120000 RHEL/7/input/checks/file_permissions_etc_shadow.xml
 create mode 100644 shared/oval/file_permissions_etc_shadow.xml

diff --git a/RHEL/6/input/checks/file_permissions_etc_shadow.xml 
b/RHEL/6/input/checks/file_permissions_etc_shadow.xml
deleted file mode 100644
index 136ab7a..0000000
--- a/RHEL/6/input/checks/file_permissions_etc_shadow.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_permission_checks.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="file_permissions_etc_shadow" version="1">
-    <metadata>
-      <title>Verify /etc/shadow Permissions</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>This test makes sure that /etc/shadow is owned by 0, group 
owned by 0, and has mode 0000. If
-      the target file or directory has an extended ACL then it will fail the 
mode check.</description>
-      <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_etc_shadow" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist" comment="/etc/shadow 
mode and ownership" id="test_etc_shadow" version="1">
-    <unix:object object_ref="object_etc_shadow" />
-    <unix:state state_ref="_etc_shadow_state_uid_0" />
-    <unix:state state_ref="_etc_shadow_state_gid_0" />
-    <unix:state state_ref="_etc_shadow_state_mode_0000" />
-  </unix:file_test>
-  <unix:file_object comment="/etc/shadow" id="object_etc_shadow" version="1">
-    <unix:filepath>/etc/shadow</unix:filepath>
-  </unix:file_object>
-  <unix:file_state id="_etc_shadow_state_uid_0" version="1">
-    <unix:user_id datatype="int" operation="equals">0</unix:user_id>
-  </unix:file_state>
-  <unix:file_state id="_etc_shadow_state_gid_0" version="1">
-    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
-  </unix:file_state>
-  <unix:file_state id="_etc_shadow_state_mode_0000" version="1">
-       <unix:suid datatype="boolean">false</unix:suid>
-       <unix:sgid datatype="boolean">false</unix:sgid>
-       <unix:sticky datatype="boolean">false</unix:sticky>
-       <unix:uread datatype="boolean">false</unix:uread>
-       <unix:uwrite datatype="boolean">false</unix:uwrite>
-       <unix:uexec datatype="boolean">false</unix:uexec>
-       <unix:gread datatype="boolean">false</unix:gread>
-       <unix:gwrite datatype="boolean">false</unix:gwrite>
-       <unix:gexec datatype="boolean">false</unix:gexec>
-       <unix:oread datatype="boolean">false</unix:oread>
-       <unix:owrite datatype="boolean">false</unix:owrite>
-       <unix:oexec datatype="boolean">false</unix:oexec>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_etc_shadow.xml 
b/RHEL/6/input/checks/file_permissions_etc_shadow.xml
new file mode 120000
index 0000000..c9178ca
--- /dev/null
+++ b/RHEL/6/input/checks/file_permissions_etc_shadow.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_shadow.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/file_permissions_etc_shadow.xml 
b/RHEL/7/input/checks/file_permissions_etc_shadow.xml
new file mode 120000
index 0000000..c9178ca
--- /dev/null
+++ b/RHEL/7/input/checks/file_permissions_etc_shadow.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_shadow.xml
\ No newline at end of file
diff --git a/shared/oval/file_permissions_etc_shadow.xml 
b/shared/oval/file_permissions_etc_shadow.xml
new file mode 100644
index 0000000..602ff0f
--- /dev/null
+++ b/shared/oval/file_permissions_etc_shadow.xml
@@ -0,0 +1,47 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_permission_checks.py.  DO NOT EDIT.  -->
+  <definition class="compliance" id="file_permissions_etc_shadow" version="1">
+    <metadata>
+      <title>Verify /etc/shadow Permissions</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>This test makes sure that /etc/shadow is owned by 0, group 
owned by 0, and has mode 0000. If
+      the target file or directory has an extended ACL then it will fail the 
mode check.</description>
+      <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_etc_shadow" />
+    </criteria>
+  </definition>
+  <unix:file_test check="all" check_existence="all_exist" comment="/etc/shadow 
mode and ownership" id="test_etc_shadow" version="1">
+    <unix:object object_ref="object_etc_shadow" />
+    <unix:state state_ref="_etc_shadow_state_uid_0" />
+    <unix:state state_ref="_etc_shadow_state_gid_0" />
+    <unix:state state_ref="_etc_shadow_state_mode_0000" />
+  </unix:file_test>
+  <unix:file_object comment="/etc/shadow" id="object_etc_shadow" version="1">
+    <unix:filepath>/etc/shadow</unix:filepath>
+  </unix:file_object>
+  <unix:file_state id="_etc_shadow_state_uid_0" version="1">
+    <unix:user_id datatype="int" operation="equals">0</unix:user_id>
+  </unix:file_state>
+  <unix:file_state id="_etc_shadow_state_gid_0" version="1">
+    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+  </unix:file_state>
+  <unix:file_state id="_etc_shadow_state_mode_0000" version="1">
+       <unix:suid datatype="boolean">false</unix:suid>
+       <unix:sgid datatype="boolean">false</unix:sgid>
+       <unix:sticky datatype="boolean">false</unix:sticky>
+       <unix:uread datatype="boolean">false</unix:uread>
+       <unix:uwrite datatype="boolean">false</unix:uwrite>
+       <unix:uexec datatype="boolean">false</unix:uexec>
+       <unix:gread datatype="boolean">false</unix:gread>
+       <unix:gwrite datatype="boolean">false</unix:gwrite>
+       <unix:gexec datatype="boolean">false</unix:gexec>
+       <unix:oread datatype="boolean">false</unix:oread>
+       <unix:owrite datatype="boolean">false</unix:owrite>
+       <unix:oexec datatype="boolean">false</unix:oexec>
+  </unix:file_state>
+</def-group>
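Review bot: The header comment on the second line of this hunk still states that the file is generated by create_permission_checks.py and must not be edited, yet this copy has been edited by hand (the added `Red Hat Enterprise Linux 7` platform line) and relocated to shared/oval/, so a rerun of the generator would presumably either overwrite the RHEL/6 path that is now a symlink or emit a file lacking the RHEL 7 platform. If the generator was updated in a separate commit to write into shared/ with both platforms, the commit message should say so; otherwise the comment should describe the new provenance, e.g. `<!-- Originally generated by create_permission_checks.py; now maintained by hand in shared/oval/. Keep the platform list in sync with the RHEL/*/input/checks symlinks. -->`. The same header in the deleted RHEL/6 copy above is history and needs no change.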
-- 
1.8.3.1
