>From 7725df59cd6a1766277c944e91800560a9273c9b Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 01:11:09 -0500
Subject: [PATCH 19/31] Renamed userowner_passwd_file to file_owner_etc_passwd,
 moved to shared/

- Renamed XCCDF rule name to match filecheck template

- Tested on RHEL7, updated CPE, moved to shared, created symlinks
---
 RHEL/6/input/auxiliary/stig_overlay.xml            |  2 +-
 RHEL/6/input/checks/file_owner_etc_passwd.xml      | 30 +---------------------
 RHEL/6/input/profiles/CS2.xml                      |  2 +-
 RHEL/6/input/profiles/common.xml                   |  2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml |  2 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml            |  2 +-
 RHEL/6/input/profiles/rht-ccp.xml                  |  2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       |  2 +-
 RHEL/6/input/system/permissions/files.xml          |  2 +-
 RHEL/7/input/auxiliary/stig_overlay.xml            |  2 +-
 RHEL/7/input/checks/file_owner_etc_passwd.xml      |  1 +
 RHEL/7/input/profiles/rht-ccp.xml                  |  2 +-
 RHEL/7/input/system/permissions/files.xml          |  2 +-
 shared/oval/file_owner_etc_passwd.xml              | 29 +++++++++++++++++++++
 14 files changed, 42 insertions(+), 40 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/file_owner_etc_passwd.xml
 create mode 120000 RHEL/7/input/checks/file_owner_etc_passwd.xml
 create mode 100644 shared/oval/file_owner_etc_passwd.xml

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml 
b/RHEL/6/input/auxiliary/stig_overlay.xml
index e1d21c2..428681e 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -112,7 +112,7 @@
                <VMSinfo VKey="38449" SVKey="50249" VRelease="1" />
                <title>The /etc/gshadow file must have mode 0000.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="userowner_passwd_file" 
ownerid="RHEL-06-000039" disa="366" severity="medium">
+       <overlay owner="disastig" ruleid="file_owner_etc_passwd" 
ownerid="RHEL-06-000039" disa="366" severity="medium">
                <VMSinfo VKey="38450" SVKey="50250" VRelease="1" />
                <title>The /etc/passwd file must be owned by root.</title>
        </overlay>
diff --git a/RHEL/6/input/checks/file_owner_etc_passwd.xml 
b/RHEL/6/input/checks/file_owner_etc_passwd.xml
deleted file mode 100644
index 44d3e18..0000000
--- a/RHEL/6/input/checks/file_owner_etc_passwd.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<def-group>
-  <definition class="compliance" id="file_owner_etc_passwd" version="1">
-    <metadata>
-      <title>Verify user who owns 'passwd' file</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The /etc/passwd file should be owned by the appropriate
-      user.</description>
-      <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_file_owner_etc_passwd" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist"
-  comment="Testing user ownership" id="test_file_owner_etc_passwd" version="1">
-    <unix:object object_ref="object_file_owner_etc_passwd" />
-    <unix:state state_ref="state_file_owner_etc_passwd" />
-  </unix:file_test>
-  <unix:file_state id="state_file_owner_etc_passwd" version="1">
-    <unix:user_id datatype="int">0</unix:user_id>
-  </unix:file_state>
-  <unix:file_object comment="/etc/passwd" id="object_file_owner_etc_passwd"
-  version="1">
-    <unix:path>/etc</unix:path>
-    <unix:filename>passwd</unix:filename>
-  </unix:file_object>
-</def-group>
diff --git a/RHEL/6/input/checks/file_owner_etc_passwd.xml 
b/RHEL/6/input/checks/file_owner_etc_passwd.xml
new file mode 120000
index 0000000..3c6a1fd
--- /dev/null
+++ b/RHEL/6/input/checks/file_owner_etc_passwd.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_owner_etc_passwd.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index d8d3f43..86ba34e 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -154,7 +154,7 @@
 <select idref="file_owner_etc_gshadow" selected="true"/>
 <select idref="file_groupowner_etc_gshadow" selected="true"/>
 <select idref="file_permissions_etc_gshadow" selected="true"/>
-<select idref="userowner_passwd_file" selected="true"/>
+<select idref="file_owner_etc_passwd" selected="true"/>
 <select idref="groupowner_passwd_file" selected="true"/>
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="userowner_group_file" selected="true" />
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index eea2ac7..2b7f984 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -32,7 +32,7 @@
 <select idref="file_groupowner_etc_gshadow" selected="true"/>
 <select idref="file_permissions_etc_gshadow" selected="true"/>
 
-<select idref="userowner_passwd_file" selected="true"/>
+<select idref="file_owner_etc_passwd" selected="true"/>
 <select idref="groupowner_passwd_file" selected="true"/>
 <select idref="file_permissions_etc_passwd" selected="true"/>
 
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml 
b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 105d7ce..da7355f 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -48,7 +48,7 @@
 <select idref="file_owner_etc_gshadow" selected="true" />
 <select idref="file_groupowner_etc_gshadow" selected="true" />
 <select idref="file_permissions_etc_gshadow" selected="true" />
-<select idref="userowner_passwd_file" selected="true" />
+<select idref="file_owner_etc_passwd" selected="true" />
 <select idref="groupowner_passwd_file" selected="true" />
 <select idref="file_permissions_etc_passwd" selected="true" />
 <select idref="file_permissions_library_dirs" selected="true" />
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml 
b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index 7bf1293..5548ffe 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -142,7 +142,7 @@ assurance."</description>
 <select idref="file_owner_etc_gshadow" selected="true" \>
 <select idref="file_groupowner_etc_gshadow" selected="true" \>
 <select idref="file_permissions_etc_gshadow" selected="true" \>
-<select idref="userowner_passwd_file" selected="true" \>
+<select idref="file_owner_etc_passwd" selected="true" \>
 <select idref="groupowner_passwd_file" selected="true" \>
 <select idref="file_permissions_etc_passwd" selected="true" \>
 <select idref="selinux_confinement_of_daemons" selected="true" \>
diff --git a/RHEL/6/input/profiles/rht-ccp.xml 
b/RHEL/6/input/profiles/rht-ccp.xml
index 8af94c5..aefea86 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -73,7 +73,7 @@
 <select idref="file_owner_etc_gshadow" selected="true"/>
 <select idref="file_groupowner_etc_gshadow" selected="true"/>
 <select idref="file_permissions_etc_gshadow" selected="true"/>
-<select idref="userowner_passwd_file" selected="true"/>
+<select idref="file_owner_etc_passwd" selected="true"/>
 <select idref="groupowner_passwd_file" selected="true"/>
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="userowner_group_file" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml 
b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 1f85107..2983256 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -43,7 +43,7 @@
 <select idref="userowner_group_file" selected="true" />
 <select idref="groupowner_group_file" selected="true" />
 <select idref="file_permissions_etc_passwd" selected="true" />
-<select idref="userowner_passwd_file" selected="true" />
+<select idref="file_owner_etc_passwd" selected="true" />
 <select idref="groupowner_passwd_file" selected="true" />
 <select idref="sticky_world_writable_dirs" selected="true" />
 <select idref="world_writeable_files" selected="true" />
diff --git a/RHEL/6/input/system/permissions/files.xml 
b/RHEL/6/input/system/permissions/files.xml
index 6f6f5c0..71461d7 100644
--- a/RHEL/6/input/system/permissions/files.xml
+++ b/RHEL/6/input/system/permissions/files.xml
@@ -131,7 +131,7 @@ is critical for system security.</rationale>
 <tested by="DS" on="20121026"/>
 </Rule>
 
-<Rule id="userowner_passwd_file" severity="medium">
+<Rule id="file_owner_etc_passwd" severity="medium">
 <title>Verify User Who Owns <tt>passwd</tt> File</title>
 <description><fileowner-desc-macro file="/etc/passwd" 
owner="root"/></description>
 <ocil><fileowner-check-macro file="/etc/passwd" owner="root"/></ocil>
diff --git a/RHEL/7/input/auxiliary/stig_overlay.xml 
b/RHEL/7/input/auxiliary/stig_overlay.xml
index 3152f32..d21fe1e 100644
--- a/RHEL/7/input/auxiliary/stig_overlay.xml
+++ b/RHEL/7/input/auxiliary/stig_overlay.xml
@@ -112,7 +112,7 @@
                <VMSinfo VKey="38449" SVKey="50249" VRelease="1" />
                <title>The /etc/gshadow file must have mode 0000.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="userowner_passwd_file" 
ownerid="RHEL-06-000039" disa="366" severity="medium">
+       <overlay owner="disastig" ruleid="file_owner_etc_passwd" 
ownerid="RHEL-06-000039" disa="366" severity="medium">
                <VMSinfo VKey="38450" SVKey="50250" VRelease="1" />
                <title>The /etc/passwd file must be owned by root.</title>
        </overlay>
diff --git a/RHEL/7/input/checks/file_owner_etc_passwd.xml 
b/RHEL/7/input/checks/file_owner_etc_passwd.xml
new file mode 120000
index 0000000..3c6a1fd
--- /dev/null
+++ b/RHEL/7/input/checks/file_owner_etc_passwd.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_owner_etc_passwd.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml 
b/RHEL/7/input/profiles/rht-ccp.xml
index a8d25a3..e4d9836 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -72,7 +72,7 @@ FILE PERMISSION CHECKS
 <select idref="file_owner_etc_gshadow" selected="true"/>
 <select idref="file_groupowner_etc_gshadow" selected="true"/>
 <select idref="file_permissions_etc_gshadow" selected="true"/>
-<select idref="userowner_passwd_file" selected="true"/>
+<select idref="file_owner_etc_passwd" selected="true"/>
 <select idref="groupowner_passwd_file" selected="true"/>
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="userowner_group_file" selected="true"/>
diff --git a/RHEL/7/input/system/permissions/files.xml 
b/RHEL/7/input/system/permissions/files.xml
index a580674..b6c6943 100644
--- a/RHEL/7/input/system/permissions/files.xml
+++ b/RHEL/7/input/system/permissions/files.xml
@@ -131,7 +131,7 @@ is critical for system security.</rationale>
 <tested by="DS" on="20121026"/>
 </Rule>
 
-<Rule id="userowner_passwd_file" severity="medium">
+<Rule id="file_owner_etc_passwd" severity="medium">
 <title>Verify User Who Owns <tt>passwd</tt> File</title>
 <description><fileowner-desc-macro file="/etc/passwd" 
owner="root"/></description>
 <ocil><fileowner-check-macro file="/etc/passwd" owner="root"/></ocil>
diff --git a/shared/oval/file_owner_etc_passwd.xml 
b/shared/oval/file_owner_etc_passwd.xml
new file mode 100644
index 0000000..13dd0bf
--- /dev/null
+++ b/shared/oval/file_owner_etc_passwd.xml
@@ -0,0 +1,29 @@
+<def-group>
+  <definition class="compliance" id="file_owner_etc_passwd" version="1">
+    <metadata>
+      <title>Verify user who owns 'passwd' file</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The /etc/passwd file should be owned by the appropriate
+      user.</description>
+      <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_file_owner_etc_passwd" />
+    </criteria>
+  </definition>
+  <unix:file_test check="all" check_existence="all_exist"
+  comment="Testing user ownership" id="test_file_owner_etc_passwd" version="1">
+    <unix:object object_ref="object_file_owner_etc_passwd" />
+    <unix:state state_ref="state_file_owner_etc_passwd" />
+  </unix:file_test>
+  <unix:file_state id="state_file_owner_etc_passwd" version="1">
+    <unix:user_id datatype="int">0</unix:user_id>
+  </unix:file_state>
+  <unix:file_object comment="/etc/passwd" id="object_file_owner_etc_passwd"
+  version="1">
+    <unix:filepath>/etc/passwd</unix:filepath>
+  </unix:file_object>
+</def-group>
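Review bot: The `<description>` in the new shared definition says only that /etc/passwd should be owned by "the appropriate user", while `state_file_owner_etc_passwd` pins `unix:user_id` to 0. Stating the requirement explicitly, e.g. `<description>The /etc/passwd file should be owned by root (UID 0).</description>`, would make a failed result self-explanatory in scan reports. The object also switches from the `unix:path` plus `unix:filename` pair of the deleted RHEL 6 check to a single `unix:filepath`, which the commit message does not mention. It is worth confirming that the OVAL schema version this content is built against accepts `unix:filepath` for both platforms. The `<reference source="MED" ref_id="20130807" ... />` attestation is carried over unchanged, so it presumably still records only the earlier RHEL 6 test and not the RHEL 7 run named in the commit message.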
-- 
1.8.3.1
