>From ebac172c7050f4faac041c0a96eb8fba10d32564 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 02:41:36 -0500
Subject: [PATCH 24/31] Renamed perms_group_file -> file_permissions_etc_group,
 added to shared/

- XCCDF rename to match file perms template

- Tested on RHEL7, updated CPE

- Moved to shared/, added symlinks
---
 RHEL/6/input/auxiliary/stig_overlay.xml            |  2 +-
 RHEL/6/input/checks/file_permissions_etc_group.xml | 38 +---------------------
 RHEL/6/input/profiles/CS2.xml                      |  2 +-
 RHEL/6/input/profiles/common.xml                   |  2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml |  2 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml            |  2 +-
 RHEL/6/input/profiles/rht-ccp.xml                  |  2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       |  2 +-
 RHEL/6/input/system/permissions/files.xml          |  2 +-
 RHEL/7/input/auxiliary/stig_overlay.xml            |  2 +-
 RHEL/7/input/checks/file_permissions_etc_group.xml |  1 +
 RHEL/7/input/profiles/rht-ccp.xml                  |  2 +-
 RHEL/7/input/system/permissions/files.xml          |  2 +-
 shared/oval/file_permissions_etc_group.xml         | 38 ++++++++++++++++++++++
 14 files changed, 51 insertions(+), 48 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/file_permissions_etc_group.xml
 create mode 120000 RHEL/7/input/checks/file_permissions_etc_group.xml
 create mode 100644 shared/oval/file_permissions_etc_group.xml

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml 
b/RHEL/6/input/auxiliary/stig_overlay.xml
index c799612..ff2e42c 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -132,7 +132,7 @@
                <VMSinfo VKey="38459" SVKey="50259" VRelease="1" />
                <title>The /etc/group file must be group-owned by root.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="perms_group_file" 
ownerid="RHEL-06-000044" disa="366" severity="medium">
+       <overlay owner="disastig" ruleid="file_permissions_etc_group" 
ownerid="RHEL-06-000044" disa="366" severity="medium">
                <VMSinfo VKey="38461" SVKey="50261" VRelease="1" />
                <title>The /etc/group file must have mode 0644 or less 
permissive.</title>
        </overlay>
diff --git a/RHEL/6/input/checks/file_permissions_etc_group.xml 
b/RHEL/6/input/checks/file_permissions_etc_group.xml
deleted file mode 100644
index 1139e02..0000000
--- a/RHEL/6/input/checks/file_permissions_etc_group.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
-  <definition class="compliance" id="file_permissions_etc_group" version="1">
-    <metadata>
-      <title>Verify permissions on 'group' file</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>File permissions for /etc/group should be set
-      correctly.</description>
-      <reference source="swells" ref_id="20130918" ref_url="test_attestation" 
/>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_file_permissions_etc_group" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist"
-  comment="Testing /etc/group permissions" id="test_file_permissions_etc_group"
-  version="1">
-    <unix:object object_ref="object_file_permissions_etc_group" />
-    <unix:state state_ref="state_file_permissions_etc_group" />
-  </unix:file_test>
-  <unix:file_state id="state_file_permissions_etc_group" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
-    <unix:uexec datatype="boolean">false</unix:uexec>
-    <unix:gread datatype="boolean">true</unix:gread>
-    <unix:gwrite datatype="boolean">false</unix:gwrite>
-    <unix:gexec datatype="boolean">false</unix:gexec>
-    <unix:oread datatype="boolean">true</unix:oread>
-    <unix:owrite datatype="boolean">false</unix:owrite>
-    <unix:oexec datatype="boolean">false</unix:oexec>
-  </unix:file_state>
-  <unix:file_object comment="/etc/group" id="object_file_permissions_etc_group"
-  version="1">
-    <unix:filepath>/etc/group</unix:filepath>
-  </unix:file_object>
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_etc_group.xml 
b/RHEL/6/input/checks/file_permissions_etc_group.xml
new file mode 120000
index 0000000..7f7ce45
--- /dev/null
+++ b/RHEL/6/input/checks/file_permissions_etc_group.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_group.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index fef458b..1486b0a 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -159,7 +159,7 @@
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="file_owner_etc_group" selected="true" />
 <select idref="file_groupowner_etc_group" selected="true" />
-<select idref="perms_group_file" selected="true" />
+<select idref="file_permissions_etc_group" selected="true" />
 <select idref="file_permissions_library_dirs" selected="true"/>
 <select idref="file_ownership_library_dirs" selected="true"/>
 <select idref="file_permissions_binary_dirs" selected="true"/>
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index 364c31a..55e2830 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -38,7 +38,7 @@
 
 <select idref="file_owner_etc_group" selected="true" />
 <select idref="file_groupowner_etc_group" selected="true" />
-<select idref="perms_group_file" selected="true" />
+<select idref="file_permissions_etc_group" selected="true" />
 
 <select idref="file_permissions_library_dirs" selected="true"/>
 <select idref="file_ownership_library_dirs" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml 
b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index a9a1691..1b68a8f 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -44,7 +44,7 @@
 <select idref="file_permissions_etc_shadow" selected="true"/>
 <select idref="file_owner_etc_group" selected="true" />
 <select idref="file_groupowner_etc_group" selected="true" />
-<select idref="perms_group_file" selected="true" />
+<select idref="file_permissions_etc_group" selected="true" />
 <select idref="file_owner_etc_gshadow" selected="true" />
 <select idref="file_groupowner_etc_gshadow" selected="true" />
 <select idref="file_permissions_etc_gshadow" selected="true" />
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml 
b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index 1c0059c..b8c4e10 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -138,7 +138,7 @@ assurance."</description>
 <select idref="file_permissions_etc_shadow" selected="true" \>
 <select idref="file_owner_etc_group" selected="true" \>
 <select idref="file_groupowner_etc_group" selected="true" \>
-<select idref="perms_group_file" selected="true" \>
+<select idref="file_permissions_etc_group" selected="true" \>
 <select idref="file_owner_etc_gshadow" selected="true" \>
 <select idref="file_groupowner_etc_gshadow" selected="true" \>
 <select idref="file_permissions_etc_gshadow" selected="true" \>
diff --git a/RHEL/6/input/profiles/rht-ccp.xml 
b/RHEL/6/input/profiles/rht-ccp.xml
index 47beccd..495fdb2 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -78,7 +78,7 @@
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="file_owner_etc_group" selected="true"/>
 <select idref="file_groupowner_etc_group" selected="true"/>
-<select idref="perms_group_file" selected="true"/>
+<select idref="file_permissions_etc_group" selected="true"/>
 <select idref="file_permissions_library_dirs" selected="true"/>
 <select idref="file_ownership_library_dirs" selected="true"/>
 <select idref="file_permissions_binary_dirs" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml 
b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 28cde12..403d14f 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -39,7 +39,7 @@
 <select idref="file_permissions_etc_shadow" selected="true" /> <!-- RHEL5 as 
400, RHEL6 as 000 -->
 <select idref="userowner_shadow_file" selected="true" />
 <select idref="groupowner_shadow_file" selected="true" />
-<select idref="perms_group_file" selected="true" /> 
+<select idref="file_permissions_etc_group" selected="true" /> 
 <select idref="file_owner_etc_group" selected="true" />
 <select idref="file_groupowner_etc_group" selected="true" />
 <select idref="file_permissions_etc_passwd" selected="true" />
diff --git a/RHEL/6/input/system/permissions/files.xml 
b/RHEL/6/input/system/permissions/files.xml
index 698d55a..4b36286 100644
--- a/RHEL/6/input/system/permissions/files.xml
+++ b/RHEL/6/input/system/permissions/files.xml
@@ -83,7 +83,7 @@ on the system. Protection of this file is important for 
system security.</ration
 <tested by="DS" on="20121026"/>
 </Rule>
 
-<Rule id="perms_group_file" severity="medium">
+<Rule id="file_permissions_etc_group" severity="medium">
 <title>Verify Permissions on <tt>group</tt> File</title>
 <description><fileperms-desc-macro file="/etc/group" 
perms="644"/></description>
 <ocil><fileperms-check-macro file="/etc/group" perms="-rw-r--r--"/></ocil>
diff --git a/RHEL/7/input/auxiliary/stig_overlay.xml 
b/RHEL/7/input/auxiliary/stig_overlay.xml
index 794e4c3..ca6bf57 100644
--- a/RHEL/7/input/auxiliary/stig_overlay.xml
+++ b/RHEL/7/input/auxiliary/stig_overlay.xml
@@ -132,7 +132,7 @@
                <VMSinfo VKey="38459" SVKey="50259" VRelease="1" />
                <title>The /etc/group file must be group-owned by root.</title>
        </overlay>
-       <overlay owner="disastig" ruleid="perms_group_file" 
ownerid="RHEL-06-000044" disa="366" severity="medium">
+       <overlay owner="disastig" ruleid="file_permissions_etc_group" 
ownerid="RHEL-06-000044" disa="366" severity="medium">
                <VMSinfo VKey="38461" SVKey="50261" VRelease="1" />
                <title>The /etc/group file must have mode 0644 or less 
permissive.</title>
        </overlay>
diff --git a/RHEL/7/input/checks/file_permissions_etc_group.xml 
b/RHEL/7/input/checks/file_permissions_etc_group.xml
new file mode 120000
index 0000000..7f7ce45
--- /dev/null
+++ b/RHEL/7/input/checks/file_permissions_etc_group.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_etc_group.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml 
b/RHEL/7/input/profiles/rht-ccp.xml
index 573143a..5624d98 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -77,7 +77,7 @@ FILE PERMISSION CHECKS
 <select idref="file_permissions_etc_passwd" selected="true"/>
 <select idref="file_owner_etc_group" selected="true"/>
 <select idref="file_groupowner_etc_group" selected="true"/>
-<select idref="perms_group_file" selected="true"/>
+<select idref="file_permissions_etc_group" selected="true"/>
 <select idref="file_permissions_library_dirs" selected="true"/>
 <select idref="file_ownership_library_dirs" selected="true"/>
 <select idref="file_permissions_binary_dirs" selected="true"/>
diff --git a/RHEL/7/input/system/permissions/files.xml 
b/RHEL/7/input/system/permissions/files.xml
index 7cdfc0e..112755b 100644
--- a/RHEL/7/input/system/permissions/files.xml
+++ b/RHEL/7/input/system/permissions/files.xml
@@ -83,7 +83,7 @@ on the system. Protection of this file is important for 
system security.</ration
 <tested by="DS" on="20121026"/>
 </Rule>
 
-<Rule id="perms_group_file" severity="medium">
+<Rule id="file_permissions_etc_group" severity="medium">
 <title>Verify Permissions on <tt>group</tt> File</title>
 <description><fileperms-desc-macro file="/etc/group" 
perms="644"/></description>
 <ocil><fileperms-check-macro file="/etc/group" perms="-rw-r--r--"/></ocil>
diff --git a/shared/oval/file_permissions_etc_group.xml 
b/shared/oval/file_permissions_etc_group.xml
new file mode 100644
index 0000000..2e0a38b
--- /dev/null
+++ b/shared/oval/file_permissions_etc_group.xml
@@ -0,0 +1,38 @@
+<def-group>
+  <definition class="compliance" id="file_permissions_etc_group" version="1">
+    <metadata>
+      <title>Verify permissions on 'group' file</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>File permissions for /etc/group should be set
+      correctly.</description>
+      <reference source="swells" ref_id="20130918" ref_url="test_attestation" 
/>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_file_permissions_etc_group" />
+    </criteria>
+  </definition>
+  <unix:file_test check="all" check_existence="all_exist"
+  comment="Testing /etc/group permissions" id="test_file_permissions_etc_group"
+  version="1">
+    <unix:object object_ref="object_file_permissions_etc_group" />
+    <unix:state state_ref="state_file_permissions_etc_group" />
+  </unix:file_test>
+  <unix:file_state id="state_file_permissions_etc_group" version="1">
+    <unix:uread datatype="boolean">true</unix:uread>
+    <unix:uwrite datatype="boolean">true</unix:uwrite>
+    <unix:uexec datatype="boolean">false</unix:uexec>
+    <unix:gread datatype="boolean">true</unix:gread>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:gexec datatype="boolean">false</unix:gexec>
+    <unix:oread datatype="boolean">true</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
+  </unix:file_state>
+  <unix:file_object comment="/etc/group" id="object_file_permissions_etc_group"
+  version="1">
+    <unix:filepath>/etc/group</unix:filepath>
+  </unix:file_object>
+</def-group>
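Review bot: The `file_state` in shared/oval/file_permissions_etc_group.xml pins `uread`, `uwrite`, `gread` and `oread` to `true`, so the check passes only for exactly rw-r--r-- and fails a stricter mode such as 0600 or 0640, although the STIG overlay title in this same patch says "mode 0644 or less permissive". Dropping those four `true` entities and keeping only the bits that must be `false` would make the check match the stated requirement. The state also leaves setuid, setgid and sticky unconstrained; consider adding `<unix:suid datatype="boolean">false</unix:suid>`, `<unix:sgid datatype="boolean">false</unix:sgid>` and `<unix:sticky datatype="boolean">false</unix:sticky>`. The `test_attestation` reference keeps ref_id 20130918 while this commit adds the RHEL 7 platform, so the recorded attestation presumably predates the RHEL 7 test and is worth refreshing.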
-- 
1.8.3.1
