>From 89c957f6eb8ce52e17dcc3589fc88b0ed42f66bc Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 02:59:15 -0500
Subject: [PATCH 29/31] Renamed XCCDF audit_logs_permissions to
file_permissions_var_log_audit, added to shared/
- Renamed XCCDF rule to align with fileperm template
- Tested on RHEL7, updated CPE, moved to shared/, created symlinks
---
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +-
.../checks/file_permissions_var_log_audit.xml | 37 +---------------------
RHEL/6/input/profiles/CS2.xml | 2 +-
RHEL/6/input/profiles/common.xml | 2 +-
.../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
RHEL/6/input/profiles/nist-CL-IL-AL.xml | 2 +-
RHEL/6/input/profiles/rht-ccp.xml | 2 +-
RHEL/6/input/system/auditing.xml | 2 +-
RHEL/7/input/auxiliary/stig_overlay.xml | 2 +-
.../checks/file_permissions_var_log_audit.xml | 1 +
RHEL/7/input/profiles/rht-ccp.xml | 2 +-
RHEL/7/input/system/auditing.xml | 2 +-
shared/oval/file_permissions_var_log_audit.xml | 37 ++++++++++++++++++++++
13 files changed, 49 insertions(+), 46 deletions(-)
mode change 100644 => 120000
RHEL/6/input/checks/file_permissions_var_log_audit.xml
create mode 120000 RHEL/7/input/checks/file_permissions_var_log_audit.xml
create mode 100644 shared/oval/file_permissions_var_log_audit.xml
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml
b/RHEL/6/input/auxiliary/stig_overlay.xml
index ff2e42c..0186138 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -1053,7 +1053,7 @@
<overlay owner="disastig" ruleid="met_inherently_auditing"
ownerid="RHEL-06-000382" disa="159" severity="medium">
<title>The operating system must use internal system clocks to
generate time stamps for audit records.</title>
</overlay>
- <overlay owner="disastig" ruleid="audit_logs_permissions"
ownerid="RHEL-06-000383" disa="163" severity="medium">
+ <overlay owner="disastig" ruleid="file_permissions_var_log_audit"
ownerid="RHEL-06-000383" disa="163" severity="medium">
<VMSinfo VKey="38498" SVKey="50299" VRelease="1" />
<title>Audit log files must have mode 0640 or less
permissive.</title>
</overlay>
diff --git a/RHEL/6/input/checks/file_permissions_var_log_audit.xml
b/RHEL/6/input/checks/file_permissions_var_log_audit.xml
deleted file mode 100644
index fae4702..0000000
--- a/RHEL/6/input/checks/file_permissions_var_log_audit.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_var_log_audit"
version="1">
- <metadata>
- <title>Verify /var/log/audit Permissions</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Checks for correct permissions for all log files in
/var/log/audit.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_file_permissions_var_log_audit" negate="true"
/>
- </criteria>
- </definition>
- <unix:file_test check="all" check_existence="at_least_one_exists"
comment="/var/log/audit files mode 0640"
id="test_file_permissions_var_log_audit" version="1">
- <unix:object object_ref="object_var_log_audit_files" />
- <unix:state state_ref="state_not_mode_0640" />
- </unix:file_test>
- <unix:file_object comment="/var/log/audit files"
id="object_var_log_audit_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down"
max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/var/log/audit</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_not_mode_0640</filter>
- </unix:file_object>
- <unix:file_state id="state_not_mode_0640" version="1" operator="OR">
- <!-- if any one of these is true then mode is NOT 0640 (hence the OR
operator) -->
- <unix:suid datatype="boolean">true</unix:suid>
- <unix:sgid datatype="boolean">true</unix:sgid>
- <unix:sticky datatype="boolean">true</unix:sticky>
- <unix:uexec datatype="boolean">true</unix:uexec>
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:gexec datatype="boolean">true</unix:gexec>
- <unix:oread datatype="boolean">true</unix:oread>
- <unix:owrite datatype="boolean">true</unix:owrite>
- <unix:oexec datatype="boolean">true</unix:oexec>
- </unix:file_state>
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_var_log_audit.xml
b/RHEL/6/input/checks/file_permissions_var_log_audit.xml
new file mode 120000
index 0000000..ac79299
--- /dev/null
+++ b/RHEL/6/input/checks/file_permissions_var_log_audit.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_var_log_audit.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index 1486b0a..ad0ee18 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -136,7 +136,7 @@
<select idref="audit_rules_dac_modification_setxattr" selected="true"/>
<select idref="audit_kernel_module_loading" selected="true"/>
<select idref="audit_config_immutable" selected="true" />
-<select idref="audit_logs_permissions" selected="true"/>
+<select idref="file_permissions_var_log_audit" selected="true"/>
<select idref="audit_logs_rootowner" selected="true" />
<select idref="audit_manual_logon_edits" selected="true" />
<select idref="audit_manual_session_edits" selected="true" />
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index 55e2830..07cfd51 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -45,7 +45,7 @@
<select idref="file_permissions_binary_dirs" selected="true"/>
<select idref="file_ownership_binary_dirs" selected="true"/>
-<select idref="audit_logs_permissions" selected="true"/>
+<select idref="file_permissions_var_log_audit" selected="true"/>
<select idref="accounts_password_minlen_login_defs" selected="true"/>
<select idref="accounts_minimum_age_login_defs" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 1b68a8f..07e9ba9 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -64,7 +64,7 @@
<select idref="selinux_all_devicefiles_labeled" selected="true" />
<select idref="userowner_rsyslog_files" selected="true" />
<select idref="groupowner_rsyslog_files" selected="true" />
-<select idref="audit_logs_permissions" selected="true" />
+<select idref="file_permissions_var_log_audit" selected="true" />
<select idref="audit_logs_rootowner" selected="true" />
<select idref="audit_config_immutable" selected="true" />
<select idref="accounts_no_uid_except_zero" selected="true" />
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index b8c4e10..06d2c69 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -131,7 +131,7 @@ assurance."</description>
<select idref="audit_config_immutable" selected="true" \>
<select idref="service_oddjobd_disabled" selected="true" \>
<select idref="rpm_verify_permissions" selected="true" \>
-<select idref="audit_logs_permissions" selected="true" \>
+<select idref="file_permissions_var_log_audit" selected="true" \>
<select idref="audit_logs_rootowner" selected="true" \>
<select idref="userowner_shadow_file" selected="true" \>
<select idref="groupowner_shadow_file" selected="true" \>
diff --git a/RHEL/6/input/profiles/rht-ccp.xml
b/RHEL/6/input/profiles/rht-ccp.xml
index 495fdb2..69fbb25 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -83,7 +83,7 @@
<select idref="file_ownership_library_dirs" selected="true"/>
<select idref="file_permissions_binary_dirs" selected="true"/>
<select idref="file_ownership_binary_dirs" selected="true"/>
-<select idref="audit_logs_permissions" selected="true"/>
+<select idref="file_permissions_var_log_audit" selected="true"/>
<select idref="user_owner_grub_conf" selected="true"/>
<select idref="group_owner_grub_conf" selected="true"/>
<select idref="permissions_grub_conf" selected="true"/>
diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml
index 2777db1..6ab1527 100644
--- a/RHEL/6/input/system/auditing.xml
+++ b/RHEL/6/input/system/auditing.xml
@@ -675,7 +675,7 @@ audited.</rationale>
<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
</Rule>
-<Rule id="audit_logs_permissions">
+<Rule id="file_permissions_var_log_audit">
<title>System Audit Logs Must Have Mode 0640 or Less Permissive</title>
<description>
Change the mode of the audit log files with the following command:
diff --git a/RHEL/7/input/auxiliary/stig_overlay.xml
b/RHEL/7/input/auxiliary/stig_overlay.xml
index ca6bf57..39180cb 100644
--- a/RHEL/7/input/auxiliary/stig_overlay.xml
+++ b/RHEL/7/input/auxiliary/stig_overlay.xml
@@ -1053,7 +1053,7 @@
<overlay owner="disastig" ruleid="met_inherently_auditing"
ownerid="RHEL-06-000382" disa="159" severity="medium">
<title>The operating system must use internal system clocks to
generate time stamps for audit records.</title>
</overlay>
- <overlay owner="disastig" ruleid="audit_logs_permissions"
ownerid="RHEL-06-000383" disa="163" severity="medium">
+ <overlay owner="disastig" ruleid="file_permissions_var_log_audit"
ownerid="RHEL-06-000383" disa="163" severity="medium">
<VMSinfo VKey="38498" SVKey="50299" VRelease="1" />
<title>Audit log files must have mode 0640 or less
permissive.</title>
</overlay>
diff --git a/RHEL/7/input/checks/file_permissions_var_log_audit.xml
b/RHEL/7/input/checks/file_permissions_var_log_audit.xml
new file mode 120000
index 0000000..ac79299
--- /dev/null
+++ b/RHEL/7/input/checks/file_permissions_var_log_audit.xml
@@ -0,0 +1 @@
+../../../../shared/oval/file_permissions_var_log_audit.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml
b/RHEL/7/input/profiles/rht-ccp.xml
index 5624d98..9a58d05 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -82,7 +82,7 @@ FILE PERMISSION CHECKS
<select idref="file_ownership_library_dirs" selected="true"/>
<select idref="file_permissions_binary_dirs" selected="true"/>
<select idref="file_ownership_binary_dirs" selected="true"/>
-<select idref="audit_logs_permissions" selected="true"/>
+<select idref="file_permissions_var_log_audit" selected="true"/>
<select idref="user_owner_grub_conf" selected="true"/>
<select idref="group_owner_grub_conf" selected="true"/>
<select idref="permissions_grub_conf" selected="true"/>
diff --git a/RHEL/7/input/system/auditing.xml b/RHEL/7/input/system/auditing.xml
index 355c7ef..9711628 100644
--- a/RHEL/7/input/system/auditing.xml
+++ b/RHEL/7/input/system/auditing.xml
@@ -675,7 +675,7 @@ audited.</rationale>
<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
</Rule>
-<Rule id="audit_logs_permissions">
+<Rule id="file_permissions_var_log_audit">
<title>System Audit Logs Must Have Mode 0640 or Less Permissive</title>
<description>
Change the mode of the audit log files with the following command:
diff --git a/shared/oval/file_permissions_var_log_audit.xml
b/shared/oval/file_permissions_var_log_audit.xml
new file mode 100644
index 0000000..a35ca2f
--- /dev/null
+++ b/shared/oval/file_permissions_var_log_audit.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="compliance" id="file_permissions_var_log_audit"
version="1">
+ <metadata>
+ <title>Verify /var/log/audit Permissions</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>Checks for correct permissions for all log files in
/var/log/audit.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_file_permissions_var_log_audit" negate="true"
/>
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="at_least_one_exists"
comment="/var/log/audit files mode 0640"
id="test_file_permissions_var_log_audit" version="1">
+ <unix:object object_ref="object_var_log_audit_files" />
+ <unix:state state_ref="state_not_mode_0640" />
+ </unix:file_test>
+ <unix:file_object comment="/var/log/audit files"
id="object_var_log_audit_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down"
max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/var/log/audit</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_not_mode_0640</filter>
+ </unix:file_object>
+ <unix:file_state id="state_not_mode_0640" version="1" operator="OR">
+ <!-- if any one of these is true then mode is NOT 0640 (hence the OR
operator) -->
+ <unix:suid datatype="boolean">true</unix:suid>
+ <unix:sgid datatype="boolean">true</unix:sgid>
+ <unix:sticky datatype="boolean">true</unix:sticky>
+ <unix:uexec datatype="boolean">true</unix:uexec>
+ <unix:gwrite datatype="boolean">true</unix:gwrite>
+ <unix:gexec datatype="boolean">true</unix:gexec>
+ <unix:oread datatype="boolean">true</unix:oread>
+ <unix:owrite datatype="boolean">true</unix:owrite>
+ <unix:oexec datatype="boolean">true</unix:oexec>
+ </unix:file_state>
+</def-group>
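Review bot: The negated criterion at the top of the hunk (`negate="true"` over a test with `check_existence="at_least_one_exists"`) reports compliant whenever the filtered object collects nothing, which covers not only "every file is 0640 or tighter" but also "/var/log/audit is absent or empty"; if that is the intended semantics it should be stated, because a reader can easily assume the rule also asserts the directory exists. A one-line comment above `<criteria>` would make the pattern explicit: `<!-- filter keeps only offending files; negating the existence test passes exactly when none remain -->`. Separately, `recurse="directories"` with `max_depth="-1"` and the `^.*$` filename pattern may, on interpreters that treat subdirectory entries as matched filenames, flag any subdirectory under /var/log/audit for its execute bits — likely moot for a flat log directory, but worth confirming now that the definition is shared by both product trees. The inherited OR-semantics comment inside `unix:file_state` is accurate and reads fine in the new location.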
--
1.8.3.1