When checking the "Verify /boot/grub/grub.conf Permissions" rule,
allow the check to also succeed when the underlying system has
stronger (more restrictive) file permissions on /boot/grub/grub.conf
than exactly 0600 (in other words, instead of requiring exactly 0600,
treat the 0600 mode as the upper bound of the allowed permission
range).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 1203661223621428e00271a236432540cde59ff6 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 3 Apr 2014 13:17:34 +0200
Subject: [PATCH] [RHEL/6] Allow /boot/grub/grub.conf permissions to be
 stronger than 0600

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL/6/input/checks/file_permissions_grub_conf.xml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml b/RHEL/6/input/checks/file_permissions_grub_conf.xml
index 747f2d9..3347a8b 100644
--- a/RHEL/6/input/checks/file_permissions_grub_conf.xml
+++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml
@@ -1,11 +1,11 @@
 <def-group>
-  <definition class="compliance" id="file_permissions_grub_conf" version="1">
+  <definition class="compliance" id="file_permissions_grub_conf" version="2">
     <metadata>
       <title>File /boot/grub/grub.conf Permissions</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
-      <description>File permissions for /boot/grub/grub.conf should be set to 0600.</description>
+      <description>File permissions for /boot/grub/grub.conf should be set to 0600 (or stronger).</description>
     </metadata>
     <criteria>
       <criterion test_ref="test_file_permissions_grub_conf" />
@@ -22,9 +22,7 @@
     <unix:filename>grub.conf</unix:filename>
   </unix:file_object>
 
-  <unix:file_state id="state_file_permissions_grub_conf" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
+  <unix:file_state id="state_file_permissions_grub_conf" version="2">
     <unix:uexec datatype="boolean">false</unix:uexec>
     <unix:gread datatype="boolean">false</unix:gread>
     <unix:gwrite datatype="boolean">false</unix:gwrite>
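Review bot: Dropping uread/uwrite makes 0600 the upper bound for the rwx bits, but the state still says nothing about the setuid, setgid and sticky bits, so a grub.conf with mode 4600 or 2600 would pass this check; the commit does not address that pre-existing gap. If the intent is "0600 or stronger", I would pin those bits as well, directly after the opening `<unix:file_state>` tag, since the OVAL unix schema (as far as I recall) orders suid/sgid/sticky before the u/g/o permission elements: `<unix:suid datatype="boolean">false</unix:suid>`, `<unix:sgid datatype="boolean">false</unix:sgid>`, `<unix:sticky datatype="boolean">false</unix:sticky>`. Note also that with uread/uwrite gone a mode of 0000 now passes, which matches the stated upper-bound intent but is worth saying explicitly in the description. The file_state's remaining gexec/oread/owrite/oexec elements and its closing tag lie past the end of this hunk, so I could not confirm they are still all false.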
-- 
1.8.3.1
