[shared] When checking permissions on the /etc/group and /etc/passwd files,
don't require exactly mode 0644; also allow systems that have stronger
file permissions on these files to pass the tests (IOW, make mode 0644
the minimal safe requirement).

Please review.

Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 6b0e606598a049308fd100bf3710c6f469fce3f3 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 3 Apr 2014 14:16:46 +0200
Subject: [PATCH] [shared] When checking permissions on /etc/group and
 /etc/passwd allow also stronger permissions than just exactly 0644

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 shared/oval/file_permissions_etc_group.xml  | 13 ++++++-------
 shared/oval/file_permissions_etc_passwd.xml | 30 +++++++++++++----------------
 2 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/shared/oval/file_permissions_etc_group.xml b/shared/oval/file_permissions_etc_group.xml
index 2e0a38b..23e1ad3 100644
--- a/shared/oval/file_permissions_etc_group.xml
+++ b/shared/oval/file_permissions_etc_group.xml
@@ -1,5 +1,5 @@
 <def-group>
-  <definition class="compliance" id="file_permissions_etc_group" version="1">
+  <definition class="compliance" id="file_permissions_etc_group" version="2">
     <metadata>
       <title>Verify permissions on 'group' file</title>
       <affected family="unix">
@@ -8,7 +8,7 @@
       </affected>
       <description>File permissions for /etc/group should be set
       correctly.</description>
-      <reference source="swells" ref_id="20130918" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140403" ref_url="test_attestation" />
     </metadata>
     <criteria>
       <criterion test_ref="test_file_permissions_etc_group" />
@@ -20,14 +20,13 @@
     <unix:object object_ref="object_file_permissions_etc_group" />
     <unix:state state_ref="state_file_permissions_etc_group" />
   </unix:file_test>
-  <unix:file_state id="state_file_permissions_etc_group" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
+  <unix:file_state id="state_file_permissions_etc_group" version="2">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
     <unix:uexec datatype="boolean">false</unix:uexec>
-    <unix:gread datatype="boolean">true</unix:gread>
     <unix:gwrite datatype="boolean">false</unix:gwrite>
     <unix:gexec datatype="boolean">false</unix:gexec>
-    <unix:oread datatype="boolean">true</unix:oread>
     <unix:owrite datatype="boolean">false</unix:owrite>
     <unix:oexec datatype="boolean">false</unix:oexec>
   </unix:file_state>
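Review bot: The rewritten state `state_file_permissions_etc_group` (version 2) drops the `uread`/`uwrite` entities without replacing them, so every remaining entity only asserts that a bit is clear; an /etc/group that is unreadable even by its owner (mode 0000, or 0200) now satisfies the test just as 0644 does. The same applies to `_etc_passwd_state_mode_0644_or_stronger` in the second file. If "stronger" is meant to admit 0640 or 0600 but still require a usable file, keep `<unix:uread datatype="boolean">true</unix:uread>` in both states. The description earlier in this file still reads only "should be set correctly"; consider stating the accepted range as the /etc/passwd description now does, e.g. `File permissions for /etc/group should be 0644 or more restrictive.`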
diff --git a/shared/oval/file_permissions_etc_passwd.xml b/shared/oval/file_permissions_etc_passwd.xml
index 7bddac9..823c54b 100644
--- a/shared/oval/file_permissions_etc_passwd.xml
+++ b/shared/oval/file_permissions_etc_passwd.xml
@@ -1,15 +1,15 @@
 <def-group>
  <!-- THIS FILE IS GENERATED by create_permission_checks.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="file_permissions_etc_passwd" version="1">
+  <definition class="compliance" id="file_permissions_etc_passwd" version="2">
     <metadata>
       <title>Verify /etc/passwd Permissions</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
         <platform>Red Hat Enterprise Linux 7</platform>
       </affected>
-      <description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644. If
+      <description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644 (or stronger). If
       the target file or directory has an extended ACL then it will fail the mode check.</description>
-      <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
+      <reference source="JL" ref_id="20140403" ref_url="test_attestation"/>
     </metadata>
     <criteria>
       <criterion test_ref="test_etc_passwd" />
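Review bot: The comment on the second line of this hunk states that the file is generated by create_permission_checks.py and must not be edited, yet the hunk hand-edits the definition version, description and reference (and the later hunks rename and relax the mode state). Unless the generator is changed as well, the next regeneration will silently revert the check to exact 0644 and reintroduce the old `_etc_passwd_state_mode_0644` id. Either update create_permission_checks.py to emit the new `_etc_passwd_state_mode_0644_or_stronger` state, or remove the DO NOT EDIT comment if this file is now maintained by hand.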
@@ -19,7 +19,7 @@
     <unix:object object_ref="object_etc_passwd" />
     <unix:state state_ref="_etc_passwd_state_uid_0" />
     <unix:state state_ref="_etc_passwd_state_gid_0" />
-    <unix:state state_ref="_etc_passwd_state_mode_0644" />
+    <unix:state state_ref="_etc_passwd_state_mode_0644_or_stronger" />
   </unix:file_test>
   <unix:file_object comment="/etc/passwd" id="object_etc_passwd" version="1">
     <unix:filepath>/etc/passwd</unix:filepath>
@@ -30,18 +30,14 @@
   <unix:file_state id="_etc_passwd_state_gid_0" version="1">
     <unix:group_id datatype="int" operation="equals">0</unix:group_id>
   </unix:file_state>
-  <unix:file_state id="_etc_passwd_state_mode_0644" version="1">
-	<unix:suid datatype="boolean">false</unix:suid>
-	<unix:sgid datatype="boolean">false</unix:sgid>
-	<unix:sticky datatype="boolean">false</unix:sticky>
-	<unix:uread datatype="boolean">true</unix:uread>
-	<unix:uwrite datatype="boolean">true</unix:uwrite>
-	<unix:uexec datatype="boolean">false</unix:uexec>
-	<unix:gread datatype="boolean">true</unix:gread>
-	<unix:gwrite datatype="boolean">false</unix:gwrite>
-	<unix:gexec datatype="boolean">false</unix:gexec>
-	<unix:oread datatype="boolean">true</unix:oread>
-	<unix:owrite datatype="boolean">false</unix:owrite>
-	<unix:oexec datatype="boolean">false</unix:oexec>
+  <unix:file_state id="_etc_passwd_state_mode_0644_or_stronger" version="2">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
+    <unix:uexec datatype="boolean">false</unix:uexec>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:gexec datatype="boolean">false</unix:gexec>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
   </unix:file_state>
 </def-group>
-- 
1.8.3.1
