[RHEL/6] Don't require exact permissions on httpd directories / files:
         * 0700 on /var/log/httpd directory
         * 0750 on /etc/httpd/conf directory
         * 0640 on /etc/httpd/conf/* files
         But allow also systems having stronger permission requirements
         on these files to meet the checks / policy.

Besides that, the HTML version of the guide stated a 0700 mode
requirement for the permissions of the /var/log/httpd directory (but in fact
the corresponding OVAL check was checking for 0750 mode). This patch fixes
this inconsistency too (by making the OVAL check test against 0700 mode).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From d02fe5b9e6ecf7182fedeb113c306ff2b4e0d868 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 3 Apr 2014 15:43:16 +0200
Subject: [PATCH] [RHEL/6] Don't require exact permissions on httpd directories
 / files:          * 0700 on /var/log/httpd directory          * 0750 on
 /etc/httpd/conf directory          * 0640 on /etc/httpd/conf/* files         
 But allow also systems having stronger permission requirements          on
 these files to meet the checks / policy.

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL/6/input/checks/dir_perms_etc_httpd_conf.xml        | 13 +++++++------
 RHEL/6/input/checks/dir_perms_var_log_httpd.xml         | 17 +++++++++--------
 .../checks/file_permissions_httpd_server_conf_files.xml | 12 +++++++-----
 3 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/RHEL/6/input/checks/dir_perms_etc_httpd_conf.xml b/RHEL/6/input/checks/dir_perms_etc_httpd_conf.xml
index 305e57a..eb189ee 100644
--- a/RHEL/6/input/checks/dir_perms_etc_httpd_conf.xml
+++ b/RHEL/6/input/checks/dir_perms_etc_httpd_conf.xml
@@ -1,11 +1,12 @@
 <def-group>
-  <definition class="compliance" id="dir_perms_etc_httpd_conf" version="1">
+  <definition class="compliance" id="dir_perms_etc_httpd_conf" version="2">
     <metadata>
       <title>Directory /etc/httpd/conf/ Permissions</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
-      <description>Directory permissions for /etc/httpd/conf/ should be set to 0750.</description>
+      <description>Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).</description>
+      <reference source="JL" ref_id="20140403" ref_url="test_attestation"/>
     </metadata>
     <criteria>
       <criterion test_ref="test_dir_perms_etc_httpd_conf" />
@@ -22,10 +23,10 @@
     <unix:filename xsi:nil="true" />
   </unix:file_object>
 
-  <unix:file_state id="state_dir_perms_etc_httpd_conf" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
-    <unix:uexec datatype="boolean">true</unix:uexec>
+  <unix:file_state id="state_dir_perms_etc_httpd_conf" version="2">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
     <unix:gread datatype="boolean">true</unix:gread>
     <unix:gwrite datatype="boolean">false</unix:gwrite>
     <unix:gexec datatype="boolean">true</unix:gexec>
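Review bot: The new state still requires `gread` and `gexec` to be true (the two kept lines at the end of this hunk), and since every entity in an OVAL file_state must match, a directory with a stricter mode such as 0700 fails the test even though the updated description now promises "0750 (or stronger)". For an upper-bound check only the bits that must be clear should be asserted, so drop `<unix:gread datatype="boolean">true</unix:gread>` and `<unix:gexec datatype="boolean">true</unix:gexec>` and keep the false-valued entities. The same mismatch is present in the file_permissions_httpd_server_conf_files state hunk, where `<unix:gread datatype="boolean">true</unix:gread>` is retained, so 0600 files fail a check described as "0640 or stronger". The dir_perms_var_log_httpd state, by contrast, asserts only false values and does allow stronger modes. The remaining entities of this file_state (the other/world bits) lie outside the hunk.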
diff --git a/RHEL/6/input/checks/dir_perms_var_log_httpd.xml b/RHEL/6/input/checks/dir_perms_var_log_httpd.xml
index 7df7d28..7e54e8a 100644
--- a/RHEL/6/input/checks/dir_perms_var_log_httpd.xml
+++ b/RHEL/6/input/checks/dir_perms_var_log_httpd.xml
@@ -1,11 +1,12 @@
 <def-group>
-  <definition class="compliance" id="dir_perms_var_log_httpd" version="1">
+  <definition class="compliance" id="dir_perms_var_log_httpd" version="2">
     <metadata>
       <title>Directory /var/log/httpd/ Permissions</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
-      <description>Directory permissions for /var/log/httpd should be set to 0750.</description>
+      <description>Directory permissions for /var/log/httpd should be set to 0700 (or stronger).</description>
+      <reference source="JL" ref_id="20140403" ref_url="test_attestation"/>
     </metadata>
     <criteria>
       <criterion test_ref="test_dir_perms_var_log_httpd" />
@@ -22,13 +23,13 @@
     <unix:filename xsi:nil="true" />
   </unix:file_object>
 
-  <unix:file_state id="state_dir_perms_var_log_httpd" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
-    <unix:uexec datatype="boolean">true</unix:uexec>
-    <unix:gread datatype="boolean">true</unix:gread>
+  <unix:file_state id="state_dir_perms_var_log_httpd" version="2">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
+    <unix:gread datatype="boolean">false</unix:gread>
     <unix:gwrite datatype="boolean">false</unix:gwrite>
-    <unix:gexec datatype="boolean">true</unix:gexec>
+    <unix:gexec datatype="boolean">false</unix:gexec>
     <unix:oread datatype="boolean">false</unix:oread>
     <unix:owrite datatype="boolean">false</unix:owrite>
     <unix:oexec datatype="boolean">false</unix:oexec>
diff --git a/RHEL/6/input/checks/file_permissions_httpd_server_conf_files.xml b/RHEL/6/input/checks/file_permissions_httpd_server_conf_files.xml
index fb74501..d7a29a2 100644
--- a/RHEL/6/input/checks/file_permissions_httpd_server_conf_files.xml
+++ b/RHEL/6/input/checks/file_permissions_httpd_server_conf_files.xml
@@ -1,12 +1,13 @@
 <def-group>
   <definition class="compliance"
-  id="file_permissions_httpd_server_conf_files" version="1">
+  id="file_permissions_httpd_server_conf_files" version="2">
     <metadata>
       <title>Verify Permissions On Apache Web Server Configuration Files</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
-      <description>The /etc/httpd/conf/* files should have the appropriate permissions.</description>
+      <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
+      <reference source="JL" ref_id="20140403" ref_url="test_attestation"/>
     </metadata>
     <criteria>
       <criterion test_ref="test_file_permissions_httpd_server_conf_files" />
@@ -18,9 +19,10 @@
     <unix:state state_ref="state_file_permissions_httpd_server_conf_files" />
   </unix:file_test>
   <unix:file_state id="state_file_permissions_httpd_server_conf_files"
-  version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
+  version="2">
+    <unix:suid datatype="boolean">false</unix:suid>
+    <unix:sgid datatype="boolean">false</unix:sgid>
+    <unix:sticky datatype="boolean">false</unix:sticky>
     <unix:uexec datatype="boolean">false</unix:uexec>
     <unix:gread datatype="boolean">true</unix:gread>
     <unix:gwrite datatype="boolean">false</unix:gwrite>
-- 
1.8.3.1
