Patch summary: The current implementation of the accounts_umask_etc_profile check is checking just the first occurrence of the umask keyword in the /etc/profile file. But the last occurrence is the one that's actually applied. This can be checked by having:

    umask 077
    umask 022

in /etc/profile, logging in to a new log-in session for a particular user (su - $USER), and running the "umask" command without arguments (the last setting, e.g. 0022, is reported as the actual umask value used for file creation. Can be verified by checking the mode of a newly created file in that session). So instead of checking just the first value (and possibly reporting a false-negative test result), check all occurrences (and report the proper result).

Testing report: The patch has been tested on RHEL-6 & works properly.

Please review.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
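The last-assignment-wins behaviour the summary describes, emulated over a file with the same shape of pattern the OVAL object uses. This is an added example, not code from the mail or from scap-security-guide: the /etc/profile fragment is constructed, the function names (umask_values, effective_umask, umask_at_least, check_profile) are my own, and umask_at_least accepts any mask at least as strict as the required one, which is broader than an exact match against a single expected value.

```shell
#!/bin/sh
# Added example (not from the mail or scap-security-guide): emulate the
# accounts_umask_etc_profile check over every umask assignment in a file,
# and show which value a login shell actually ends up with.

# Constructed /etc/profile fragment for the demo (written to a temp file so
# that the functions below take a real path, as they would on a system).
SAMPLE_PROFILE=$(mktemp)
trap 'rm -f "$SAMPLE_PROFILE"' EXIT
cat > "$SAMPLE_PROFILE" <<'EOF'
# constructed sample, not a real /etc/profile
if [ "$UID" -gt 199 ]; then
    umask 077    # strict, but overridden below
fi
umask 022        # last assignment: this is what "umask" reports after login
EOF

# Every umask value in file order, extracted with the same shape of pattern
# as the OVAL object: optional leading whitespace, "umask", whitespace, then
# the value up to the next whitespace or '#'.
umask_values() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([^#[:space:]]*\).*/\1/p' "$1"
}

# The value a new login session gets: the last assignment wins.
effective_umask() {
    umask_values "$1" | tail -n 1
}

# Succeeds when candidate mask $1 is at least as strict as required mask $2,
# i.e. every permission bit the required mask removes is removed by the
# candidate too. Symbolic masks (u=rwx,g=,o=) are treated as failures here.
umask_at_least() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    case $2 in ''|*[!0-7]*) return 1 ;; esac
    cand=$(( 0$1 )) ; req=$(( 0$2 ))    # leading 0 forces octal
    [ $(( cand & req )) -eq "$req" ]
}

# The check with "all items must satisfy the state" semantics: pass only if
# at least one umask is set and none of them is looser than $2. Because the
# last assignment is the effective one, demanding that all of them comply is
# the way a single pass over the file avoids the false negative described
# in the summary.
check_profile() {
    file=$1 ; required=$2
    count=0 ; bad=0
    for v in $(umask_values "$file"); do
        count=$(( count + 1 ))
        umask_at_least "$v" "$required" || bad=$(( bad + 1 ))
    done
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

printf 'umask assignments found: %s\n' "$(umask_values "$SAMPLE_PROFILE" | tr '\n' ' ')"
printf 'effective umask:         %s\n' "$(effective_umask "$SAMPLE_PROFILE")"
if check_profile "$SAMPLE_PROFILE" 077; then
    echo "PASS: every umask in the file is at least 077"
else
    echo "FAIL: an occurrence is looser than 077 (a first-match-only check would have passed)"
fi
```

On the constructed sample, a first-match-only check reads 077 and passes, while the login shell actually applies 022; checking every occurrence reports the failure.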
From e32b7d5800d16f40e46d6448c6fc64c7f2887d1a Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Wed, 16 Apr 2014 18:29:28 +0200 Subject: [PATCH] [RHEL/6] accounts_umask_etc_profile - when checking umask check all the occurrences not just the first one (because the last listed one is actually the one applied) Signed-off-by: Jan Lieskovsky <[email protected]> --- RHEL/6/input/checks/accounts_umask_etc_profile.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/RHEL/6/input/checks/accounts_umask_etc_profile.xml b/RHEL/6/input/checks/accounts_umask_etc_profile.xml index 18e1226..5789d4a 100644 --- a/RHEL/6/input/checks/accounts_umask_etc_profile.xml +++ b/RHEL/6/input/checks/accounts_umask_etc_profile.xml @@ -9,7 +9,7 @@ </affected> <description>The default umask for all users should be set correctly</description> - <reference source="MED" ref_id="20130807" ref_url="test_attestation" /> + <reference source="JL" ref_id="20140416" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_accounts_umask_etc_profile" /> @@ -27,9 +27,9 @@ </ind:textfilecontent54_state> <external_variable comment="user umask" datatype="string" id="var_accounts_user_umask" version="1" /> <ind:textfilecontent54_object id="obj_accounts_umask_etc_profile" - version="1"> + version="2"> <ind:filepath>/etc/profile</ind:filepath> <ind:pattern operation="pattern match">^[\s]*umask[\s]+([^#\s]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.8.3.1
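Review bot: in the second hunk, changing the instance element to `<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>` makes the object collect every umask assignment in /etc/profile, which is what removes the false negative described in the summary; whether the test then passes only when all of those items satisfy the state, or when any one of them does, is governed by the `check` attribute of the textfilecontent54_test element, which this diff does not show. Since the last assignment is the one a login shell applies, the test needs "all" semantics (so that a lax value following a compliant one is reported), and it would be worth confirming that attribute on the test element in the same change rather than leaving it implicit. The version bump of the object from 1 to 2 is the right accompaniment to a change in what the object collects.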
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
