On 4/16/14, 2:40 AM, Jan Lieskovsky wrote:
Kernel command line options are recognized / honoured also when present in UPPER / MiXeD case => make the (selinux|enforcing)=0 test within enable_selinux_bootloader check to work properly also in case these "non-standard" types of font case would be used in /etc/grub.conf.

Patch summary:
* Make the (selinux|enforcing)=0 test within enable_selinux_bootloader check case insensitive (update the regex)
* Update criteria / object / state comments where appropriate
* Update test attestation stamp

Testing report: Tested on RHEL-6 and works properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-Make-the-selinux-enforcing-0-test-within-enab.patch

From 814c9d785328e978365073518391778b51c4763a Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky<[email protected]> Date: Wed, 16 Apr 2014 11:30:13 +0200 Subject: [PATCH] [RHEL/6] Make the (selinux|enforcing)=0 test within enable_selinux_bootloader check case-insensitive Signed-off-by: Jan Lieskovsky<[email protected]> --- RHEL/6/input/checks/enable_selinux_bootloader.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/RHEL/6/input/checks/enable_selinux_bootloader.xml b/RHEL/6/input/checks/enable_selinux_bootloader.xml index 2a1caf2..18a524f 100644 --- a/RHEL/6/input/checks/enable_selinux_bootloader.xml +++ b/RHEL/6/input/checks/enable_selinux_bootloader.xml 
@@ -6,24 +6,24 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description> - Check if selinux=0 OR enforcing=0 within /etc/grub.conf lines, fail if found. + Case-insensitive check if selinux=0 OR enforcing=0 within /etc/grub.conf lines, fail if found. </description> - <reference source="swells" ref_id="20130901" ref_url="test_attestation" /> + <reference source="JL" ref_id="20140416" ref_url="test_attestation" /> </metadata> <criteria> - <criterion comment="check value selinux|enforcing=0 in /etc/grub.conf, fail if found" test_ref="test_selinux_grub" /> + <criterion comment="case-insensitive check value selinux|enforcing=0 in /etc/grub.conf, fail if found" test_ref="test_selinux_grub" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" - comment="check value selinux|enforcing=0 in /etc/grub.conf, fail if found" + comment="case-insensitive check value selinux|enforcing=0 in /etc/grub.conf, fail if found" id="test_selinux_grub" version="1"> <ind:object object_ref="object_selinux_grub" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_selinux_grub" - comment="check value selinux|enforcing=0 in /etc/grub.conf, fail if found" - version="1"> + comment="case-insensitive check value selinux|enforcing=0 in /etc/grub.conf, fail if found" + version="2"> <ind:filepath>/etc/grub.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*kernel[\s]+.*(selinux|enforcing)=0.*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*kernel[\s]+.*(?i)(selinux|enforcing)(?-i)=0.*$</ind:pattern> <ind:instance datatype="int" operation="equals">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.8.3.1
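Review bot: In the updated <ind:pattern> line the case-insensitive group is still not bounded as a whole kernel argument: the leading .* lets (selinux|enforcing) match as the tail of a longer parameter name, and the trailing =0.* also matches values that merely begin with 0, such as =01. Because the test uses check_existence="none_exist", any such match fails the check, and making the group case-insensitive widens what can match. Consider requiring whitespace before the group and whitespace or end of line after the 0, for example [\s]+(?i)(selinux|enforcing)(?-i)=0([\s].*)?$. Separately, object_selinux_grub goes from version="1" to version="2" while test_selinux_grub keeps version="1" even though its comment changed in the same hunk; either bump both or note why only the object is versioned.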
ack
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
