Hi,

Should the "library directories" test include subdirectories or just the directories themselves? The required '/' at the expression end doesn't look right. The mentioned directories (/lib, /lib64, /usr/lib, and /usr/lib64) would not match the pattern.
Jan

On Apr 22, 2014, at 11:49, Shawn Wells wrote:

>
> On 4/22/14, 11:23 AM, Renshaw, Richard /c wrote:
>> In my particular case, it would fail the 'file_ownership_library_dirs'
>> (CCE-27424-1) test by finding this file:
>>
>> 528273 12 -rwsr-xr-x 1 abrt abrt 9904 Aug 13 2013
>> /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
>>
>> Patched ssg-rhel6-oval.xml to include a / at the end of the directory in the
>> pattern match
>>
>> --- orig.ssg-rhel6-oval.xml 2014-04-22 10:14:05.181639519 -0500
>> +++ ssg-rhel6-oval.xml 2014-04-22 10:15:26.376636705 -0500
>> @@ -10573,13 +10573,13 @@ >> </linux:rpminfo_object> >> <unix:file_object comment="library directories" id="oval:ssg:obj:1862" >> version="1"> >> <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories >> belong to user with uid 0 (root) --> >> - <unix:path operation="pattern >> match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> >> + <unix:path operation="pattern >> match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path> >> <unix:filename xsi:nil="true"/> >> <filter action="include">oval:ssg:ste:2182</filter> >> </unix:file_object> >> <unix:file_object comment="library files" id="oval:ssg:obj:1863" >> version="1"> >> <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 >> directories belong to user with uid 0 (root) --> >> - <unix:path operation="pattern >> match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path> >> + <unix:path operation="pattern >> match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path> >> <unix:filename operation="pattern match">^.*$</unix:filename> >> <filter action="include">oval:ssg:ste:2182</filter> >> </unix:file_object> >> >> >> Verified it passes on my test system. >> >> Thanks, >> Rick Renshaw > > > I'm able to replicate: > >> $ sudo ./testcheck.py file_ownership_library_dirs.xml >> $ sudo vim /tmp/file_ownership_library_dirs4UFZxe.xml-results >> ...... >> <system_data> >> <unix-sys:file_item id="1300351" status="exists"> >> >> <unix-sys:filepath>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</unix-sys:filepath> >> <unix-sys:path>/usr/libexec</unix-sys:path> > > As Rick called out, /usr/libexec is artificially being scanned. >> $ sudo ./testcheck.py file_ownership_library_dirs.xml >> Evaluating with OVAL tempfile : /tmp/file_ownership_library_dirsKSd7er.xml >> Writing results to : /tmp/file_ownership_library_dirsKSd7er.xml-results >> Definition oval:scap-security-guide.testing:def:100: true >> Evaluation done. 
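Review bot: the trailing `\/` added to both patterns closes the `/usr/libexec` false match for the "library files" object (oval:ssg:obj:1863), but it breaks the "library directories" object (oval:ssg:obj:1862). That object has `<unix:filename xsi:nil="true"/>`, so its `<unix:path>` is meant to match the directories /lib, /lib64, /usr/lib and /usr/lib64 themselves, and an OVAL path item carries no trailing slash (compare `<unix-sys:path>/usr/libexec</unix-sys:path>` in the results above), so `^\/lib(|64)\/|^\/usr\/lib(|64)\/` matches none of the four and only hits subdirectories such as /lib/modules. The underlying defect is that the original alternatives are anchored only at the start, so `^\/usr\/lib` is a prefix of `/usr/libexec`; anchor the end instead of requiring a slash, e.g. `^\/lib(|64)$|^\/usr\/lib(|64)$` for the directory object and `^\/lib(|64)(\/|$)|^\/usr\/lib(|64)(\/|$)` for the files object. Minor style point: `(64)?` reads better than the empty alternative `(|64)`.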
>
> Acking and pushing this patch:
> https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=55b5ec008650ead4249edc6305196326aa09b2fd
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Jan Ruzicka
Senior Software Engineer
Comtech Mobile Datacom Corporation
20430 Century Blvd, Germantown, MD 20874
Office: 240-686-3300
Fax: 240-686-3301
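The disagreement in the thread comes down to which `<unix-sys:path>` values each pattern matches. The following script, added here as an editor's example and not code from the thread or from the scap-security-guide project, runs the original pattern, the patched pattern and a hypothetical end-anchored alternative (`^/(usr/)?lib(64)?(/.*)?$`, not proposed by anyone in the thread) over a constructed list of directory paths and reports the false positives and false negatives of each. It assumes that Python's `re` module matches these simple expressions the same way the PCRE-style engine of an OVAL scanner does, that OVAL "pattern match" is an unanchored search (hence the leading `^`), and that a directory's path is reported without a trailing slash, as the `/usr/libexec` result in the thread shows.

```python
import re

# Patterns from the thread: the original and the one in Rick's patch.
ORIGINAL = r"^\/lib(|64)|^\/usr\/lib(|64)"
PATCHED = r"^\/lib(|64)\/|^\/usr\/lib(|64)\/"
# Hypothetical alternative (assumption, not from the thread): match the four
# library directories exactly, or anything beneath them, and nothing else.
ANCHORED = r"^/(usr/)?lib(64)?(/.*)?$"

# Constructed sample of <unix-sys:path> values an OVAL file_object could see.
# OVAL reports a directory's path without a trailing slash, so the four
# top-level library directories appear bare.
SAMPLE_PATHS = [
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",      # the directories themselves
    "/lib/modules", "/usr/lib64/python2.6",          # subdirectories (should match)
    "/usr/libexec", "/lib64foo", "/usr/library",     # prefix collisions (must not match)
    "/var/lib", "/etc",                              # unrelated (must not match)
]

# What the OVAL comments say both objects are meant to cover: the four
# directories and everything inside them.
EXPECTED = {
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",
    "/lib/modules", "/usr/lib64/python2.6",
}


def matches(pattern, paths=SAMPLE_PATHS):
    """Paths the pattern matches. re.search mirrors an unanchored OVAL
    'pattern match' (assumption); the patterns anchor themselves with ^."""
    rx = re.compile(pattern)
    return {p for p in paths if rx.search(p)}


def audit(pattern, expected=EXPECTED, paths=SAMPLE_PATHS):
    """Return (false_positives, false_negatives) of a pattern against the
    intended set, each as a sorted list."""
    got = matches(pattern, paths)
    return sorted(got - expected), sorted(expected - got)


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("patched", PATCHED), ("anchored", ANCHORED)):
        fp, fn = audit(pat)
        print(f"{name:9s} false positives={fp} false negatives={fn}")
```

Running it shows the trade-off in the thread: the original pattern accepts `/usr/libexec` (and any other path starting with `/lib` or `/usr/lib`), the patched pattern rejects those but no longer matches `/lib`, `/lib64`, `/usr/lib` or `/usr/lib64` themselves, and the end-anchored pattern gets both groups right. Because in both OVAL objects the `<unix:path>` element holds a directory, one anchored pattern can serve the "library directories" and "library files" objects alike.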
