The proposed patch replaces rsyslog_files_permissions OVAL unknown test stub with actual check implementation.
The check: * first searches /etc/rsyslog.conf for (uncommented) /var/log/* log file paths and stores these paths in a list, * then selects only the file objects (from all those on the system) whose path matches one of the selected ones, * lastly compares (via a file object state) whether the permissions are 0600 or stronger. The change has been tested on both RHEL-6 and RHEL-7 and seems to work properly (so the patch proposal also updates the test_attestations, creates the links and moves the test to shared). Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From ac3614fd9dce1960e6b99fadf5c16106fe82539e Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 20 Jun 2014 11:40:54 +0200
Subject: [PATCH] [RHEL/6, RHEL/7, shared] Replace rsyslog_files_permissions OVAL unknown test stub with actual check implementation
Signed-off-by: Jan Lieskovsky <[email protected]>
---
RHEL/6/input/checks/rsyslog_files_permissions.xml | 22 +------
RHEL/6/input/system/logging.xml | 2 +-
RHEL/7/input/checks/rsyslog_files_permissions.xml | 1 +
RHEL/7/input/system/logging.xml | 2 +-
shared/oval/rsyslog_files_permissions.xml | 71 +++++++++++++++++++++++
5 files changed, 75 insertions(+), 23 deletions(-)
mode change 100644 => 120000 RHEL/6/input/checks/rsyslog_files_permissions.xml
create mode 120000 RHEL/7/input/checks/rsyslog_files_permissions.xml
create mode 100644 shared/oval/rsyslog_files_permissions.xml
diff --git a/RHEL/6/input/checks/rsyslog_files_permissions.xml b/RHEL/6/input/checks/rsyslog_files_permissions.xml
deleted file mode 100644
index 71ea5aa..0000000
--- a/RHEL/6/input/checks/rsyslog_files_permissions.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="rsyslog_files_permissions" version="1">
- <metadata>
- <title>Confirm Existence and Permissions of System Log
- Files</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>File permissions for all syslog log files should
- be set correctly.</description>
- </metadata>
- <criteria>
- <criterion comment="check permissions of all syslog log files"
- test_ref="test_rsyslog_files_permissions" />
- </criteria>
- </definition>
- <ind:unknown_test check="all"
- comment="use extended content to evaluated this test"
- id="test_rsyslog_files_permissions" version="1" />
-</def-group>
diff --git a/RHEL/6/input/checks/rsyslog_files_permissions.xml b/RHEL/6/input/checks/rsyslog_files_permissions.xml
new file mode 120000
index 0000000..dad5e05
--- /dev/null
+++ b/RHEL/6/input/checks/rsyslog_files_permissions.xml
@@ -0,0 +1 @@
+../../../../shared/oval/rsyslog_files_permissions.xml
\ No newline at end of file
diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml
index c7fc389..baf9bfc 100644
--- a/RHEL/6/input/system/logging.xml
+++ b/RHEL/6/input/system/logging.xml
@@ -185,7 +185,7 @@ users could change the logged data, eliminating their forensic value. <ident cce="27190-8" /> <oval id="rsyslog_files_permissions" /> <ref nist="" disa="1314"/> -<tested by="DS" on="20121024"/> +<tested by="JL" on="20140620"/> </Rule> </Group>
diff --git a/RHEL/7/input/checks/rsyslog_files_permissions.xml b/RHEL/7/input/checks/rsyslog_files_permissions.xml
new file mode 120000
index 0000000..dad5e05
--- /dev/null
+++ b/RHEL/7/input/checks/rsyslog_files_permissions.xml
@@ -0,0 +1 @@
+../../../../shared/oval/rsyslog_files_permissions.xml
\ No newline at end of file
diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml
index 993d214..8b08ea4 100644
--- a/RHEL/7/input/system/logging.xml
+++ b/RHEL/7/input/system/logging.xml
@@ -185,7 +185,7 @@ users could change the logged data, eliminating their forensic value. <ident cce="RHEL7-CCE-TBD" /> <oval id="rsyslog_files_permissions" /> <ref nist="" disa="1314"/> -<tested by="DS" on="20121024"/> +<tested by="JL" on="20140620"/> </Rule> </Group>
diff --git a/shared/oval/rsyslog_files_permissions.xml b/shared/oval/rsyslog_files_permissions.xml
new file mode 100644
index 0000000..d8113ed
--- /dev/null
+++ b/shared/oval/rsyslog_files_permissions.xml
@@ -0,0 +1,71 @@
+<def-group>
+ <definition class="compliance" id="rsyslog_files_permissions" version="1">
+ <metadata>
+ <title>Confirm Existence and Permissions of System Log Files</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>File permissions for all syslog log files should be set correctly.</description>
+ <reference source="JL" ref_id="RHEL6_20140620" ref_url="test_attestation" />
+ <reference source="JL" ref_id="RHEL7_20140620" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion comment="check permissions of all rsyslog log files"
+ test_ref="test_rsyslog_files_permissions" />
+ </criteria>
+ </definition>
+
+ <!-- First get list of paths of log files configured in /etc/rsyslog.conf
+ and store them into variable. Then turn these paths into file objects.
+ Lastly check if file permissions of these selected file objects are 0600
+ or stronger.
+
+ Result: True if all log files retrieved from /etc/rsyslog.conf have
+ permissions 0600 or stronger, False otherwise
+ -->
+ <unix:file_test id="test_rsyslog_files_permissions" version="1" check="all"
+ check_existence="all_exist" comment="Test rsyslog log files permissions">
+ <unix:object object_ref="object_rsyslog_file_permissions" />
+ <unix:state state_ref="state_rsyslog_file_permissions" />
+ </unix:file_test>
+
+ <ind:textfilecontent54_object id="object_log_files_from_rsyslog_conf"
+ version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <!-- Select all (uncommented) /var/log/* files path entries present in
+ /etc/rsyslog.conf
+ -->
+ <ind:pattern operation="pattern match">^[^#]+[\s][-]?(\/var\/log\/.*)</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- Store the selected log files list into variable -->
+ <local_variable id="variable_rsyslog_log_files_list" version="1"
+ datatype="string" comment="list of rsyslog log files">
+ <object_component item_field="subexpression" object_ref="object_log_files_from_rsyslog_conf" />
+ </local_variable>
+
+ <!-- From all the system file objects select only those having filepath
+ matching some of the previously selected paths stored in log files
+ list
+ -->
+ <unix:file_object id="object_rsyslog_file_permissions" version="1" comment="rsyslog log files">
+ <unix:filepath var_ref="variable_rsyslog_log_files_list" var_check="at least one" />
+ </unix:file_object>
+
+ <unix:file_state id="state_rsyslog_file_permissions" version="1"
+ comment="permissions are 0600 or stronger">
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:uexec datatype="boolean">false</unix:uexec>
+ <unix:gread datatype="boolean">false</unix:gread>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:gexec datatype="boolean">false</unix:gexec>
+ <unix:oread datatype="boolean">false</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+
+</def-group>
-- 
1.8.3.1
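Review bot: The textfilecontent54 object parses only `/etc/rsyslog.conf`, so a `/var/log/*` destination configured in a drop-in under `/etc/rsyslog.d/` (which the stock RHEL rsyslog.conf pulls in via `$IncludeConfig /etc/rsyslog.d/*.conf`, as far as I recall) is never collected, and a world-readable log file defined there passes this check silently. Replacing the `<ind:filepath>` entity with `<ind:path operation="pattern match">^/etc/rsyslog(\.d)?$</ind:path>` and `<ind:filename operation="pattern match">^.*\.conf$</ind:filename>` covers both locations with the same pattern. Second, the capture group `(\/var\/log\/.*)` swallows the rest of the line, so a trailing `;TemplateName` or trailing whitespace yields a filepath that does not exist and, with `check_existence="all_exist"`, a spurious fail rather than a real finding; `^[^#]+\s-?(\/var\/log\/[^\s;]+)` stops at the path. RHEL 7 RainerScript actions such as `action(type="omfile" file="/var/log/x")` are not matched either, since a quote rather than whitespace precedes the path, so the header comment should state that only legacy-format selector lines are covered until that syntax is handled.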
