1) This patch deletes the unused file_permissions_boot_grub_grub_conf.xml OVAL check (since the file_permissions_grub_conf.xml one is used instead of it).
2) Also updates file_permissions_grub_conf.xml - replaces path+filename with a filepath element & adds test_attestation. Tested on RHEL-6, and seems to be working properly. Please review.

Thank you && Regards, Jan.
-- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From f2c47c7c4f757f25d9e2a37266ecb4d078980dc7 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Wed, 25 Jun 2014 18:53:37 +0200 Subject: [PATCH] [RHEL/6] Delete unused file_permissions_boot_grub_grub_conf.xml OVAL check (file_permissions_grub_conf.xml is used instead) [RHEL/6] file_permissions_grub_conf.xml: * replace path+filename with filepath * equip with test_attestation Signed-off-by: Jan Lieskovsky <[email protected]> --- .../file_permissions_boot_grub_grub_conf.xml | 47 ---------------------- RHEL/6/input/checks/file_permissions_grub_conf.xml | 6 +-- 2 files changed, 3 insertions(+), 50 deletions(-) delete mode 100644 RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml diff --git a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml b/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml deleted file mode 100644 index da0afec..0000000 --- a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml +++ /dev/null 
@@ -1,47 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. --> - <definition class="compliance" id="file_permissions_boot_grub_grub_conf" version="1"> - <metadata> - <title>Verify /boot/grub/grub.conf Permissions</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>This test makes sure that /boot/grub/grub.conf is owned by 0, group owned by 0, and has mode 0600. If - the target file or directory has an extended ACL then it will fail the mode check.</description> - <reference source="swells" ref_id="20130831" ref_url="test_attestation"/> - </metadata> - <criteria> - <criterion test_ref="test_boot_grub_grub_conf" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="all_exist" comment="/boot/grub/grub.conf mode and ownership" id="test_boot_grub_grub_conf" version="1"> - <unix:object object_ref="object_boot_grub_grub_conf" /> - <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" /> - <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" /> - <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" /> - </unix:file_test> - <unix:file_object comment="/boot/grub/grub.conf" id="object_boot_grub_grub_conf" version="1"> - <unix:path>/boot/grub</unix:path> - <unix:filename>grub.conf</unix:filename> - </unix:file_object> - <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1"> - <unix:user_id datatype="int" operation="equals">0</unix:user_id> - </unix:file_state> - <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1"> - <unix:group_id datatype="int" operation="equals">0</unix:group_id> - </unix:file_state> - <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1"> - <unix:suid datatype="boolean">false</unix:suid> - <unix:sgid datatype="boolean">false</unix:sgid> - <unix:sticky datatype="boolean">false</unix:sticky> - <unix:uread datatype="boolean">true</unix:uread> - <unix:uwrite 
datatype="boolean">true</unix:uwrite> - <unix:uexec datatype="boolean">false</unix:uexec> - <unix:gread datatype="boolean">false</unix:gread> - <unix:gwrite datatype="boolean">false</unix:gwrite> - <unix:gexec datatype="boolean">false</unix:gexec> - <unix:oread datatype="boolean">false</unix:oread> - <unix:owrite datatype="boolean">false</unix:owrite> - <unix:oexec datatype="boolean">false</unix:oexec> - </unix:file_state> -</def-group> diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml b/RHEL/6/input/checks/file_permissions_grub_conf.xml index 3347a8b..3dc48db 100644 --- a/RHEL/6/input/checks/file_permissions_grub_conf.xml +++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>File permissions for /boot/grub/grub.conf should be set to 0600 (or stronger).</description> + <reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/> </metadata> <criteria> <criterion test_ref="test_file_permissions_grub_conf" /> @@ -17,9 +18,8 @@ <unix:state state_ref="state_file_permissions_grub_conf" /> </unix:file_test> - <unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" version="1"> - <unix:path>/boot/grub</unix:path> - <unix:filename>grub.conf</unix:filename> + <unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" version="2"> + <unix:filepath>/boot/grub/grub.conf</unix:filepath> </unix:file_object> <unix:file_state id="state_file_permissions_grub_conf" version="2"> -- 1.8.3.1
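Review bot: in the deletion hunk for file_permissions_boot_grub_grub_conf.xml, the removed file starts with "THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT.", so deleting it from the tree may not stick: unless the generator input that produces this check is removed as well, the next run of create_permission_checks.py will recreate the file. The same hunk also shows what the deleted definition enforced beyond the mode, namely `<unix:user_id datatype="int" operation="equals">0</unix:user_id>` and the matching group_id 0 state; the surviving file_permissions_grub_conf.xml only promises "0600 (or stronger)" in its description and its file_state body is outside this patch, so please confirm the retained check still asserts root ownership, otherwise the consolidation silently drops that assertion.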
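Review bot: in the @@ -6,6 +6,7 @@ hunk the added attestation uses source="JL" ref_id="RHEL6_20140625", while the attestation being deleted in the other file used source="swells" ref_id="20130831"; if the repository has a single convention for these records it is worth aligning before merge so attestations can be grepped uniformly. Separately, the deleted description spelled out a caveat the retained one does not ("If the target file or directory has an extended ACL then it will fail the mode check."); since that wording disappears with the deletion, consider carrying it into the description line in this hunk, which becomes the only place the behaviour is documented.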
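Review bot: in the @@ -17,9 +18,8 @@ hunk, replacing the path/filename pair with a single `<unix:filepath>/boot/grub/grub.conf</unix:filepath>` entity and bumping the file_object to version="2" is the right pattern, and because the object id is unchanged the existing test_ref resolves without further edits. Since the cover letter reports only a passing run, a quick negative check (temporarily loosening the file mode to 0644 and re-running the definition) would confirm the state still yields a fail result with the new object.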
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
