On 6/25/14, 1:02 PM, Jan Lieskovsky wrote:
1) This patch deletes the unused file_permissions_boot_grub_grub_conf.xml OVAL
check (the file_permissions_grub_conf.xml check is used in its place).

2) Also updates file_permissions_grub_conf.xml: replaces the path+filename pair with
    a single filepath element and adds a test_attestation reference.

Tested on RHEL-6, and seems to be working properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-Delete-unused-file_permissions_boot_grub_grub.patch


 From f2c47c7c4f757f25d9e2a37266ecb4d078980dc7 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Wed, 25 Jun 2014 18:53:37 +0200
Subject: [PATCH] [RHEL/6] Delete unused
  file_permissions_boot_grub_grub_conf.xml OVAL check
  (file_permissions_grub_conf.xml is used instead)

[RHEL/6] file_permissions_grub_conf.xml:
          * replace path+filename with filepath
          * equip with test_attestation

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  .../file_permissions_boot_grub_grub_conf.xml       | 47 ----------------------
  RHEL/6/input/checks/file_permissions_grub_conf.xml |  6 +--
  2 files changed, 3 insertions(+), 50 deletions(-)
  delete mode 100644 
RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml

diff --git a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml 
b/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml
deleted file mode 100644
index da0afec..0000000
--- a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_permission_checks.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="file_permissions_boot_grub_grub_conf" 
version="1">
-    <metadata>
-      <title>Verify /boot/grub/grub.conf Permissions</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>This test makes sure that /boot/grub/grub.conf is owned by 
0, group owned by 0, and has mode 0600. If
-      the target file or directory has an extended ACL then it will fail the mode 
check.</description>
-      <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_boot_grub_grub_conf" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist" comment="/boot/grub/grub.conf mode and 
ownership" id="test_boot_grub_grub_conf" version="1">
-    <unix:object object_ref="object_boot_grub_grub_conf" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" />
-  </unix:file_test>
-  <unix:file_object comment="/boot/grub/grub.conf" id="object_boot_grub_grub_conf" 
version="1">
-    <unix:path>/boot/grub</unix:path>
-    <unix:filename>grub.conf</unix:filename>
-  </unix:file_object>
-  <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1">
-    <unix:user_id datatype="int" operation="equals">0</unix:user_id>
-  </unix:file_state>
-  <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1">
-    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
-  </unix:file_state>
-  <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1">
-       <unix:suid datatype="boolean">false</unix:suid>
-       <unix:sgid datatype="boolean">false</unix:sgid>
-       <unix:sticky datatype="boolean">false</unix:sticky>
-       <unix:uread datatype="boolean">true</unix:uread>
-       <unix:uwrite datatype="boolean">true</unix:uwrite>
-       <unix:uexec datatype="boolean">false</unix:uexec>
-       <unix:gread datatype="boolean">false</unix:gread>
-       <unix:gwrite datatype="boolean">false</unix:gwrite>
-       <unix:gexec datatype="boolean">false</unix:gexec>
-       <unix:oread datatype="boolean">false</unix:oread>
-       <unix:owrite datatype="boolean">false</unix:owrite>
-       <unix:oexec datatype="boolean">false</unix:oexec>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml 
b/RHEL/6/input/checks/file_permissions_grub_conf.xml
index 3347a8b..3dc48db 100644
--- a/RHEL/6/input/checks/file_permissions_grub_conf.xml
+++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml
@@ -6,6 +6,7 @@
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>File permissions for /boot/grub/grub.conf should be set to 0600 
(or stronger).</description>
+      <reference source="JL" ref_id="RHEL6_20140625" 
ref_url="test_attestation"/>
      </metadata>
      <criteria>
        <criterion test_ref="test_file_permissions_grub_conf" />
@@ -17,9 +18,8 @@
      <unix:state state_ref="state_file_permissions_grub_conf" />
    </unix:file_test>
- <unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" version="1">
-    <unix:path>/boot/grub</unix:path>
-    <unix:filename>grub.conf</unix:filename>
+  <unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" 
version="2">
+    <unix:filepath>/boot/grub/grub.conf</unix:filepath>
    </unix:file_object>
<unix:file_state id="state_file_permissions_grub_conf" version="2">
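Review bot: The retained check's description still promises `0600 (or stronger)`, but whether `state_file_permissions_grub_conf` actually accepts a stricter mode cannot be confirmed from this hunk, because the state body lies outside it. The mode state used by the deleted check asserted `uread`/`uwrite` as `true`, so a hardened 0400 grub.conf would fail that form; if the surviving state is written the same way, the description overstates what the check accepts. Worth confirming that the owner bits are left unasserted and only the group/other/setuid bits are pinned to `false`, or else tightening the description to `exactly 0600`. Note also that the `file_test` attributes (`check`, `check_existence`) that govern how a missing `/boot/grub/grub.conf` evaluates with the new fixed `filepath` are outside the hunk, so the "tested on RHEL-6" claim should be read as covering the present-file case only unless the absent-file result was also checked.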
-- 1.8.3.1

ack


--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells

