On 7/31/15 2:51 PM, Gabe Alford wrote:
Do you happen to generate and/or save an HTML report? You can generate a report, click on the "Verify that Shared Library Files have Restrictive Permissions" link, which should open a new window, and check out the "OVAL details" section, which should give you a list of the offending files.
+1. Need to see OVAL results to evaluate what files are being detected.

For reference, the underlying OVAL code looks like this:
(from shared/oval/file_permissions_library_dirs.xml)

  <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
    <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
    <unix:filename xsi:nil="true" />
    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
    <filter action="exclude">perms_state_symlink</filter>
  </unix:file_object>

  <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
    <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
    <unix:filename operation="pattern match">^.*$</unix:filename>
    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
    <filter action="exclude">perms_state_symlink</filter>
  </unix:file_object>

  <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
    <unix:gwrite datatype="boolean">true</unix:gwrite>
    <unix:owrite datatype="boolean">true</unix:owrite>
  </unix:file_state>

  <unix:file_state id="perms_state_symlink" version="1">
    <unix:type operation="equals">symbolic link</unix:type>
  </unix:file_state>


Symbolic links are being specifically excluded from /var/{lib lib64} and /{lib lib64}. Files that aren't symlinks are being evaluated for no group write and no world write.
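The same check done locally with find, as a shell function added here (not part of the thread or the SCAP Security Guide project): it lists every non-symlink entry under the four library directories that has the group-write or other-write bit set, which is what the two OVAL objects above would flag, so you can see the offending files without the HTML report. The optional root-prefix argument is an assumption added so the function can be pointed at a test tree.

```shell
#!/bin/sh
# List library directories and files that fail the "go-w" check.
# Optional $1 is a root prefix (assumption, for testing); default is "/".
find_writable_libs() {
  root="${1:-}"
  for d in "$root/lib" "$root/lib64" "$root/usr/lib" "$root/usr/lib64"; do
    [ -d "$d" ] || continue
    # ! -type l  : symlinks are excluded, like the perms_state_symlink filter
    # -g=w -o -o=w : group write OR other write, like the OR'd file_state
    find "$d" ! -type l \( -perm -g=w -o -perm -o=w \)
  done
}

# Count of offending entries; non-zero means the rule would fail.
count_writable_libs() {
  find_writable_libs "$1" | wc -l | tr -d ' '
}
```

Run `find_writable_libs` as root on the scanned host and compare its output with the OVAL details section of the report.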

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/