Hi, I am having an issue with OVAL test file_permissions_ungroupowned in CentOS 5. I believe it is a bug in the oscap version that is available in CentOS 5 (kind of old, v1.0.8).

Here is the procedure I am doing:

1. Download and build scap-security-guide for RHEL5 on my Fedora 23 machine; then copy the output to my CentOS 5 testing server:

wget https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz -O scap-security-guide-0.1.29.tar.gz
tar -zxf scap-security-guide-0.1.29.tar.gz
make -C scap-security-guide-0.1.29/RHEL/5 dist
scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:

Now on the CentOS 5 testing server, create a tailoring file to run the file_permissions_ungroupowned test alone:

cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
<?xml version="1.0" encoding="UTF-8"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_ssg-centos5_tailoring_xccdf">
  <version time="2016-06-14T19:50:57">1</version>
  <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
    <title>CentOS 5 [TAILORED]</title>
    <select idref="file_permissions_ungroupowned" selected="true"/>
  </Profile>
</Tailoring>
EOF

Create a file without a corresponding group in /etc/group:

touch /an_unowned_group_file
chgrp 4567 /an_unowned_group_file
find / -nogroup 2>/dev/null
/an_unowned_group_file   <-- Check that it is found

Finally run oscap:

oscap xccdf eval \
  --tailoring-file ssg-centos5-xccdf-tailoring.xml \
  --profile xccdf_my_profile_stig-centos5-upstream_tailored \
  --cpe content/ssg-rhel5-cpe-dictionary.xml \
  content/ssg-centos5-xccdf.xml

... and the output is:

Title   Ensure All Files Are Owned by a Group
Rule    file_permissions_ungroupowned
Ident   GEN001170
Result  pass

I would expect the test to fail since there is at least one file without an existing group. I took a look at the OVAL definition scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml but I do not see anything wrong.

Do you have any idea why this test is passing when it should fail?

Regards
--
Rodolfo Martínez

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
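
An independent cross-check for the scanner verdict described in the message above, as an added example that is not part of the original post or of scap-security-guide: it lists files whose numeric GID has no entry in a group file and compares that with a pass/fail result. The function names ungrouped_files and verdict_consistent are hypothetical, and GNU find, stat and awk are assumed; it reads only the given group file, whereas find -nogroup consults the system's group database.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# ungrouped_files ROOT [GROUP_FILE]
# Print every path under ROOT whose numeric GID is not defined in GROUP_FILE
# (default /etc/group). Stays on one filesystem (-xdev).
# Limitation: paths containing newlines are not handled.
ungrouped_files() {
    root=$1
    group_file=${2:-/etc/group}
    find "$root" -xdev -exec stat -c '%g %n' {} + 2>/dev/null |
    awk -v gf="$group_file" '
        BEGIN {
            # Load the known GIDs: third colon-separated field of each entry.
            while ((getline line < gf) > 0) {
                split(line, f, ":")
                if (f[3] ~ /^[0-9]+$/) known[f[3]] = 1
            }
        }
        {
            gid = $1
            if (!(gid in known)) {
                sub(/^[0-9]+ /, "")   # strip the GID, keep the full path
                print
            }
        }'
}

# verdict_consistent VERDICT ROOT [GROUP_FILE]
# VERDICT is the scanner result for the rule ("pass" or "fail").
# Returns 0 when it agrees with the independent check, 1 otherwise.
verdict_consistent() {
    verdict=$1
    shift
    if [ -n "$(ungrouped_files "$@")" ]; then
        expected=fail
    else
        expected=pass
    fi
    [ "$verdict" = "$expected" ]
}

# Usage on the test server (as root), with the result oscap printed:
#   verdict_consistent pass / || ungrouped_files /
```

A non-zero return from verdict_consistent means the scanner result and the file system disagree, which is the situation reported in the message.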
