Here is the relevant part of the file_permissions_ungroupowned OVAL test:
<unix:file_object comment="all local files"
id="file_permissions_ungroupowned_object" version="1">
<unix:behaviors recurse="directories" recurse_direction="down"
max_depth="-1" recurse_file_system="local" />
<unix:path operation="equals">/</unix:path>
<unix:filename operation="pattern match">.*</unix:filename>
<filter
action="exclude">file_permissions_ungroupowned_list_match</filter>
</unix:file_object>
If I create 'aaa' file in /tmp and chage the GID to a non-existing group in
/etc/group, the test should fail, but it passes.
If I change the file name pattern match from '.*' to 'a.*' or change the
path to /tmp, the test fails correctly.
Is there any limitation in the amount of files that oscap can process?
Thanks
--
Rodolfo Martínez
On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Martínez <[email protected]> wrote:
> Hi,
>
> I am having an issue with OVAL test file_permissions_ungroupowned in
> CentOS 5. I believe it is a bug in the oscap version that it is available
> in CentOS 5 (kind of old, v1.0.8).
>
> Here is the procedure I am doing:
>
> 1. Download and build scap-security-guide for RHEL5 in my Fedora 23
> machine; then copy the output to my CentOS 5 testing server:
>
> wget
> https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz -O
> scap-security-guide-0.1.29.tar.gz
>
> tar -zxf scap-security-guide-0.1.29.tar.gz
>
> make -C scap-security-guide-0.1.29/RHEL/5 dist
>
> scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
>
> Now in the CentOS 5 testing server, create a tailoring file to run
> file_permissions_ungroupowned test alone:
>
> cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
> <?xml version="1.0" encoding="UTF-8"?>
> <Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2";
> id="xccdf_ssg-centos5_tailoring_xccdf">
> <version time="2016-06-14T19:50:57">1</version>
> <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
> <title>CentOS 5 [TAILORED]</title>
> <select idref="file_permissions_ungroupowned" selected="true"/>
> </Profile>
> </Tailoring>
> EOF
>
> Create a file without corresponding group in /etc/group:
>
> touch /an_unowned_group_file
>
> chgrp 4567 /an_unowned_group_file
>
> find / -nogroup 2>/dev/null
> /an_unowned_group_file <-- Check that it is found
>
>
> Finally run oscap:
>
> oscap xccdf eval \
> --tailoring-file ssg-centos5-xccdf-tailoring.xml \
> --profile xccdf_my_profile_stig-centos5-upstream_tailored \
> --cpe content/ssg-rhel5-cpe-dictionary.xml \
> content/ssg-centos5-xccdf.xml
>
> ... and output is:
>
> Title Ensure All Files Are Owned by a Group
> Rule file_permissions_ungroupowned
> Ident GEN001170
> Result pass
>
> I would expect that the test fails since there is at least one file
> without existing group.
>
> I took a look at the OVAL definition
> scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml
> but I do not see anything wrong.
>
> Do you have any idea why this test is passing when it should fail?
>
> Regards
>
> --
> Rodolfo Martínez
>
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
