On Fri, Jun 17, 2016 at 12:47 PM, Shawn Wells <[email protected]> wrote:
>
> On 6/15/16 2:09 PM, Rodolfo Martínez wrote:
> > Here is the relevant part of the file_permissions_ungroupowned OVAL test:
> >
> > <unix:file_object comment="all local files"
> >   id="file_permissions_ungroupowned_object" version="1">
> >   <unix:behaviors recurse="directories" recurse_direction="down"
> >     max_depth="-1" recurse_file_system="local" />
> >   <unix:path operation="equals">/</unix:path>
> >   <unix:filename operation="pattern match">.*</unix:filename>
> >   <filter action="exclude">file_permissions_ungroupowned_list_match</filter>
> > </unix:file_object>
> >
> > If I create 'aaa' file in /tmp and change the GID to a non-existing group
> > in /etc/group, the test should fail, but it passes.
> >
> > If I change the file name pattern match from '.*' to 'a.*' or change the
> > path to /tmp, the test fails correctly.
> >
> > Is there any limitation in the amount of files that oscap can process?
> >
> > Thanks
> >
> > --
> > Rodolfo Martínez
> >
> > On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Martínez <[email protected]> wrote:
> > > Hi,
> > >
> > > I am having an issue with OVAL test file_permissions_ungroupowned in
> > > CentOS 5. I believe it is a bug in the oscap version that is available
> > > in CentOS 5 (kind of old, v1.0.8).
> > >
> > > Here is the procedure I am doing:
> > >
> > > 1. Download and build scap-security-guide for RHEL5 in my Fedora 23
> > > machine; then copy the output to my CentOS 5 testing server:
> > >
> > > wget https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz -O scap-security-guide-0.1.29.tar.gz
> > >
> > > tar -zxf scap-security-guide-0.1.29.tar.gz
> > >
> > > make -C scap-security-guide-0.1.29/RHEL/5 dist
> > >
> > > scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
> > >
> > > Now in the CentOS 5 testing server, create a tailoring file to run
> > > file_permissions_ungroupowned test alone:
> > >
> > > cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
> > >   id="xccdf_ssg-centos5_tailoring_xccdf">
> > >   <version time="2016-06-14T19:50:57">1</version>
> > >   <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
> > >     <title>CentOS 5 [TAILORED]</title>
> > >     <select idref="file_permissions_ungroupowned" selected="true"/>
> > >   </Profile>
> > > </Tailoring>
> > > EOF
> > >
> > > Create a file without corresponding group in /etc/group:
> > >
> > > touch /an_unowned_group_file
> > >
> > > chgrp 4567 /an_unowned_group_file
> > >
> > > find / -nogroup 2>/dev/null
> > > /an_unowned_group_file <-- Check that it is found
> > >
> > > Finally run oscap:
> > >
> > > oscap xccdf eval \
> > >   --tailoring-file ssg-centos5-xccdf-tailoring.xml \
> > >   --profile xccdf_my_profile_stig-centos5-upstream_tailored \
> > >   --cpe content/ssg-rhel5-cpe-dictionary.xml \
> > >   content/ssg-centos5-xccdf.xml
> > >
> > > ... and output is:
> > >
> > > Title   Ensure All Files Are Owned by a Group
> > > Rule    file_permissions_ungroupowned
> > > Ident   GEN001170
> > > Result  pass
> > >
> > > I would expect that the test fails since there is at least one file
> > > without existing group.
> > >
> > > I took a look at the OVAL definition
> > > scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml
> > > but I do not see anything wrong.
> > >
> > > Do you have any idea why this test is passing when it should fail?
> > >
> > > Regards
> > >
>
> Hi Rodolfo,
>
> Thanks for reporting this! I've updated the RHEL5 content to use the
> updated file_permissions_ungroupowned check:
> https://github.com/OpenSCAP/scap-security-guide/pull/1296
>
> That should get merged in the next few days pending peer review. If
> you could test the PR and verify this works for you, that'd be great!
>
> Shawn
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
> https://github.com/OpenSCAP/scap-security-guide/

Hi Shawn,

I think the problem is not with the OVAL definition, the shared and RHEL5
versions are practically the same. I think the issue is in oscap.

Below is the test of the PR. It is still not working correctly.

# touch /tmp/ungroupedowned_file
# chgrp 4567 /tmp/ungroupedowned_file
# find / -nogroup 2>/dev/null
/tmp/ungroupedowned_file <== Confirmation that it is an ungrouped owned file
# oscap xccdf eval \
  --tailoring-file ssg-centos5-xccdf-tailoring.xml \
  --profile xccdf_my_profile_stig-centos5-upstream_tailored \
  --cpe content/ssg-rhel5-cpe-dictionary.xml \
  content/ssg-centos5-xccdf.xml

Title   Ensure All Files Are Owned by a Group
Rule    file_permissions_ungroupowned
Ident   GEN001170
Result  pass <== It should fail

Same OVAL definition is working fine in RHEL/CentOS 6 and 7 with openscap-1.2.x

--
Rodolfo Martínez
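The script below is an added example, not code from this thread or from scap-security-guide. It re-implements what the quoted unix:file_object asks oscap to do (recurse down from / on the local file system with no depth limit, then keep only entries whose GID has no group entry) so that a "pass" like the one above can be cross-checked independently of the oscap version; the names walk_local and ungroupowned are this example's own.

```python
#!/usr/bin/env python3
# Independent cross-check for file_permissions_ungroupowned (example code,
# not from the thread or scap-security-guide). Reproduces the quoted OVAL
# object: recurse="directories" down from "/", max_depth="-1" (no limit),
# recurse_file_system="local" (do not cross mount points), then keep only
# entries whose GID is absent from the group database, i.e. `find / -nogroup`.
import grp
import os
from typing import Iterable, Iterator, List, Set, Tuple

Entry = Tuple[str, int]  # (path, gid)


def known_gids() -> Set[int]:
    """Every GID present in the group database (what the OVAL filter consults)."""
    return {g.gr_gid for g in grp.getgrall()}


def ungroupowned(entries: Iterable[Entry], gids: Set[int]) -> List[str]:
    """Pure check: keep paths whose GID has no group entry. This is the
    complement of the OVAL filter, which *excludes* group-owned files."""
    return [path for path, gid in entries if gid not in gids]


def walk_local(root: str) -> Iterator[Entry]:
    """Yield (path, gid) for every entry below root, never following symlinks
    and never descending into a directory on a different file system."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, name)).st_dev == root_dev:
                    keep.append(name)
            except OSError:
                pass  # entry vanished or is unreadable; skip it
        dirnames[:] = keep  # prune in place so os.walk honours the decision
        for name in keep + filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_gid
            except OSError:
                continue


if __name__ == "__main__":
    # Same question the rule asks; a non-empty list means the rule must fail.
    for path in ungroupowned(walk_local("/"), known_gids()):
        print(path)
```

Run as root for a full view of /; any path it prints while oscap still reports "pass" points at the scanner rather than at the OVAL content.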
