It looks like I made a typo in one of the criteria that caused this issue. I fixed that and resubmitted.
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Tuesday, October 01, 2013 11:24 AM To: scap-security-guide@lists.fedorahosted.org Subject: Re: [PATCH] Added OVAL content for the file_ownership_binary_dirs rule as the file file_ownership_binary_dirs.xml and added the oval id to the corresponding XCCDF content in files.xml
You're encountering the same issue I did... perhaps I'm the LCD here... ;)
Check out results for /usr/local/bin below. I ran the following to ensure everything is root before testing:
[shawn@SSG-RHEL6 checks]$ sudo bash [root@SSG-RHEL6 checks]# DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin" [root@SSG-RHEL6 checks]# for dirPath in $DIRS; do
find $dirPath \! -user root -exec chown root '{}' \;
done
[root@SSG-RHEL6 checks]# exit exit [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsU1mqUp.xml Writing results to : /tmp/file_ownership_binary_dirsU1mqUp.xml-results Definition oval:scap-security-guide.testing:def:261: true Evaluation done.
On 10/1/13 10:06 AM, Caleb Cooper wrote:
Signed-off-by: Caleb Cooper <coopercd@ornl.gov>
---
RHEL6/input/checks/file_ownership_binary_dirs.xml | 163 +++++++++++++++++++++
1 files changed, 163 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/file_ownership_binary_dirs.xml
diff --git a/RHEL6/input/checks/file_ownership_binary_dirs.xml b/RHEL6/input/checks/file_ownership_binary_dirs.xml
new file mode 100644
index 0000000..b787191
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_binary_dirs.xml
@@ -0,0 +1,163 @@
+<def-group>
+ <definition class="compliance" id="file_ownership_binary_dirs" version="1">
+ <metadata>
+ <title>Verify that System Executables Have Root Ownership</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and objects therein, are owned by root</description>
+ <reference source="swells" ref_id="20130914" ref_url="test_attestation" />
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_ownership_bin_dir" />
+ <criterion test_ref="test_ownership_sbin_dir" />
+ <criterion test_ref="test_ownership_usr_bin_dir" />
+ <criterion test_ref="test_ownership_usr_sbin_dir" />
+ <criterion test_ref="test_ownership_usr_local_bin_dir" />
+ <criterion test_ref="test_ownership_usr_local_bin_dir" />
+ <criterion test_ref="test_ownership_bin_files" />
+ <criterion test_ref="test_ownership_sbin_files" />
+ <criterion test_ref="test_ownership_usr_bin_files" />
+ <criterion test_ref="test_ownership_usr_sbin_files" />
+ <criterion test_ref="test_ownership_usr_local_sbin_files" />
+ <criterion test_ref="test_ownership_usr_local_sbin_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/bin directories uid root" id="test_ownership_bin_dir" version="1">
+ <unix:object object_ref="file_ownership_object_bin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/bin files uid root" id="test_ownership_bin_files" version="1">
+ <unix:object object_ref="object_file_ownership_bin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/lib directories" id="file_ownership_object_bin_dir" version="1">
Minor note: lib/bin in comment
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/bin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/bin files" id="object_file_ownership_bin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/bin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
.... testing for non-root under /bin...... [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /bin/awk [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs6eQhsR.xml Writing results to : /tmp/file_ownership_binary_dirs6eQhsR.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
+ <unix:file_test check="all" check_existence="none_exist" comment="/sbin directories uid root" id="test_ownership_sbin_dir" version="1">
+ <unix:object object_ref="object_file_ownership_sbin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/sbin files uid root" id="test_ownership_sbin_files" version="1">
+ <unix:object object_ref="object_file_ownership_sbin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/sbin directories" id="object_file_ownership_sbin_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/sbin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/sbin files" id="object_file_ownership_sbin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/sbin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
..... testing for non-root under /sbin ..... [shawn@SSG-RHEL6 checks]$ sudo rm /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /sbin/addpart [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsu4wrQh.xml Writing results to : /tmp/file_ownership_binary_dirsu4wrQh.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin directories uid root" id="test_ownership_usr_bin_dir" version="1">
+ <unix:object object_ref="object_file_ownership_usr_bin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin files uid root" id="test_ownership_usr_bin_files" version="1">
+ <unix:object object_ref="object_file_ownership_usr_bin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/bin directories" id="object_file_ownership_usr_bin_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/bin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/bin files" id="object_file_ownership_usr_bin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/bin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
..... testing for non-root under /usr/bin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /bin/awk [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs2wHH6V.xml Writing results to : /tmp/file_ownership_binary_dirs2wHH6V.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin directories uid root" id="test_ownership_usr_sbin_dir" version="1">
+ <unix:object object_ref="object_file_ownership_usr_sbin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin files uid root" id="test_ownership_usr_sbin_files" version="1">
+ <unix:object object_ref="object_file_ownership_usr_sbin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/sbin directories" id="object_file_ownership_usr_sbin_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/sbin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/sbin files" id="object_file_ownership_usr_sbin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/sbin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
..... testing for non-root under /usr/sbin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /sbin/addpart [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsddwRzZ.xml Writing results to : /tmp/file_ownership_binary_dirsddwRzZ.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin directories uid root" id="test_ownership_usr_local_bin_dir" version="1">
+ <unix:object object_ref="object_file_ownership_usr_local_bin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin files uid root" id="test_ownership_usr_local_bin_files" version="1">
+ <unix:object object_ref="object_file_ownership_usr_local_bin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/local/bin directories" id="object_file_ownership_usr_local_bin_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/local/bin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
..... testing for non-root under /usr/local/bin ..... [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/bin/filetest ; sudo chown shawn:shawn /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsno1sSt.xml Writing results to : /tmp/file_ownership_binary_dirsno1sSt.xml-results Definition oval:scap-security-guide.testing:def:261: true Evaluation done. [shawn@SSG-RHEL6 checks]$ ll /usr/local/bin/filetest -rw-r--r--. 1 shawn shawn 0 Oct 1 00:09 /usr/local/bin/filetest
+
+ <unix:file_object comment="/usr/local/bin files" id="object_file_ownership_usr_local_bin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/local/bin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin directories uid root" id="test_ownership_usr_local_sbin_dir" version="1">
+ <unix:object object_ref="object_file_ownership_usr_local_sbin_dir" />
+ </unix:file_test>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin files uid root" id="test_ownership_usr_local_sbin_files" version="1">
+ <unix:object object_ref="object_file_ownership_usr_local_sbin_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="/usr/local/sbin directories" id="object_file_ownership_usr_local_sbin_dir" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/local/sbin</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="/usr/local/sbin files" id="object_file_ownership_usr_local_sbin_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
+ <unix:path operation="equals">/usr/local/sbin</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_not_root</filter>
+ </unix:file_object>
..... testing for non-root under /usr/local/sbin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/sbin/test ; sudo chown shawn:shawn /usr/local/sbin/test [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirszY6fXL.xml Writing results to : /tmp/file_ownership_binary_dirszY6fXL.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
+
+ <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!-- <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
+ <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+ </unix:file_state>
+</def-group>
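Review bot: The criteria block references `test_ownership_usr_local_bin_dir` twice and `test_ownership_usr_local_sbin_files` twice, so `test_ownership_usr_local_sbin_dir` and `test_ownership_usr_local_bin_files` are defined further down but never evaluated, and a non-root-owned file under /usr/local/bin (or directory under /usr/local/sbin) cannot make the definition fail. The second criterion of each pair should read `<criterion test_ref="test_ownership_usr_local_sbin_dir" />` and `<criterion test_ref="test_ownership_usr_local_bin_files" />`. Separately, `state_owner_not_root` compares only `unix:user_id` because the `unix:group_id` line is commented out, so a root-owned binary with a non-root group still passes; either restore that check or change the description to say the objects are user-owned by root so the narrower scope is explicit. The `xsi:nil="true"` on `unix:filename` presumably relies on the xsi prefix being declared by the enclosing OVAL document, since this fragment declares no namespaces itself; worth confirming in the build output.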