You're encountering the same issue I did... perhaps I'm the LCD here... ;)
Check out results for /usr/local/bin below. I ran the following to ensure everything is root before testing:
[shawn@SSG-RHEL6 checks]$ sudo bash [root@SSG-RHEL6 checks]# DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin" [root@SSG-RHEL6 checks]# for dirPath in $DIRS; do
find $dirPath \! -user root -exec chown root '{}' \;
done
[root@SSG-RHEL6 checks]# exit exit [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsU1mqUp.xml Writing results to : /tmp/file_ownership_binary_dirsU1mqUp.xml-results Definition oval:scap-security-guide.testing:def:261: true Evaluation done.
On 10/1/13 10:06 AM, Caleb Cooper wrote:
Signed-off-by: Caleb Cooper coopercd@ornl.gov
RHEL6/input/checks/file_ownership_binary_dirs.xml | 163 +++++++++++++++++++++ 1 files changed, 163 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/file_ownership_binary_dirs.xml
diff --git a/RHEL6/input/checks/file_ownership_binary_dirs.xml b/RHEL6/input/checks/file_ownership_binary_dirs.xml
new file mode 100644
index 0000000..b787191
--- /dev/null
+++ b/RHEL6/input/checks/file_ownership_binary_dirs.xml
@@ -0,0 +1,163 @@
+<def-group>
<definition class="compliance" id="file_ownership_binary_dirs" version="1">
<metadata>
<title>Verify that System Executables Have Root Ownership</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and objects therein, are owned by root</description>
<reference source="swells" ref_id="20130914" ref_url="test_attestation" />
</metadata>
<criteria operator="AND">
<criterion test_ref="test_ownership_bin_dir" />
<criterion test_ref="test_ownership_sbin_dir" />
<criterion test_ref="test_ownership_usr_bin_dir" />
<criterion test_ref="test_ownership_usr_sbin_dir" />
<criterion test_ref="test_ownership_usr_local_bin_dir" />
<criterion test_ref="test_ownership_usr_local_bin_dir" />
<criterion test_ref="test_ownership_bin_files" />
<criterion test_ref="test_ownership_sbin_files" />
<criterion test_ref="test_ownership_usr_bin_files" />
<criterion test_ref="test_ownership_usr_sbin_files" />
<criterion test_ref="test_ownership_usr_local_sbin_files" />
<criterion test_ref="test_ownership_usr_local_sbin_files" />
</criteria>
</definition>
- <unix:file_test check="all" check_existence="none_exist" comment="/bin directories uid root" id="test_ownership_bin_dir" version="1">
- <unix:object object_ref="file_ownership_object_bin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/bin files uid root" id="test_ownership_bin_files" version="1">
- <unix:object object_ref="object_file_ownership_bin_files" />
- </unix:file_test>
- <unix:file_object comment="/lib directories" id="file_ownership_object_bin_dir" version="1">
Minor note: lib/bin in comment
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/bin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_object comment="/bin files" id="object_file_ownership_bin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
.... testing for non-root under /bin...... [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /bin/awk [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs6eQhsR.xml Writing results to : /tmp/file_ownership_binary_dirs6eQhsR.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
- <unix:file_test check="all" check_existence="none_exist" comment="/sbin directories uid root" id="test_ownership_sbin_dir" version="1">
- <unix:object object_ref="object_file_ownership_sbin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/sbin files uid root" id="test_ownership_sbin_files" version="1">
- <unix:object object_ref="object_file_ownership_sbin_files" />
- </unix:file_test>
- <unix:file_object comment="/sbin directories" id="object_file_ownership_sbin_dir" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/sbin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_object comment="/sbin files" id="object_file_ownership_sbin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
..... testing for non-root under /sbin ..... [shawn@SSG-RHEL6 checks]$ sudo rm /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /sbin/addpart [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsu4wrQh.xml Writing results to : /tmp/file_ownership_binary_dirsu4wrQh.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin directories uid root" id="test_ownership_usr_bin_dir" version="1">
- <unix:object object_ref="object_file_ownership_usr_bin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/bin files uid root" id="test_ownership_usr_bin_files" version="1">
- <unix:object object_ref="object_file_ownership_usr_bin_files" />
- </unix:file_test>
- <unix:file_object comment="/usr/bin directories" id="object_file_ownership_usr_bin_dir" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/bin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_object comment="/usr/bin files" id="object_file_ownership_usr_bin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
..... testing for non-root under /usr/bin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /bin/awk [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirs2wHH6V.xml Writing results to : /tmp/file_ownership_binary_dirs2wHH6V.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin directories uid root" id="test_ownership_usr_sbin_dir" version="1">
- <unix:object object_ref="object_file_ownership_usr_sbin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/sbin files uid root" id="test_ownership_usr_sbin_files" version="1">
- <unix:object object_ref="object_file_ownership_usr_sbin_files" />
- </unix:file_test>
- <unix:file_object comment="/usr/sbin directories" id="object_file_ownership_usr_sbin_dir" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/sbin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_object comment="/usr/sbin files" id="object_file_ownership_usr_sbin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
..... testing for non-root under /usr/sbin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /sbin/addpart [shawn@SSG-RHEL6 checks]$ sudo chown shawn:shawn /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsddwRzZ.xml Writing results to : /tmp/file_ownership_binary_dirsddwRzZ.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin directories uid root" id="test_ownership_usr_local_bin_dir" version="1">
- <unix:object object_ref="object_file_ownership_usr_local_bin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/bin files uid root" id="test_ownership_usr_local_bin_files" version="1">
- <unix:object object_ref="object_file_ownership_usr_local_bin_files" />
- </unix:file_test>
- <unix:file_object comment="/usr/local/bin directories" id="object_file_ownership_usr_local_bin_dir" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/bin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
..... testing for non-root under /usr/local/bin ..... [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/bin/filetest ; sudo chown shawn:shawn /usr/local/bin/filetest [shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/bin/a2p [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirsno1sSt.xml Writing results to : /tmp/file_ownership_binary_dirsno1sSt.xml-results Definition oval:scap-security-guide.testing:def:261: true Evaluation done. [shawn@SSG-RHEL6 checks]$ ll /usr/local/bin/filetest -rw-r--r--. 1 shawn shawn 0 Oct 1 00:09 /usr/local/bin/filetest
- <unix:file_object comment="/usr/local/bin files" id="object_file_ownership_usr_local_bin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/bin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin directories uid root" id="test_ownership_usr_local_sbin_dir" version="1">
- <unix:object object_ref="object_file_ownership_usr_local_sbin_dir" />
- </unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="/usr/local/sbin files uid root" id="test_ownership_usr_local_sbin_files" version="1">
- <unix:object object_ref="object_file_ownership_usr_local_sbin_files" />
- </unix:file_test>
- <unix:file_object comment="/usr/local/sbin directories" id="object_file_ownership_usr_local_sbin_dir" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/sbin</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
- <unix:file_object comment="/usr/local/sbin files" id="object_file_ownership_usr_local_sbin_files" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
- <unix:path operation="equals">/usr/local/sbin</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_not_root</filter>
- </unix:file_object>
..... testing for non-root under /usr/local/sbin ..... [shawn@SSG-RHEL6 checks]$ sudo chown root:root /usr/sbin/accept [shawn@SSG-RHEL6 checks]$ sudo touch /usr/local/sbin/test ; sudo chown shawn:shawn /usr/local/sbin/test [shawn@SSG-RHEL6 checks]$ ./testcheck.py file_ownership_binary_dirs.xml Evaluating with OVAL tempfile : /tmp/file_ownership_binary_dirszY6fXL.xml Writing results to : /tmp/file_ownership_binary_dirszY6fXL.xml-results Definition oval:scap-security-guide.testing:def:261: false Evaluation done.
- <unix:file_state id="state_owner_not_root" version="1" operator="OR">
+<!-- <unix:group_id datatype="int" operation="not equal">0</unix:group_id> -->
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
- </unix:file_state>
+</def-group>
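Review bot: The criteria block lists `test_ownership_usr_local_bin_dir` twice and `test_ownership_usr_local_sbin_files` twice, so `test_ownership_usr_local_bin_files` and `test_ownership_usr_local_sbin_dir` are defined but never evaluated; that matches the /usr/local/bin run quoted above still returning true after a non-root file was placed there. Replace the second entry of each pair with `<criterion test_ref="test_ownership_usr_local_bin_files" />` and `<criterion test_ref="test_ownership_usr_local_sbin_dir" />`. Separately, the commented-out `unix:group_id` entity in `state_owner_not_root` means group ownership is never checked while the title and description speak of "ownership" in general; either remove the dead comment or state in the description that only the owning user is verified.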