Here is the relevant part of the file_permissions_ungroupowned OVAL
test:
    <unix:file_object comment="all local files"
                      id="file_permissions_ungroupowned_object" version="1">
      <unix:behaviors recurse="directories" recurse_direction="down"
                      max_depth="-1" recurse_file_system="local" />
      <unix:path operation="equals">/</unix:path>
      <unix:filename operation="pattern match">.*</unix:filename>
      <filter action="exclude">file_permissions_ungroupowned_list_match</filter>
    </unix:file_object>
If I create an 'aaa' file in /tmp and change the GID to a non-existing
group in /etc/group, the test should fail, but it passes.
If I change the file name pattern match from '.*' to 'a.*' or change
the path to /tmp, the test fails correctly.
Is there any limitation on the number of files that oscap can process?
Thanks
--
Rodolfo Martínez
On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Martínez <rmtzcx(a)gmail.com> wrote:
Hi,
I am having an issue with OVAL test file_permissions_ungroupowned
in CentOS 5. I believe it is a bug in the oscap version that is
available in CentOS 5 (kind of old, v1.0.8).
Here is the procedure I am doing:
1. Download and build scap-security-guide for RHEL5 in my Fedora
23 machine; then copy the output to my CentOS 5 testing server:
    wget https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz \
        -O scap-security-guide-0.1.29.tar.gz
    tar -zxf scap-security-guide-0.1.29.tar.gz
    make -C scap-security-guide-0.1.29/RHEL/5 dist
    scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
Now in the CentOS 5 testing server, create a tailoring file to run
file_permissions_ungroupowned test alone:
    cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
    <?xml version="1.0" encoding="UTF-8"?>
    <Tailoring
        xmlns="http://checklists.nist.gov/xccdf/1.2"
        id="xccdf_ssg-centos5_tailoring_xccdf">
      <version time="2016-06-14T19:50:57">1</version>
      <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
        <title>CentOS 5 [TAILORED]</title>
        <select idref="file_permissions_ungroupowned"
                selected="true"/>
      </Profile>
    </Tailoring>
    EOF
Create a file without corresponding group in /etc/group:
    touch /an_unowned_group_file
    chgrp 4567 /an_unowned_group_file
    find / -nogroup 2>/dev/null
    /an_unowned_group_file    <-- check that it is found
Finally run oscap:
oscap xccdf eval \
--tailoring-file ssg-centos5-xccdf-tailoring.xml \
--profile xccdf_my_profile_stig-centos5-upstream_tailored \
--cpe content/ssg-rhel5-cpe-dictionary.xml \
content/ssg-centos5-xccdf.xml
... and output is:
Title Ensure All Files Are Owned by a Group
Rule file_permissions_ungroupowned
Ident GEN001170
Result pass
I would expect that the test fails since there is at least one
file without existing group.
I took a look at the OVAL definition
scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml
but I do not see anything wrong.
Do you have any idea why this test is passing when it should fail?
Regards
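An independent cross-check for the condition the rule describes, added here as an example and not part of the thread, of oscap or of scap-security-guide: it walks a tree the way the OVAL file_object above is declared to (downward, unlimited depth, local filesystem only, symlinks not followed) and reports every entry whose GID has no entry in the group database, which is the same question `find / -nogroup` answers. The `known_gid` hook and the sample tree built by `make_sample_tree` are assumptions so the scan can be exercised offline without root or a real orphaned GID.

```python
import grp
import os
import tempfile


def gid_exists(gid):
    """True if gid has an entry in the group database (what `find -nogroup` consults)."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def find_ungroupowned(root, known_gid=gid_exists, local_only=True):
    """Walk `root` recursively (the equivalent of recurse_direction="down",
    max_depth="-1") and return every entry whose group id is unknown.
    With local_only=True, directories on other filesystems are not entered,
    mirroring recurse_file_system="local". Symlinks are not followed, and
    lstat is used so the link itself, not its target, is examined.
    `known_gid` is an assumed hook (default: the real group database) so the
    scan can be tested with a constructed tree."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if local_only:
            keep = []
            for d in dirnames:
                try:
                    if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                        keep.append(d)
                except OSError:
                    pass  # unreadable entry: skip it rather than abort the scan
            dirnames[:] = keep  # pruning in place steers os.walk
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable since listing
            if not known_gid(st.st_gid):
                hits.append(path)
    return hits


def verdict(hits):
    """The XCCDF result the rule should report: any hit means 'fail'."""
    return "fail" if hits else "pass"


def make_sample_tree():
    """Constructed sample tree (not from the thread): root/top.txt and
    root/sub/nested.txt, created in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="ungroupowned-")
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("top.txt", os.path.join("sub", "nested.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = find_ungroupowned(scan_root)
    for p in found:
        print(p)
    print("Result", verdict(found))
```

Run as root with no argument to scan from `/` the way the OVAL object does; the list it prints should match `find / -nogroup`, and `verdict` gives the result the rule is expected to report, so a `pass` from oscap while this script lists entries points at the scanner rather than at the content.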
Hi Rodolfo,
Thanks for reporting this! I've updated the RHEL5 content to use
the updated file_permissions_ungroupowned check:
That should get merged in the next few days pending peer review. If
you could test the PR and verify this works for you, that'd be great!
Shawn