Good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks), and then commit the changes from the template list and also the resultant OVAL.
On 09/05/2012 12:39 PM, kstailey.lists@gmail.com wrote:
From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com
.../input/checks/file_permissions_etc_gshadow.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_etc_gshadow.xml b/RHEL6/input/checks/file_permissions_etc_gshadow.xml index d86a582..674f7bc 100644 --- a/RHEL6/input/checks/file_permissions_etc_gshadow.xml +++ b/RHEL6/input/checks/file_permissions_etc_gshadow.xml @@ -19,9 +19,9 @@ <unix:object object_ref="obj_20038" /> <unix:state state_ref="state_1000400" /> </unix:file_test>
- <unix:file_state id="state_1000400"
- <unix:file_state id="state_1000000" version="1">
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uread datatype="boolean">false</unix:uread> <unix:uwrite datatype="boolean">false</unix:uwrite> <unix:uexec datatype="boolean">false</unix:uexec> <unix:gread datatype="boolean">false</unix:gread>
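Review bot: the `unix:file_state` id shows up in this hunk as both `state_1000400` and `state_1000000`, while the unchanged `unix:file_test` context keeps `state_ref="state_1000400"`. Whichever id the patched file ends up with has to match that reference, otherwise the test points at a state that is not defined and the check cannot evaluate. The commit message only covers the mode change (`uread` going from `true` to `false`), so if the id change is intentional it should be mentioned there too. Since the stated goal is mode 0, also confirm that the permission entities after `gread` are all `false`; the visible context stops at that line.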