On 6/15/16 2:09 PM, Rodolfo Martínez wrote:
Here is the relevant part of the file_permissions_ungroupowned OVAL test:
<unix:file_object comment="all local files"
                  id="file_permissions_ungroupowned_object" version="1">
  <unix:behaviors recurse="directories" recurse_direction="down"
                  max_depth="-1" recurse_file_system="local" />
  <unix:path operation="equals">/</unix:path>
  <unix:filename operation="pattern match">.*</unix:filename>
  <filter action="exclude">file_permissions_ungroupowned_list_match</filter>
</unix:file_object>
If I create an 'aaa' file in /tmp and change the GID to a non-existing group
in /etc/group, the test should fail, but it passes.
If I change the file name pattern match from '.*' to 'a.*' or change the
path to /tmp, the test fails correctly.
Is there any limitation in the amount of files that oscap can process?
Thanks
--
Rodolfo Martínez
On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Martínez <rmtzcx(a)gmail.com> wrote:
> Hi,
>
> I am having an issue with OVAL test file_permissions_ungroupowned in
> CentOS 5. I believe it is a bug in the oscap version that it is available
> in CentOS 5 (kind of old, v1.0.8).
>
> Here is the procedure I am doing:
>
> 1. Download and build scap-security-guide for RHEL5 in my Fedora 23
> machine; then copy the output to my CentOS 5 testing server:
>
> wget https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz -O scap-security-guide-0.1.29.tar.gz
>
> tar -zxf scap-security-guide-0.1.29.tar.gz
>
> make -C scap-security-guide-0.1.29/RHEL/5 dist
>
> scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
>
> Now in the CentOS 5 testing server, create a tailoring file to run
> file_permissions_ungroupowned test alone:
>
> cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
> <?xml version="1.0" encoding="UTF-8"?>
> <Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
>            id="xccdf_ssg-centos5_tailoring_xccdf">
>   <version time="2016-06-14T19:50:57">1</version>
>   <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
>     <title>CentOS 5 [TAILORED]</title>
>     <select idref="file_permissions_ungroupowned" selected="true"/>
>   </Profile>
> </Tailoring>
> EOF
>
> Create a file without corresponding group in /etc/group:
>
> touch /an_unowned_group_file
>
> chgrp 4567 /an_unowned_group_file
>
> find / -nogroup 2>/dev/null
> /an_unowned_group_file <-- Check that it is found
>
>
> Finally run oscap:
>
>
> oscap xccdf eval \
> --tailoring-file ssg-centos5-xccdf-tailoring.xml \
> --profile xccdf_my_profile_stig-centos5-upstream_tailored \
> --cpe content/ssg-rhel5-cpe-dictionary.xml \
> content/ssg-centos5-xccdf.xml
>
> ... and output is:
>
> Title Ensure All Files Are Owned by a Group
> Rule file_permissions_ungroupowned
> Ident GEN001170
> Result pass
>
> I would expect that the test fails since there is at least one file
> without existing group.
>
> I took a look at the OVAL definition
> scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml
> but I do not see anything wrong.
>
> Do you have any idea why this test is passing when it should fail?
>
> Regards
>
Hi Rodolfo,
Thanks for reporting this! I've updated the RHEL5 content to use the
updated file_permissions_ungroupowned check:
https://github.com/OpenSCAP/scap-security-guide/pull/1296
That should get merged in the next few days pending peer review. If
you could test the PR and verify this works for you, that'd be great!
Shawn
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedo...
https://github.com/OpenSCAP/scap-security-guide/
Hi Shawn,
I think the problem is not with the OVAL definition; the shared and RHEL5
versions are practically the same. I think the issue is in oscap. Below is
the test of the PR. It is still not working correctly.
# touch /tmp/ungroupedowned_file
# chgrp 4567 /tmp/ungroupedowned_file
# find / -nogroup 2>/dev/null
/tmp/ungroupedowned_file <== Confirmation that it is an ungroup-owned file
# oscap xccdf eval \
--tailoring-file ssg-centos5-xccdf-tailoring.xml \
--profile xccdf_my_profile_stig-centos5-upstream_tailored \
--cpe content/ssg-rhel5-cpe-dictionary.xml \
content/ssg-centos5-xccdf.xml
Title Ensure All Files Are Owned by a Group
Rule file_permissions_ungroupowned
Ident GEN001170
Result pass <== It should fail
Same OVAL definition is working fine in RHEL/CentOS 6 and 7 with
openscap-1.2.x
--
Rodolfo Martínez
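As an added illustration (not part of the thread, and not code from openscap or scap-security-guide), the script below reproduces the logic of the file_permissions_ungroupowned object independently of oscap, so that a scanner result can be cross-checked the way `find / -nogroup` was used above. It parses /etc/group-format text for known GIDs, selects files the way the unix:file_object does (path, recurse down, max_depth -1 for unlimited, filename regex) and reports the selected files whose GID is not in the group database. The function names, the sample group file and the sample file inventory are constructed here; treating OVAL "pattern match" as an unanchored regex search is an assumption, and the live scan does not implement recurse_file_system="local", so it will cross into network mounts where oscap would not.

```python
import grp
import os
import re

# Constructed /etc/group sample for the offline check (not taken from the thread).
SAMPLE_GROUP_FILE = """root:x:0:
wheel:x:10:rodolfo
# comment lines and blank lines are ignored

users:x:100:
"""

# Constructed inventory of path -> owning GID; 4567 and 999 have no group entry above.
SAMPLE_FILE_GIDS = {
    "/tmp/aaa": 4567,
    "/etc/passwd": 0,
    "/home/rodolfo/notes": 10,
    "/var/cache/x/y/z": 999,
}


def parse_group_gids(text):
    """Return the set of GIDs declared in text in /etc/group format (name:pw:gid:members)."""
    gids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry: skip it rather than abort the whole scan
        try:
            gids.add(int(fields[2]))
        except ValueError:
            continue
    return gids


def select_files(paths, path, filename_pattern, max_depth=-1):
    """Approximate the unix:file_object selection from the thread: files below `path`
    (recurse_direction="down"), at most max_depth directory levels deep (-1 = unlimited,
    as in the OVAL object), whose basename matches filename_pattern.
    Assumption: OVAL "pattern match" behaves like an unanchored regex search."""
    regex = re.compile(filename_pattern)
    base = path.rstrip("/")  # "/" becomes "", so every absolute path is below it
    selected = []
    for full in sorted(paths):
        if not full.startswith(base + "/"):
            continue
        relative = full[len(base) + 1:]
        depth = relative.count("/")  # directory levels between base and the file
        if max_depth != -1 and depth > max_depth:
            continue
        if regex.search(os.path.basename(full)):
            selected.append(full)
    return selected


def ungroupowned(file_gids, selected, known_gids):
    """Return the selected paths whose GID has no entry in the group database."""
    return [p for p in selected if file_gids[p] not in known_gids]


def scan_live(root="/", filename_pattern=".*", max_depth=-1):
    """Live equivalent of `find / -nogroup` against the system group database.
    Not exercised by the offline test; run as root to see every file. Unlike the
    OVAL object it does not stop at local file system boundaries."""
    known = {g.gr_gid for g in grp.getgrall()}
    file_gids = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            try:
                file_gids[full] = os.lstat(full).st_gid  # lstat: do not follow symlinks
            except OSError:
                continue
    selected = select_files(file_gids, root, filename_pattern, max_depth)
    return ungroupowned(file_gids, selected, known)


def offline_demo():
    """Run the check over the constructed sample for the three object variants the
    reporter tried: path / with .*, path / with a.*, and path /tmp with .*."""
    known = parse_group_gids(SAMPLE_GROUP_FILE)
    results = {}
    for label, path, pattern in (("root-any", "/", ".*"),
                                 ("root-a", "/", "a.*"),
                                 ("tmp-any", "/tmp", ".*")):
        selected = select_files(SAMPLE_FILE_GIDS, path, pattern)
        results[label] = ungroupowned(SAMPLE_FILE_GIDS, selected, known)
    return results


if __name__ == "__main__":
    for label, hits in offline_demo().items():
        print(label, "->", hits or "pass")
```

With the constructed data all three variants report /tmp/aaa, which is the behaviour the thread expects from the OVAL object; if a scanner reports pass while scan_live() on the same host lists files, the discrepancy is in the scanner's object evaluation rather than in the definition.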