Hello Rodolfo,
I just did a quick glance as I currently don't have the cycles to look into
this but the "state_at_system_accounts_at_allow_uid" exclude filter is
where this is not working. It is not filtering UIDs greater than 1 or 500
for that matter.
Specifically this subexpression is what is failing:
<ind:subexpression operation="greater than or equal"
datatype="int">500</ind:subexpression>
Gabe
On Thu, Jun 2, 2016 at 8:52 PM, Rodolfo Martínez <rmtzcx(a)gmail.com> wrote:
Hi mpreisler,
Thanks for you suggestion in IRC.
This what I have so far, but it is still not working. I feel I am close,
but it is not working yet. I would appreciate any suggestion
<def-group>
<definition class="compliance" id="at_system_accounts"
version="1">
<metadata>
<title>No system accounts in /etc/at.allow</title>
<affected family="unix">
<platform>CentOS 5</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<description>Group owner for /etc/at.allow and /etc/at.deny must
exist.</description>
</metadata>
<criteria>
<criterion test_ref="test_at_system_accounts_at_allow" />
</criteria>
</definition>
<!-- This variable should get all users from /etc/passwd that has UID >=
500 -->
<local_variable id="var_at_system_accounts_allow_list"
comment="Accounts
Allowed" datatype="string" version="1">
<object_component item_field="subexpression"
object_ref="object_at_system_accounts_allow_list" />
</local_variable>
<ind:textfilecontent54_object id="object_at_system_accounts_allow_list"
version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern
match">^([^:]+):[^:]+:[\d]+:[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern>
<ind:instance operation="greater than or equal"
datatype="int">1</ind:instance>
<filter
action="include">state_at_system_accounts_etc_passwd</filter>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_at_system_accounts_etc_passwd"
version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern
match">^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$</ind:pattern>
<ind:instance operation="greater than or equal"
datatype="int">1</ind:instance>
<ind:subexpression operation="greater than or equal"
datatype="int">500</ind:subexpression>
</ind:textfilecontent54_state>
<!-- Test to check that there is no system accounts in /etc/at.allow -->
<ind:textfilecontent54_test check="all"
check_existence="none_exist"
id="test_at_system_accounts_at_allow" comment="Testing /etc/at.allow for
system accounts" version="1">
<ind:object object_ref="object_at_system_accounts_allow" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object comment="/etc/at.allow"
id="object_at_system_accounts_allow" version="1">
<!-- Get all users from /etc/at.allow -->
<ind:filepath>/etc/at.allow</ind:filepath>
<ind:pattern operation="pattern match">^(.+)$</ind:pattern>
<ind:instance operation="greater than or equal"
datatype="int">1</ind:instance>
<!-- Exclude root -->
<filter
action="exclude">state_at_system_accounts_at_allow_root</filter>
<!-- Exclude all user accounts -->
<filter
action="exclude">state_at_system_accounts_at_allow_uid</filter>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_at_system_accounts_at_allow_root"
version="1">
<ind:text>root</ind:text>
</ind:textfilecontent54_state>
<unix:password_state id="state_at_system_accounts_at_allow_uid"
version="1">
<unix:username var_ref="var_at_system_accounts_allow_list"
var_check="at least one" />
</unix:password_state>
</def-group>
--
Rodolfo
--
Rodolfo Martínez
On Tue, May 31, 2016 at 5:43 PM, Rodolfo Martínez <rmtzcx(a)gmail.com>
wrote:
> Hi List,
>
> After many hours playing with SSG and OpenSCAP and not able to do what
> I want I need some help.
>
> Forgive me if I use SCAP or OpenSCAP terms incorrectly, I am new to
> SSG and I am still getting familiar.
>
> The following OVAL test searches for system accounts (UID < 500) in
> /etc/at.allow (I am showing just the relevant parts of
> RHEL/5/input/oval/at_system_accounts.xml to explain my problem):
>
> <criteria>
> <criterion test_ref="test_at_system_accounts_at_allow" />
> </criteria>
>
> <unix:password_test check="all" check_existence="none_exist"
> comment="Testing system accounts in /etc/at.allow"
> id="test_at_system_accounts_at_allow" version="1">
> <unix:object object_ref="object_at_system_accounts_at_allow" />
> </unix:password_test>
>
> <unix:password_object id="object_at_system_accounts_at_allow"
version="1">
> <unix:username operation="equals"
> var_ref="var_at_system_accounts_allow_list" var_check="at least
one"
> datatype="string" />
> <filter
action="include">state_at_system_accounts_at_allow_uid</filter>
> </unix:password_object>
>
> <local_variable id="var_at_system_accounts_allow_list"
> comment="Accounts Allowed" datatype="string"
version="1">
> <object_component item_field="subexpression"
> object_ref="object_at_system_accounts_allow_list" />
> </local_variable>
>
> <ind:textfilecontent54_object comment="/etc/at.allow"
> id="object_at_system_accounts_allow_list" version="1">
> <ind:filepath>/etc/at.allow</ind:filepath>
> <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
> <ind:instance operation="greater than or equal"
> datatype="int">0</ind:instance>
> </ind:textfilecontent54_object>
>
> <unix:password_state id="state_at_system_accounts_at_allow_uid"
> version="1">
> <unix:user_id datatype="int" operation="less
than">500</unix:user_id>
> </unix:password_state>
>
>
> The test above gets the users information from the sources specified
> in NSS (/etc/nsswitch.conf) which is correct, however I want to create
> a version that uses /etc/passwd directly. Why? We have many
> (thousands?) of RHEL 5 based servers with LDAP integration, and many
> (thousands?) of accounts in the LDAP servers.
>
> Simple tests like RHEL/5/input/oval/at_system_accounts.xml and
> RHEL/5/input/oval/cron_system_accounts.xml can take hours to run
> because they retrieve *all* users information from the LDAP servers
> and they do it *for each entry* in /etc/at.allow and /etc/cron.allow.
> Also, if we run OpenSCAP (oscap) at the same time in a few servers
> they hit the LDAP servers really bad.
>
> I have been trying to replace password_test and password_object by
> textfilecontent54_test and textfilecontent54_object without any luck.
> If you want, I can share my at_system_accounts.xml file that I thought
> it was going to work.
>
> I would really appreciate any help or hint?
>
>
> Regards
> --
> Rodolfo Martínez
>
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedo...
https://github.com/OpenSCAP/scap-security-guide/