1) This patch deletes the unused file_permissions_boot_grub_grub_conf.xml OVAL check (since file_permissions_grub_conf.xml one is used instead of it).
2) Also updates file_permissions_grub_conf.xml - replace path+filename with filepath element & add test_attestation.
Tested on RHEL-6, and seems to be working properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 6/25/14, 1:02 PM, Jan Lieskovsky wrote:
- This patch deletes the unused file_permissions_boot_grub_grub_conf.xml OVAL
check (since file_permissions_grub_conf.xml one is used instead of it).
- Also updates file_permissions_grub_conf.xml - replace path+filename with filepath element & add test_attestation.
Tested on RHEL-6, and seems to be working properly.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL-6-Delete-unused-file_permissions_boot_grub_grub.patch
From f2c47c7c4f757f25d9e2a37266ecb4d078980dc7 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Wed, 25 Jun 2014 18:53:37 +0200
Subject: [PATCH] [RHEL/6] Delete unused file_permissions_boot_grub_grub_conf.xml OVAL check (file_permissions_grub_conf.xml is used instead)

[RHEL/6] file_permissions_grub_conf.xml:
* replace path+filename with filepath
* equip with test_attestation

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
---
 .../file_permissions_boot_grub_grub_conf.xml       | 47 ----------------------
 RHEL/6/input/checks/file_permissions_grub_conf.xml |  6 +--
 2 files changed, 3 insertions(+), 50 deletions(-)
 delete mode 100644 RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml
diff --git a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml b/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml deleted file mode 100644 index da0afec..0000000 --- a/RHEL/6/input/checks/file_permissions_boot_grub_grub_conf.xml +++ /dev/null @@ -1,47 +0,0 @@ -<def-group>
<!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->
<definition class="compliance" id="file_permissions_boot_grub_grub_conf" version="1">
<metadata>
<title>Verify /boot/grub/grub.conf Permissions</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>This test makes sure that /boot/grub/grub.conf is owned by 0, group owned by 0, and has mode 0600. If
the target file or directory has an extended ACL then it will fail the mode check.</description>
<reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion test_ref="test_boot_grub_grub_conf" />
</criteria>
</definition>
- <unix:file_test check="all" check_existence="all_exist" comment="/boot/grub/grub.conf mode and ownership" id="test_boot_grub_grub_conf" version="1">
- <unix:object object_ref="object_boot_grub_grub_conf" />
- <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" />
- <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" />
- <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" />
- </unix:file_test>
- <unix:file_object comment="/boot/grub/grub.conf" id="object_boot_grub_grub_conf" version="1">
- unix:path/boot/grub</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
- <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1">
- <unix:user_id datatype="int" operation="equals">0</unix:user_id>
- </unix:file_state>
- <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1">
- <unix:group_id datatype="int" operation="equals">0</unix:group_id>
- </unix:file_state>
- <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1">
- <unix:suid datatype="boolean">false</unix:suid>
- <unix:sgid datatype="boolean">false</unix:sgid>
- <unix:sticky datatype="boolean">false</unix:sticky>
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uwrite datatype="boolean">true</unix:uwrite>
- <unix:uexec datatype="boolean">false</unix:uexec>
- <unix:gread datatype="boolean">false</unix:gread>
- <unix:gwrite datatype="boolean">false</unix:gwrite>
- <unix:gexec datatype="boolean">false</unix:gexec>
- <unix:oread datatype="boolean">false</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- <unix:oexec datatype="boolean">false</unix:oexec>
- </unix:file_state>
-</def-group> diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml b/RHEL/6/input/checks/file_permissions_grub_conf.xml index 3347a8b..3dc48db 100644 --- a/RHEL/6/input/checks/file_permissions_grub_conf.xml +++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>File permissions for /boot/grub/grub.conf should be set to 0600 (or stronger).</description>
<reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/> </metadata> <criteria> <criterion test_ref="test_file_permissions_grub_conf" />
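Review bot: the deleted definition enforced ownership as well as mode (the test bound the object to _boot_grub_grub_conf_state_uid_0 and _boot_grub_grub_conf_state_gid_0 in addition to _boot_grub_grub_conf_state_mode_0600), whereas the retained test in file_permissions_grub_conf.xml references only state_file_permissions_grub_conf and its description speaks of permissions "0600 (or stronger)" alone; before dropping this file, confirm that root user and group ownership of /boot/grub/grub.conf is still enforced by a separate check, otherwise the deletion quietly narrows coverage of the boot loader configuration. The first removed line also says the file "IS GENERATED by create_permission_checks.py", so the generator's input needs the corresponding entry removed too, or the file will reappear on the next generation run.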
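Review bot: the added <reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/> uses a different ref_id convention from the attestation in the file being deleted (source="swells" ref_id="20130831"); settling on one format for the RHEL/6 checks keeps attestations greppable. The definition's own version attribute is outside this hunk, and since the definition's metadata changed it is worth checking whether it should be bumped the same way object_file_permissions_grub_conf is bumped to version="2" in the next hunk.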
@@ -17,9 +18,8 @@ <unix:state state_ref="state_file_permissions_grub_conf" /> </unix:file_test>
- <unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" version="1">
- unix:path/boot/grub</unix:path>
- unix:filenamegrub.conf</unix:filename>
<unix:file_object comment="/boot/grub/grub.conf" id="object_file_permissions_grub_conf" version="2">
unix:filepath/boot/grub/grub.conf</unix:filepath> </unix:file_object>
<unix:file_state id="state_file_permissions_grub_conf" version="2">
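Review bot: collapsing path plus filename into a single filepath is behaviourally equivalent for a literal target such as /boot/grub/grub.conf, and bumping object_file_permissions_grub_conf from version="1" to version="2" is the right accompaniment; the one thing to verify is that the OVAL schema version declared by the generated content (not visible in this hunk) is one that defines the filepath entity, since content built against a schema that only knows path and filename will fail schema validation even though the scan on RHEL-6 passed. The test's check_existence attribute is also outside the hunk; with a single literal filepath object, confirm that an absent grub.conf still yields the intended result rather than a silent pass.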
-- 1.8.3.1
ack
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Thursday, June 26, 2014 8:25:43 PM
Subject: Re: [PATCH] [RHEL/6] Delete unused file_permissions_boot_grub_grub_conf.xml OVAL check [RHEL/6] Small changes in file_permissions_grub_conf.xml
On 6/25/14, 1:02 PM, Jan Lieskovsky wrote:
- This patch deletes the unused file_permissions_boot_grub_grub_conf.xml
OVAL check (since file_permissions_grub_conf.xml one is used instead of it).
- Also updates file_permissions_grub_conf.xml - replace path+filename with filepath element & add test_attestation.
Tested on RHEL-6, and seems to be working properly.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
ack
Thanks, pushed.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

--
Shawn Wells
Director, Innovation Programs
shawn@redhat.com | 443.534.0130
@shawndwells
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide