When checking the "Verify /boot/grub/grub.conf Permissions" rule, allow the check to also succeed when the underlying system has stronger file permissions on the /boot/grub/grub.conf file than exactly 0600 (IOW, instead of requiring exactly 0600 permissions, make the 0600 mode the upper bound of the allowed range).
Please review.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
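For anyone who wants to reproduce the relaxed check by hand outside the OVAL scanner, here is a small shell equivalent. This is an added example, not code from the patch or from scap-security-guide: it treats 0600 as the bitmask upper bound exactly as the cover letter describes, so 0600, 0400, 0200 and 0000 pass while any owner-execute, group or other bit fails. The function names (mode_within_0600, file_within_0600) are my own; the file check uses GNU `stat -c '%a'` and falls back to BSD `stat -f '%Lp'`.

```shell
#!/bin/sh
# Added example (not part of the scap-security-guide patch or thread).
# Shell equivalent of the relaxed state: a mode passes when it sets no bit
# outside owner-read/owner-write, i.e. 0600 is the upper bound and any
# "stronger" mode (0400, 0200, 0000) passes too.

# mode_within_0600 MODE
#   MODE is an octal permission string such as 0600, 600 or 4755.
#   Returns 0 (pass) when no owner-execute, group or other bit is set.
mode_within_0600() {
    m=$((0$1))                  # leading 0 forces octal interpretation
    # 0177 = owner execute + all group bits + all other bits;
    # any of those set means the file is weaker than 0600.
    [ $((m & 0177)) -eq 0 ]
}

# file_within_0600 PATH
#   Reads the mode of PATH and applies mode_within_0600 to it.
#   Returns 0 on pass, 1 on fail, 2 when the file does not exist.
file_within_0600() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # GNU coreutils stat first (RHEL), BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    mode_within_0600 "$mode"
}

# Usage from an interactive shell (assumed invocation, RHEL 6 path):
#   . ./grub_conf_mode.sh
#   file_within_0600 /boot/grub/grub.conf && echo pass || echo fail
```

Note that, like the patched OVAL state, this only bounds the mode from above: it does not insist that root can still read the file, and it does not look at ownership.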
On 4/3/14, 6:27 AM, Jan Lieskovsky wrote:
0001-RHEL-6-Allow-boot-grub-grub.conf-permissions-to-be-s.patch
From 1203661223621428e00271a236432540cde59ff6 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Thu, 3 Apr 2014 13:17:34 +0200
Subject: [PATCH] [RHEL/6] Allow /boot/grub/grub.conf permissions to be stronger than 0600
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
RHEL/6/input/checks/file_permissions_grub_conf.xml | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/checks/file_permissions_grub_conf.xml b/RHEL/6/input/checks/file_permissions_grub_conf.xml index 747f2d9..3347a8b 100644 --- a/RHEL/6/input/checks/file_permissions_grub_conf.xml +++ b/RHEL/6/input/checks/file_permissions_grub_conf.xml @@ -1,11 +1,11 @@
<def-group> - <definition class="compliance" id="file_permissions_grub_conf" version="1"> + <definition class="compliance" id="file_permissions_grub_conf" version="2"> <metadata> <title>File /boot/grub/grub.conf Permissions</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>File permissions for /boot/grub/grub.conf should be set to 0600.</description> + <description>File permissions for /boot/grub/grub.conf should be set to 0600 (or stronger).</description> </metadata> <criteria> <criterion test_ref="test_file_permissions_grub_conf" /> @@ -22,9 +22,7 @@ <unix:filename>grub.conf</unix:filename> </unix:file_object>
- <unix:file_state id="state_file_permissions_grub_conf" version="1">
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uwrite datatype="boolean">true</unix:uwrite>
- <unix:file_state id="state_file_permissions_grub_conf" version="2"> <unix:uexec datatype="boolean">false</unix:uexec> <unix:gread datatype="boolean">false</unix:gread> <unix:gwrite datatype="boolean">false</unix:gwrite>
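Review bot: in the second hunk, removing the `<unix:uread>` and `<unix:uwrite>` assertions from state_file_permissions_grub_conf leaves no positive requirement on the owner bits, so a grub.conf with mode 0400, 0200 or 0000 now satisfies the state as well; that matches the "(or stronger)" wording added to the description in the first hunk, but the description could say explicitly that the remaining assertions (uexec, gread, gwrite false, plus whatever follows in the unchanged context) act purely as an upper bound and that the owner's read/write access is no longer verified. Since only uexec, gread and gwrite are visible in the hunk, it is also worth confirming that the setuid, setgid and sticky bits are asserted false in the part of the state the diff does not show; otherwise a mode such as 4600 would still pass.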
-- 1.8.3.1
This seems to be another patch that slipped through the cracks (GitHub, here we come....).
Perfectly sane - ack
scap-security-guide@lists.fedorahosted.org