From: Kenneth Stailey kstailey.lists@gmail.com
Second try as changes that went in ahead of this fixed the perms on /etc/shadow but not /etc/gshadow.
Kenneth Stailey (1): Use mode 0 for gshadow file
.../input/checks/file_permissions_etc_gshadow.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com
---
.../input/checks/file_permissions_etc_gshadow.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_etc_gshadow.xml b/RHEL6/input/checks/file_permissions_etc_gshadow.xml index d86a582..674f7bc 100644 --- a/RHEL6/input/checks/file_permissions_etc_gshadow.xml +++ b/RHEL6/input/checks/file_permissions_etc_gshadow.xml @@ -19,9 +19,9 @@ <unix:object object_ref="obj_20038" /> <unix:state state_ref="state_1000400" /> </unix:file_test> - <unix:file_state id="state_1000400" + <unix:file_state id="state_1000000" version="1"> - <unix:uread datatype="boolean">true</unix:uread> + <unix:uread datatype="boolean">false</unix:uread> <unix:uwrite datatype="boolean">false</unix:uwrite> <unix:uexec datatype="boolean">false</unix:uexec> <unix:gread datatype="boolean">false</unix:gread>
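Review bot: the renamed state id no longer matches its reference. The hunk changes `<unix:file_state id="state_1000400"` to `id="state_1000000"` but leaves the unchanged context line `<unix:state state_ref="state_1000400" />` in the file_test as it is, so after this patch the test points at a state that does not exist in the file; either keep the id as state_1000400 or update the state_ref in the same commit. The uread true to false flip is the change the commit message asks for (mode 0), but note that this state still only covers the rwx bits: nothing here asserts suid/sgid/sticky or that the file is owned by uid 0 and gid 0, which the commit message implies by appealing to the RPM-recorded permissions.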
good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks). (and then commit changes from the template list and also the resultant OVAL.)
On 09/05/2012 12:39 PM, kstailey.lists@gmail.com wrote:
From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com
On Wed, Sep 5, 2012 at 4:40 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks). (and then commit changes from the template list and also the resultant OVAL.)
Nice to talk with you too. Thanks for pointing out the templates directory. I've redone the change by updating the file_dir_permissions.csv file and generating the file_permissions_etc_gshadow.xml from that. I'll send this out as email.
From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com
---
.../input/checks/file_permissions_etc_gshadow.xml | 57 ++++++++++++---------- .../checks/templates/file_dir_permissions.csv | 1 + 2 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_etc_gshadow.xml b/RHEL6/input/checks/file_permissions_etc_gshadow.xml index d86a582..17c3e0c 100644 --- a/RHEL6/input/checks/file_permissions_etc_gshadow.xml +++ b/RHEL6/input/checks/file_permissions_etc_gshadow.xml 
@@ -1,39 +1,46 @@ <def-group> - <definition class="compliance" - id="file_permissions_etc_gshadow" version="1"> + <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. --> + <definition class="compliance" id="file_permissions_etc_gshadow" version="1"> <metadata> - <title>Verify permissions on 'gshadow' file</title> + <title>Verify /etc/gshadow Permissions</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>File permissions for /etc/gshadow should be set - correctly.</description> + <description>This test makes sure that /etc/gshadow is owned by 0, group owned by 0, and has mode 0000. If + the target file or directory has an extended ACL then it will fail the mode check.</description> </metadata> <criteria> - <criterion test_ref="test_20044" /> + <criterion test_ref="test_etc_gshadow" /> </criteria> </definition> - <unix:file_test check="all" check_existence="all_exist" - comment="Testing gshadow permissions" - id="test_20044" version="1"> - <unix:object object_ref="obj_20038" /> - <unix:state state_ref="state_1000400" /> + <unix:file_test check="all" check_existence="all_exist" comment="/etc/gshadow mode and ownership" id="test_etc_gshadow" version="1"> + <unix:object object_ref="object_etc_gshadow" /> + <unix:state state_ref="state_uid_0" /> + <unix:state state_ref="state_gid_0" /> + <unix:state state_ref="state_mode_0000" /> </unix:file_test> - <unix:file_state id="state_1000400" - version="1"> - <unix:uread datatype="boolean">true</unix:uread> - <unix:uwrite datatype="boolean">false</unix:uwrite> - <unix:uexec datatype="boolean">false</unix:uexec> - <unix:gread datatype="boolean">false</unix:gread> - <unix:gwrite datatype="boolean">false</unix:gwrite> - <unix:gexec datatype="boolean">false</unix:gexec> - <unix:oread datatype="boolean">false</unix:oread> - <unix:owrite datatype="boolean">false</unix:owrite> - <unix:oexec datatype="boolean">false</unix:oexec> - </unix:file_state> - 
<unix:file_object comment="/etc/gshadow" - id="obj_20038" version="1"> + <unix:file_object comment="/etc/gshadow" id="object_etc_gshadow" version="1"> unix:path/etc</unix:path> unix:filenamegshadow</unix:filename> </unix:file_object> + <unix:file_state id="state_uid_0" version="1"> + <unix:user_id datatype="int" operation="equals">0</unix:user_id> + </unix:file_state> + <unix:file_state id="state_gid_0" version="1"> + <unix:group_id datatype="int" operation="equals">0</unix:group_id> + </unix:file_state> + <unix:file_state id="state_mode_0000" version="1"> + <unix:suid datatype="boolean">false</unix:suid> + <unix:sgid datatype="boolean">false</unix:sgid> + <unix:sticky datatype="boolean">false</unix:sticky> + <unix:uread datatype="boolean">false</unix:uread> + <unix:uwrite datatype="boolean">false</unix:uwrite> + <unix:uexec datatype="boolean">false</unix:uexec> + <unix:gread datatype="boolean">false</unix:gread> + <unix:gwrite datatype="boolean">false</unix:gwrite> + <unix:gexec datatype="boolean">false</unix:gexec> + <unix:oread datatype="boolean">false</unix:oread> + <unix:owrite datatype="boolean">false</unix:owrite> + <unix:oexec datatype="boolean">false</unix:oexec> + </unix:file_state> </def-group> diff --git a/RHEL6/input/checks/templates/file_dir_permissions.csv b/RHEL6/input/checks/templates/file_dir_permissions.csv index 781f413..1e0164e 100644 --- a/RHEL6/input/checks/templates/file_dir_permissions.csv +++ b/RHEL6/input/checks/templates/file_dir_permissions.csv @@ -1,3 +1,4 @@ /etc,shadow,0,0,0000 +/etc,gshadow,0,0,0000 /etc,passwd,0,0,0644 /boot/grub,grub.conf,0,0,0600
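Review bot: the new description promises "If the target file or directory has an extended ACL then it will fail the mode check", but none of the three states in this hunk asserts anything about ACLs; state_mode_0000 is twelve boolean entities (suid, sgid, sticky and the nine rwx bits) all false, which is exactly what mode 0000 means and nothing more. Either reword the description to state only what is tested, or have create_permission_checks.py emit an explicit ACL entity (OVAL's unix file_state defines has_extended_acl for this) so the ACL behaviour is asserted rather than described. The descriptive ids (test_etc_gshadow, object_etc_gshadow, state_uid_0, state_gid_0, state_mode_0000) are consistent between the criterion, the file_test and the states, which also removes the stale-reference risk the earlier numeric ids had.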
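Review bot: the template carries no header row (the hunk starts at line 1 with `/etc,shadow,0,0,0000`), so the meaning of the five columns, directory, filename, uid, gid and octal mode, is only recoverable by reading create_permission_checks.py; a short note beside the template or in its README would make rows like the new `/etc,gshadow,0,0,0000` self-explanatory for the next contributor. The row itself agrees with the regenerated states (uid 0, gid 0, mode 0000) and with the existing /etc,shadow entry it sits next to.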
Look good, please push.
On 09/05/2012 05:11 PM, kstailey.lists@gmail.com wrote:
From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com
On Wed, Sep 5, 2012 at 5:09 PM, Kenneth Stailey kstailey.lists@gmail.com wrote:
On Wed, Sep 5, 2012 at 4:40 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks). (and then commit changes from the template list and also the resultant OVAL.)
Nice to talk with you too. Thanks for pointing out the templates directory. I've redone the change by updating the file_dir_permissions.csv file and generating the file_permissions_etc_gshadow.xml from that. I'll send this out as email.
Regarding templates, I noticed that RHEL6/input/checks/templates/file_dir_permissions.csv used to have /var/log,cron,0,0,0600, in it but not now, yet RHEL6/input/checks/file_permissions_var_log_cron.xml still exists and has a comment that it was generated from a template.
The same seems true for RHEL6/input/checks/templates/sysctl_values.csv once having net.ipv6.conf.default.accept_redirects but no more, yet generated file RHEL6/input/checks/templates/sysctl_net_ipv6_conf_default_accept_redirects.xml still exists.
This was all on purpose. Except the removal of the /var/log/cron file, which I had forgotten to take care of until now. It only existed as a vestige of some testing, and now is gone. The reasoning there is that requirements for /var/log will subsume any individual checks for files in that directory. A strategy for file permissions is being documented here (as part of the STIG consensus work): https://fedorahosted.org/scap-security-guide/wiki/STIGfileperms
The generation of OVAL checks for file permissions should be templated as much as possible. Note that I'm not saying the template is as good as it should be, however.
Please see earlier posts from Michael Palmiotto on why the IPv6 sysctl tests are not templated. This is to permit tests to pass if IPv6 is not active at all.
On 09/05/2012 05:43 PM, Kenneth Stailey wrote:
On Wed, Sep 5, 2012 at 5:09 PM, Kenneth Stailey kstailey.lists@gmail.com wrote:
On Wed, Sep 5, 2012 at 4:40 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks). (and then commit changes from the template list and also the resultant OVAL.)
Nice to talk with you too. Thanks for pointing out the templates directory. I've redone the change by updating the file_dir_permissions.csv file and generating the file_permissions_etc_gshadow.xml from that. I'll send this out as email.
Regarding templates, I noticed that RHEL6/input/checks/templates/file_dir_permissions.csv used to have /var/log,cron,0,0,0600, in it but not now, yet RHEL6/input/checks/file_permissions_var_log_cron.xml still exists and has a comment that it was generated from a template.
The same seems true for RHEL6/input/checks/templates/sysctl_values.csv once having net.ipv6.conf.default.accept_redirects but no more, yet generated file RHEL6/input/checks/templates/sysctl_net_ipv6_conf_default_accept_redirects.xml still exists.
_______________________________________________
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
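The thread settles on regenerating the gshadow OVAL from a file_dir_permissions.csv row instead of hand-editing the XML. The Python below is added here as an illustration and is not the project's create_permission_checks.py; it shows the core of that expansion, turning a row such as `/etc,gshadow,0,0,0000` into the uid, gid and mode unix:file_state elements that appear in the second patch, with the octal mode decoded into the twelve booleans (special bits plus rwx). The OVAL unix namespace URI and entity names are the standard ones; the ids mirror the generated file.

```python
# Added illustration, not the project's create_permission_checks.py: expand a
# file_dir_permissions.csv row such as "/etc,gshadow,0,0,0000" into the uid, gid
# and mode unix:file_state elements seen in the regenerated OVAL.
import csv
import io
from xml.etree import ElementTree as ET

UNIX = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
MODE_BITS = [  # (OVAL entity, octal mask) in unix:file_state schema order
    ("suid", 0o4000), ("sgid", 0o2000), ("sticky", 0o1000),
    ("uread", 0o400), ("uwrite", 0o200), ("uexec", 0o100),
    ("gread", 0o040), ("gwrite", 0o020), ("gexec", 0o010),
    ("oread", 0o004), ("owrite", 0o002), ("oexec", 0o001),
]

def mode_flags(mode_str):
    """Map an octal mode string ("0000", "0644", "4755") to one boolean per bit."""
    mode = int(mode_str, 8)
    if not 0 <= mode <= 0o7777:
        raise ValueError(f"mode out of range: {mode_str}")
    return {name: bool(mode & mask) for name, mask in MODE_BITS}

def file_states(row):
    """Build the three file_state elements for one CSV row (path, name, uid, gid, mode)."""
    _path, _filename, uid, gid, mode = (f.strip() for f in row)  # path/name feed the object

    def state(state_id, children):
        el = ET.Element(f"{{{UNIX}}}file_state", id=state_id, version="1")
        for tag, attrs, text in children:
            ET.SubElement(el, f"{{{UNIX}}}{tag}", attrs).text = text
        return el

    return [
        state(f"state_uid_{uid}", [("user_id", {"datatype": "int", "operation": "equals"}, uid)]),
        state(f"state_gid_{gid}", [("group_id", {"datatype": "int", "operation": "equals"}, gid)]),
        state(f"state_mode_{mode}", [(n, {"datatype": "boolean"}, str(v).lower())
                                     for n, v in mode_flags(mode).items()]),
    ]

def render(csv_text):
    """Serialise every non-empty row; each element repeats xmlns:unix, which a real
    def-group would declare once at the top instead."""
    ET.register_namespace("unix", UNIX)
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    return "\n".join(ET.tostring(s, encoding="unicode") for r in rows for s in file_states(r))

if __name__ == "__main__":
    print(render("/etc,shadow,0,0,0000\n/etc,gshadow,0,0,0000\n/etc,passwd,0,0,0644\n"))
```

Running it on the three rows from the patch prints the shadow and gshadow mode states with every entity false and the passwd state with uread, uwrite, gread and oread true, which is what 0644 decodes to.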