I noticed that the name of the check didn't make sense, dug deeper, and discovered that the correct check more closely matched the templated sysctl checks.
- Maura Dailey
Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
---
.../checks/core_dump_suid_progs_limits_conf.xml | 30 --------------------
RHEL6/input/checks/sysctl_fs_suid_dumpable.xml | 28 ++++++++++++++++++
RHEL6/input/checks/templates/sysctl_values.csv | 1 +
RHEL6/input/system/permissions/execution.xml | 2 +-
4 files changed, 30 insertions(+), 31 deletions(-)
delete mode 100644 RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml
create mode 100644 RHEL6/input/checks/sysctl_fs_suid_dumpable.xml
diff --git a/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml b/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml
deleted file mode 100644
index 066957a..0000000
--- a/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<def-group>
- <definition class="compliance" id="core_dump_suid_progs_limits_conf"
- version="1">
- <metadata>
- <title>Disable Core Dumps for setuid programs</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Core dumps for setuid programs should be
- disabled</description>
- </metadata>
- <criteria>
- <criterion comment="Are core dumps for setuid programs disabled?"
- test_ref="test_core_dump_suid_progs_limits_conf" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
- comment="Tests the value of the ^[\s]*fs\.suid_dumpable[\s]*=([\s]*) expression in the /etc/sysctl.conf file"
- id="test_core_dump_suid_progs_limits_conf" version="2">
- <ind:object object_ref="object_core_dump_suid_progs_limits_conf" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_core_dump_suid_progs_limits_conf"
- version="1">
- <ind:path>/etc/security</ind:path>
- <ind:filename>limits.conf</ind:filename>
- <ind:pattern operation="pattern match">
- ^fs.suid_dumpable\s+=\s+1$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml b/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml
new file mode 100644
index 0000000..e358366
--- /dev/null
+++ b/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml
@@ -0,0 +1,28 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT. -->
+ <definition class="compliance" id="sysctl_fs_suid_dumpable" version="1">
+ <metadata>
+ <title>Kernel Runtime Parameter "fs.suid_dumpable" Check</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The kernel runtime parameter "fs.suid_dumpable" should be set to "0".</description>
+ </metadata>
+ <criteria>
+ <criterion comment="kernel runtime parameter fs.suid_dumpable set to 0" test_ref="test_sysctl_fs_suid_dumpable" />
+ </criteria>
+ </definition>
+
+ <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter fs.suid_dumpable set to 0" id="test_sysctl_fs_suid_dumpable" version="1">
+ <unix:object object_ref="object_sysctl_fs_suid_dumpable" />
+ <unix:state state_ref="state_sysctl_fs_suid_dumpable" />
+ </unix:sysctl_test>
+
+ <unix:sysctl_object id="object_sysctl_fs_suid_dumpable" version="1">
+ <unix:name>fs.suid_dumpable</unix:name>
+ </unix:sysctl_object>
+
+ <unix:sysctl_state id="state_sysctl_fs_suid_dumpable" version="1">
+ <unix:value datatype="int" operation="equals">0</unix:value>
+ </unix:sysctl_state>
+</def-group>
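Review bot: The unix:sysctl_test in this new file evaluates only the running kernel's value of fs.suid_dumpable, so it does not confirm that the value is persisted in /etc/sysctl.conf; a host where the parameter was set to 0 only at runtime passes until its next reboot, while a host whose /etc/sysctl.conf is correct but not yet reloaded fails. Because the file header says it is generated by create_sysctl_checks.py, a persistence check would have to be added in that template rather than here: a companion ind:textfilecontent54_test on /etc/sysctl.conf matching something like `^[\s]*fs\.suid_dumpable[\s]*=[\s]*0[\s]*$`, joined with the runtime test under a `<criteria operator="AND">`. If that is out of scope for this commit, the description on the definition could at least say which of the two the check covers, e.g. `The kernel runtime parameter "fs.suid_dumpable" should be set to "0" (this check evaluates the running value only).` The same runtime-only caveat presumably applies to every check generated from sysctl_values.csv, so it is best addressed once in the template.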
diff --git a/RHEL6/input/checks/templates/sysctl_values.csv b/RHEL6/input/checks/templates/sysctl_values.csv
index ae38b46..b318c47 100644
--- a/RHEL6/input/checks/templates/sysctl_values.csv
+++ b/RHEL6/input/checks/templates/sysctl_values.csv
@@ -17,3 +17,4 @@ net.ipv4.ip_forward,0
net.ipv4.tcp_syncookies,1
net.ipv6.conf.default.accept_redirects,0
net.ipv6.conf.default.accept_ra,0
+fs.suid_dumpable,0
diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml
index d742d60..86d2ea7 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -101,7 +101,7 @@ user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data.</rationale>
<ident cce="27044-7" />
-<oval id="core_dump_suid_progs_limits_conf" />
+<oval id="sysctl_fs_suid_dumpable" />
<ref nist="SI-11" />
</Rule>
</Group>
--
1.7.1