I am new to OpenSCAP and am stuck
Operating System is CentOS 7.1, oscap version is 1.1.1.
I am using "ssg.rhel7.ds..xml" to scan with.
The Rule "Verify that Shared Library Files have Restrictive Permissions" indicates a "FAIL".
I am using SCAP-Workbench. When I run a scan, that Rule fails. Apparently the Rule is looking for NO Group or Other write permissions (555). But on CentOS 7.1, the /lib and /lib64 directories do not exist by default and symbolic links are used instead. They point to the real directories /usr/lib and /usr/lib64 respectively. By default, apparently, symbolic links have file permissions of "777". This is why I think the test is failing. I don't see how to do an effective "chmod" on a symbolic link. So I thought I would simply take the directories of interest (/lib and /lib64) out of the Rule criteria. But I don't know how to do that.
I need help correcting this Rule test so the test will indicate a "PASS".
I suppose I could actually delete the two symbolic links, but I might break something.
Ideas?
Ron
Do you happen to generate and/or save an HTML report? You can generate a report, click on the "Verify that Shared Library Files have Restrictive Permissions" link, which should open a new window, and check out the "OVAL details" section, which should give you a list of the offending files.
On Thu, Jul 30, 2015 at 11:22 AM, Ron Backman backvan@gmail.com wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
On 7/31/15 2:51 PM, Gabe Alford wrote:
Do you happen to generate and/or save an HTML report? You can generate a report, click on the "Verify that Shared Library Files have Restrictive Permissions" link, which should open a new window, and check out the "OVAL details" section, which should give you a list of the offending files.
+1. Need to see OVAL results to evaluate what files are being detected.
For reference, the underlying OVAL code looks like this: (from shared/oval/file_permissions_library_dirs.xml)
<unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
  <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
  <unix:path operation="pattern match">^/lib(|64)|^/usr/lib(|64)</unix:path>
  <unix:filename xsi:nil="true" />
  <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
  <filter action="exclude">perms_state_symlink</filter>
</unix:file_object>

<unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
  <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
  <unix:path operation="pattern match">^/lib(|64)|^/usr/lib(|64)</unix:path>
  <unix:filename operation="pattern match">^.*$</unix:filename>
  <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
  <filter action="exclude">perms_state_symlink</filter>
</unix:file_object>

<unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
  <unix:gwrite datatype="boolean">true</unix:gwrite>
  <unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>

<unix:file_state id="perms_state_symlink" version="1">
  <unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
Symbolic links are being specifically excluded from /var/{lib,lib64} and /{lib,lib64}. Files that aren't symlinks are being evaluated for no group write and no world write.
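A local equivalent of the two OVAL objects quoted above, added here as an example; it is not part of the thread, of SCAP Workbench, or of the scap-security-guide project. It walks the library directories, skips symbolic links the same way the perms_state_symlink exclude filter does, and prints every remaining entry that has the group or other write bit set (the state_perms_nogroupwrite_noworldwrite include state). The function names lib_perm_check and lib_perm_fix, the recursive walk, and the chmod go-w remediation are my assumptions rather than something the OVAL content or the list members specify; run the check first and review what it prints before applying the fix.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SSG project).
# Reproduces locally what the OVAL objects evaluate: non-symlink entries under the
# library directories that are writable by group or other.

lib_perm_check() {
    # $@ = directories to examine; defaults to the four paths the OVAL regex names.
    # Assumption: the walk is recursive, which is how a practitioner would audit the
    # whole tree; adjust if you only want the top-level entries.
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    for d in "$@"; do
        # Skip paths that do not exist on this host (not every distro has /lib64).
        [ -e "$d" ] || continue
        # -H: follow a symlink given on the command line (/lib -> usr/lib on CentOS 7)
        #     so its target directory is walked, but do not follow symlinks inside it.
        # ! -type l: skip symbolic links, as the perms_state_symlink exclude filter does;
        #     a link's own 777 mode is therefore never what makes the rule fail.
        # -perm -020 / -perm -002: group-writable or world-writable, the include state.
        find -H "$d" ! -type l \( -perm -020 -o -perm -002 \) -print
    done | sort -u
}

lib_perm_fix() {
    # Remediation assumed here: strip the group/other write bit from every offender.
    # Read one path per line so names with spaces are handled.
    lib_perm_check "$@" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# Usage (as root, after sourcing this file):
#   lib_perm_check            # list offenders under the four library paths
#   lib_perm_fix              # same walk, then chmod go-w each offender
```

To see the list the OVAL engine itself collected, as Gabe suggests, you can also run the scan from the command line, e.g. oscap xccdf eval --profile <profile id> --oval-results --results results.xml --report report.html <datastream>: report.html carries the per-rule "OVAL details" section, and --oval-results writes the OVAL result files that list each item the object collected with its evaluation result. One caveat worth knowing when reading the output: on Linux the mode bits of a symbolic link are never consulted for access decisions, and chmod on a link changes the target, not the link, which is why the OVAL object excludes links instead of checking their 777 mode.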