There isn't any way to do this the clever way, following the symlink /etc/grub.conf, so for now at least, I added a second path to check, the path for EFI in a default install.
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil --- RHEL6/input/checks/file_group_owner_grub_conf.xml | 18 +++++++++++++++--- RHEL6/input/checks/file_user_owner_grub_conf.xml | 18 +++++++++++++++--- 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/checks/file_group_owner_grub_conf.xml b/RHEL6/input/checks/file_group_owner_grub_conf.xml
index 3fc076a..4856fdf 100644
--- a/RHEL6/input/checks/file_group_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_group_owner_grub_conf.xml
@@ -1,14 +1,16 @@
<def-group>
<definition class="compliance" id="file_group_owner_grub_conf" version="1">
<metadata>
- <title>File /boot/grub/grub.conf Owned By root Group </title>
+ <title>File grub.conf Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The /boot/grub/grub.conf file should be owned by the root group.</description>
+ <description>The grub.conf file should be owned by the root group.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
</metadata>
- <criteria>
+ <criteria operator="OR">
<criterion test_ref="test_file_group_owner_grub_conf" />
+ <criterion test_ref="test_file_group_owner_efi_grub_conf" />
</criteria>
</definition>
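Review bot: The new `<criteria operator="OR">` lets a misowned grub.conf pass whenever the other location is compliant, because both referenced tests use `check_existence="all_exist"` and only one criterion has to be true; on a host where both /boot/grub/grub.conf and /boot/efi/EFI/redhat/grub.conf are present, the copy GRUB actually reads could belong to a non-root group and the definition would still evaluate true. A closer fit for the intent "every grub.conf that exists is root-owned" is `<criteria operator="AND">` with the two tests changed to `check_existence="any_exist"`, which passes a missing path vacuously and applies the state to each file that is collected. If the pre-patch requirement that at least one grub.conf must exist is to be kept, nest the current OR pair of all_exist tests as an existence sub-criteria inside that AND. The hunk for file_user_owner_grub_conf below has the same criteria shape and needs the same treatment.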
@@ -17,11 +19,21 @@
<unix:state state_ref="state_file_group_owner_grub_conf" />
</unix:file_test>
+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_group_owner_efi_grub_conf" version="1">
+ <unix:object object_ref="object_file_group_owner_efi_grub_conf" />
+ <unix:state state_ref="state_file_group_owner_grub_conf" />
+ </unix:file_test>
+
<unix:file_object comment="/boot/grub/grub.conf" id="object_file_group_owner_grub_conf" version="1">
unix:path/boot/grub</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_group_owner_efi_grub_conf" version="1">
+ unix:path/boot/efi/EFI/redhat</unix:path>
+ unix:filenamegrub.conf</unix:filename>
+ </unix:file_object>
+
<unix:file_state id="state_file_group_owner_grub_conf" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
diff --git a/RHEL6/input/checks/file_user_owner_grub_conf.xml b/RHEL6/input/checks/file_user_owner_grub_conf.xml
index 53d5e2f..290d883 100644
--- a/RHEL6/input/checks/file_user_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml
@@ -1,14 +1,16 @@
<def-group>
<definition class="compliance" id="file_user_owner_grub_conf" version="1">
<metadata>
- <title>File /boot/grub/grub.conf Owned By root User</title>
+ <title>File grub.conf Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The /boot/grub/grub.conf file should be owned by the root user.</description>
+ <description>The grub.conf file should be owned by the root user.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
</metadata>
- <criteria>
+ <criteria operator="OR">
<criterion test_ref="test_file_user_owner_grub_conf" />
+ <criterion test_ref="test_file_user_owner_efi_grub_conf" />
</criteria>
</definition>
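Review bot: The `comment` attribute on the added `test_file_group_owner_efi_grub_conf` reads "/boot/efi/EFI/redhat/grub.conf owned by root", which describes the user-owner check rather than this test, whose state compares `<unix:group_id>` against 0; the identical wording on the user-owner test in the next file makes the two indistinguishable in OVAL result output. Suggest `comment="/boot/efi/EFI/redhat/grub.conf owned by root group"` here, leaving the user-owner test's comment as written.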
@@ -17,11 +19,21 @@
<unix:state state_ref="state_file_user_owner_grub_conf" />
</unix:file_test>
+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_user_owner_efi_grub_conf" version="1">
+ <unix:object object_ref="object_file_user_owner_efi_grub_conf" />
+ <unix:state state_ref="state_file_user_owner_grub_conf" />
+ </unix:file_test>
+
<unix:file_object comment="/boot/grub/grub.conf" id="object_file_user_owner_grub_conf" version="1">
unix:path/boot/grub</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_user_owner_efi_grub_conf" version="1">
+ unix:path/boot/efi/EFI/redhat</unix:path>
+ unix:filenamegrub.conf</unix:filename>
+ </unix:file_object>
+
<unix:file_state id="state_file_user_owner_grub_conf" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
No one's ACKED/NACKED these. Also, Shawn committed a patch that tries to template these checks, but templated checks won't work unless the system is guaranteed not to be using EFI or unless the template can handle two alternate file locations.
- Maura Dailey
On 08/30/2013 02:54 PM, Maura Dailey wrote:
There isn't any way to do this the clever way, following the symlink /etc/grub.conf, so for now at least, I added a second path to check, the path for EFI in a default install.
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
RHEL6/input/checks/file_group_owner_grub_conf.xml | 18 +++++++++++++++--- RHEL6/input/checks/file_user_owner_grub_conf.xml | 18 +++++++++++++++--- 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/checks/file_group_owner_grub_conf.xml b/RHEL6/input/checks/file_group_owner_grub_conf.xml
index 3fc076a..4856fdf 100644
--- a/RHEL6/input/checks/file_group_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_group_owner_grub_conf.xml
@@ -1,14 +1,16 @@
<def-group>
<definition class="compliance" id="file_group_owner_grub_conf" version="1">
<metadata>
- <title>File /boot/grub/grub.conf Owned By root Group </title>
+ <title>File grub.conf Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The /boot/grub/grub.conf file should be owned by the root group.</description>
+ <description>The grub.conf file should be owned by the root group.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
</metadata>
- <criteria>
+ <criteria operator="OR">
<criterion test_ref="test_file_group_owner_grub_conf" />
+ <criterion test_ref="test_file_group_owner_efi_grub_conf" />
</criteria>
</definition>
@@ -17,11 +19,21 @@
<unix:state state_ref="state_file_group_owner_grub_conf" />
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_group_owner_efi_grub_conf" version="1">
<unix:object object_ref="object_file_group_owner_efi_grub_conf" />
<unix:state state_ref="state_file_group_owner_grub_conf" />
</unix:file_test>
<unix:file_object comment="/boot/grub/grub.conf" id="object_file_group_owner_grub_conf" version="1">
unix:path/boot/grub</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_group_owner_efi_grub_conf" version="1">
unix:path/boot/efi/EFI/redhat</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
<unix:file_state id="state_file_group_owner_grub_conf" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
diff --git a/RHEL6/input/checks/file_user_owner_grub_conf.xml b/RHEL6/input/checks/file_user_owner_grub_conf.xml
index 53d5e2f..290d883 100644
--- a/RHEL6/input/checks/file_user_owner_grub_conf.xml
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml
@@ -1,14 +1,16 @@
<def-group>
<definition class="compliance" id="file_user_owner_grub_conf" version="1">
<metadata>
- <title>File /boot/grub/grub.conf Owned By root User</title>
+ <title>File grub.conf Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The /boot/grub/grub.conf file should be owned by the root user.</description>
+ <description>The grub.conf file should be owned by the root user.</description>
+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />
</metadata>
- <criteria>
+ <criteria operator="OR">
<criterion test_ref="test_file_user_owner_grub_conf" />
+ <criterion test_ref="test_file_user_owner_efi_grub_conf" />
</criteria>
</definition>
@@ -17,11 +19,21 @@
<unix:state state_ref="state_file_user_owner_grub_conf" />
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_user_owner_efi_grub_conf" version="1">
<unix:object object_ref="object_file_user_owner_efi_grub_conf" />
<unix:state state_ref="state_file_user_owner_grub_conf" />
</unix:file_test>
<unix:file_object comment="/boot/grub/grub.conf" id="object_file_user_owner_grub_conf" version="1">
unix:path/boot/grub</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_user_owner_efi_grub_conf" version="1">
unix:path/boot/efi/EFI/redhat</unix:path>
unix:filenamegrub.conf</unix:filename>
</unix:file_object>
<unix:file_state id="state_file_user_owner_grub_conf" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
On 9/10/13 12:55 PM, Maura Dailey wrote:
No one's ACKED/NACKED these. Also, Shawn committed a patch that tries to template these checks, but templated checks won't work unless the system is guaranteed not to be using EFI or unless the template can handle two alternate file locations.
They only handle one.... I'd say just take grub out of templates & replace with your (superior) editions.
On 8/30/13 2:54 PM, Maura Dailey wrote:
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_group_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
Please convert to filepath
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml @@ -1,14 +1,16 @@
<def-group> <definition class="compliance" id="file_user_owner_grub_conf" version="1"> <metadata> - <title>File /boot/grub/grub.conf Owned By root User</title> + <title>File grub.conf Owned By root User</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The /boot/grub/grub.conf file should be owned by the root user.</description> + <description>The grub.conf file should be owned by the root user.</description>
This may sound silly, but we shouldn't assume ISSE/ISSMs know where grub.conf is. This should be modified akin to "While the standard location for grub.conf is /boot/grub.conf, on EFI systems, check /boot/efi/EFI/redhat/grub.conf"
<reference source="MED" ref_id="20130830" ref_url="test_attestation" />
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_user_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
filepath vs filename
On 09/10/2013 01:51 PM, Shawn Wells wrote:
On 8/30/13 2:54 PM, Maura Dailey wrote:
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_group_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
Please convert to filepath
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml @@ -1,14 +1,16 @@
<def-group> <definition class="compliance" id="file_user_owner_grub_conf" version="1"> <metadata> - <title>File /boot/grub/grub.conf Owned By root User</title> + <title>File grub.conf Owned By root User</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The /boot/grub/grub.conf file should be owned by the root user.</description> + <description>The grub.conf file should be owned by the root user.</description>
This may sound silly, but we shouldn't assume ISSE/ISSMs know where grub.conf is. This should be modified akin to "While the standard location for grub.conf is /boot/grub.conf, on EFI systems, check /boot/efi/EFI/redhat/grub.conf"
Hmm... Maybe something like "The grub.conf file should be owned by the root user. By default, this file is located at /boot/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf"?
<reference source="MED" ref_id="20130830"
ref_url="test_attestation" />
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_user_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
filepath vs filename
On 09/10/2013 02:09 PM, Maura Dailey wrote:
On 09/10/2013 01:51 PM, Shawn Wells wrote:
On 8/30/13 2:54 PM, Maura Dailey wrote:
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_group_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
Please convert to filepath
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml @@ -1,14 +1,16 @@
<def-group> <definition class="compliance" id="file_user_owner_grub_conf" version="1"> <metadata> - <title>File /boot/grub/grub.conf Owned By root User</title> + <title>File grub.conf Owned By root User</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The /boot/grub/grub.conf file should be owned by the root user.</description> + <description>The grub.conf file should be owned by the root user.</description>
This may sound silly, but we shouldn't assume ISSE/ISSMs know where grub.conf is. This should be modified akin to "While the standard location for grub.conf is /boot/grub.conf, on EFI systems, check /boot/efi/EFI/redhat/grub.conf"
Hmm... Maybe something like "The grub.conf file should be owned by the root user. By default, this file is located at /boot/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf"?
Sorry, /boot/grub/grub.conf.
<reference source="MED" ref_id="20130830"
ref_url="test_attestation" />
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_user_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
filepath vs filename
On 9/10/13 2:10 PM, Maura Dailey wrote:
On 09/10/2013 02:09 PM, Maura Dailey wrote:
On 09/10/2013 01:51 PM, Shawn Wells wrote:
On 8/30/13 2:54 PM, Maura Dailey wrote:
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_group_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
Please convert to filepath
+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml @@ -1,14 +1,16 @@
<def-group> <definition class="compliance" id="file_user_owner_grub_conf" version="1"> <metadata> - <title>File /boot/grub/grub.conf Owned By root User</title> + <title>File grub.conf Owned By root User</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The /boot/grub/grub.conf file should be owned by the root user.</description> + <description>The grub.conf file should be owned by the root user.</description>
This may sound silly, but we shouldn't assume ISSE/ISSMs know where grub.conf is. This should be modified akin to "While the standard location for grub.conf is /boot/grub.conf, on EFI systems, check /boot/efi/EFI/redhat/grub.conf"
Hmm... Maybe something like "The grub.conf file should be owned by the root user. By default, this file is located at /boot/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf"?
Sorry, /boot/grub/grub.conf.
Much better. Could you make the changes & resubmit for an ack?
<reference source="MED" ref_id="20130830"
ref_url="test_attestation" />
- <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf"
id="object_file_user_owner_efi_grub_conf" version="1">
- unix:path/boot/efi/EFI/redhat</unix:path>
- unix:filenamegrub.conf</unix:filename>
- </unix:file_object>
filepath vs filename
How's this?
I haven't submitted a check for the file permissions check yet, because I need to discuss the fact that EFI's grub.conf is going to be 700, not 600. A side effect of VFAT, I suppose.
- Maura Dailey
||Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil|| ||---|| || RHEL6/input/checks/file_group_owner_grub_conf.xml | 20 +++++++++++++++-----|| || RHEL6/input/checks/file_user_owner_grub_conf.xml | 20 +++++++++++++++-----|| || 2 files changed, 30 insertions(+), 10 deletions(-)|| || ||diff --git a/RHEL6/input/checks/file_group_owner_grub_conf.xml b/RHEL6/input/checks/file_group_owner_grub_conf.xml|| ||index 3fc076a..6d54f69 100644|| ||--- a/RHEL6/input/checks/file_group_owner_grub_conf.xml|| ||+++ b/RHEL6/input/checks/file_group_owner_grub_conf.xml|| ||@@ -1,14 +1,16 @@|| || <def-group>|| || <definition class="compliance" id="file_group_owner_grub_conf" version="1">|| || <metadata>|| ||- <title>File /boot/grub/grub.conf Owned By root Group </title>|| ||+ <title>File grub.conf Owned By root Group </title>|| || <affected family="unix">|| || <platform>Red Hat Enterprise Linux 6</platform>|| || </affected>|| ||- <description>The /boot/grub/grub.conf file should be owned by the root group.</description>|| ||+ <description>The grub.conf file should be owned by the root group. 
By default, this file is located at /boot/grub/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf</description>|| ||+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />|| || </metadata>|| ||- <criteria>|| ||+ <criteria operator="OR">|| || <criterion test_ref="test_file_group_owner_grub_conf" />|| ||+ <criterion test_ref="test_file_group_owner_efi_grub_conf" />|| || </criteria>|| || </definition>|| |||| ||@@ -17,9 +19,17 @@|| || <unix:state state_ref="state_file_group_owner_grub_conf" />|| || </unix:file_test>|| |||| ||+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_group_owner_efi_grub_conf" version="1">|| ||+ <unix:object object_ref="object_file_group_owner_efi_grub_conf" />|| ||+ <unix:state state_ref="state_file_group_owner_grub_conf" />|| ||+ </unix:file_test>|| ||+|| || <unix:file_object comment="/boot/grub/grub.conf" id="object_file_group_owner_grub_conf" version="1">|| ||- unix:path/boot/grub</unix:path>|| ||- unix:filenamegrub.conf</unix:filename>|| ||+ unix:filepath/boot/grub/grub.conf</unix:filepath>|| ||+ </unix:file_object>|| ||+|| ||+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_group_owner_efi_grub_conf" version="1">|| ||+ unix:filepath/boot/efi/EFI/redhat/grub.conf</unix:filepath>|| || </unix:file_object>|| |||| || <unix:file_state id="state_file_group_owner_grub_conf" version="1">|| ||diff --git a/RHEL6/input/checks/file_user_owner_grub_conf.xml b/RHEL6/input/checks/file_user_owner_grub_conf.xml|| ||index 53d5e2f..0a3df12 100644|| ||--- a/RHEL6/input/checks/file_user_owner_grub_conf.xml|| ||+++ b/RHEL6/input/checks/file_user_owner_grub_conf.xml|| ||@@ -1,14 +1,16 @@|| || <def-group>|| || <definition class="compliance" id="file_user_owner_grub_conf" version="1">|| || <metadata>|| ||- <title>File /boot/grub/grub.conf Owned By root User</title>|| ||+ <title>File grub.conf Owned By root User</title>|| || 
<affected family="unix">|| || <platform>Red Hat Enterprise Linux 6</platform>|| || </affected>|| ||- <description>The /boot/grub/grub.conf file should be owned by the root user.</description>|| ||+ <description>The grub.conf file should be owned by the root user. By default, this file is located at /boot/grub/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf</description>|| ||+ <reference source="MED" ref_id="20130830" ref_url="test_attestation" />|| || </metadata>|| ||- <criteria>|| ||+ <criteria operator="OR">|| || <criterion test_ref="test_file_user_owner_grub_conf" />|| ||+ <criterion test_ref="test_file_user_owner_efi_grub_conf" />|| || </criteria>|| || </definition>|| |||| ||@@ -17,9 +19,17 @@|| || <unix:state state_ref="state_file_user_owner_grub_conf" />|| || </unix:file_test>|| |||| ||+ <unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.conf owned by root" id="test_file_user_owner_efi_grub_conf" version="1">|| ||+ <unix:object object_ref="object_file_user_owner_efi_grub_conf" />|| ||+ <unix:state state_ref="state_file_user_owner_grub_conf" />|| ||+ </unix:file_test>|| ||+|| || <unix:file_object comment="/boot/grub/grub.conf" id="object_file_user_owner_grub_conf" version="1">|| ||- unix:path/boot/grub</unix:path>|| ||- unix:filenamegrub.conf</unix:filename>|| ||+ unix:filepath/boot/grub/grub.conf</unix:filepath>|| ||+ </unix:file_object>|| ||+|| ||+ <unix:file_object comment="/boot/efi/EFI/redhat/grub.conf" id="object_file_user_owner_efi_grub_conf" version="1">|| ||+ unix:filepath/boot/efi/EFI/redhat/grub.conf</unix:filepath>|| || </unix:file_object>|| |||| || <unix:file_state id="state_file_user_owner_grub_conf" version="1">|| ||-- || ||1.7.1|| |