From: Frank Caviggia fcaviggi@ra.iad.redhat.com
*** BLURB HERE ***
Frank Caviggia (1): Added checks for 'hard' or '-' for checks in /etc/security/limits.conf
RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml | 2 +-
RHEL6/input/checks/disable_users_coredumps.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
From: Frank Caviggia fcaviggi@ra.iad.redhat.com
Signed-off-by: Frank Caviggia fcaviggi@ra.iad.redhat.com
---
RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml | 2 +-
RHEL6/input/checks/disable_users_coredumps.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml index cb2e859..a3658ff 100644 --- a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml +++ b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml @@ -21,7 +21,7 @@
<ind:textfilecontent54_object id="object_etc_security_limits_conf_maxlogins" version="1"> ind:filepath/etc/security/limits.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]**[\s]+hard[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]**[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
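Review bot: `(hard|-)` is a capturing group, so the numeric limit captured by `(\d+)` moves from subexpression 1 to subexpression 2, while the state that compares against `max_concurrent_login_sessions_value` (`state_maxlogins`, quoted later in this thread) still evaluates the first subexpression and would be handed "hard" or "-" instead of an integer. Use a non-capturing group, `(?:hard|-)`, so that `(\d+)` stays the only capture and the `less than or equal` integer comparison keeps working. Separately, `<ind:instance datatype="int">1</ind:instance>` means only the first matching line is judged; now that both the `hard` and `-` spellings match, a file containing one of each is evaluated on whichever appears first, which is worth stating in the check's description.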
diff --git a/RHEL6/input/checks/disable_users_coredumps.xml b/RHEL6/input/checks/disable_users_coredumps.xml index d8491cd..ad217a7 100644 --- a/RHEL6/input/checks/disable_users_coredumps.xml +++ b/RHEL6/input/checks/disable_users_coredumps.xml @@ -14,7 +14,7 @@ </criteria> </definition> <ind:textfilecontent54_test check="all" - comment="Tests the value of the ^[\s]**[\s]+hard[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" + comment="Tests the value of the ^[\s]**[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" id="test_core_dumps_limitsconf" version="1"> <ind:object object_ref="object_core_dumps_limitsconf" /> <ind:state state_ref="state_core_dumps_limitsconf" />
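Review bot: this hunk changes only the `comment` attribute of `test_core_dumps_limitsconf`; the `<ind:pattern>` of `object_core_dumps_limitsconf`, which is what actually matches the line, is not touched, and the diffstat confirms a single changed line in this file. After the patch the comment claims the test accepts `(hard|-)` while the object it references still uses whatever pattern it had before. Either update the object's pattern in the same patch (as `(?:hard|-)`, for the same capturing-group reason as in the maxlogins object, since `([\d]+)` is the value being compared) or leave the comment as it was so it does not describe behaviour the check does not have.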
On 9/30/13 1:09 PM, Frank Caviggia wrote:
From: Frank Caviggia fcaviggi@ra.iad.redhat.com
Signed-off-by: Frank Caviggia fcaviggi@ra.iad.redhat.com
RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml | 2 +-
RHEL6/input/checks/disable_users_coredumps.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml index cb2e859..a3658ff 100644 --- a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml +++ b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml @@ -21,7 +21,7 @@
<ind:textfilecontent54_object id="object_etc_security_limits_conf_maxlogins" version="1"> <ind:filepath>/etc/security/limits.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]**[\s]+hard[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]**[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL6/input/checks/disable_users_coredumps.xml b/RHEL6/input/checks/disable_users_coredumps.xml index d8491cd..ad217a7 100644 --- a/RHEL6/input/checks/disable_users_coredumps.xml +++ b/RHEL6/input/checks/disable_users_coredumps.xml @@ -14,7 +14,7 @@ </criteria> </definition> <ind:textfilecontent54_test check="all"
- comment="Tests the value of the ^[\s]**[\s]+hard[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file"
- comment="Tests the value of the ^[\s]**[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" id="test_core_dumps_limitsconf" version="1"> <ind:object object_ref="object_core_dumps_limitsconf" /> <ind:state state_ref="state_core_dumps_limitsconf" />
-- 1.8.3.1
Ack! Tested locally w/testcheck -- good call w/ensuring we support both methods!
Is this object being used in a test that does a comparison on the numerical value? The parentheses around the \d+ in the previous version suggest that it is. Since the new parentheses create a second subexpression, that could interfere with the evaluation of the intended subexpression. There are a few ways around this, but unless the value of hard|- is needed somewhere, the cleanest way would be to make that a non-capturing group.
Shane Shaffer
G2, Inc.
shane.shaffer@g2-inc.com
On Mon, Sep 30, 2013 at 1:14 PM, Shawn Wells shawn@redhat.com wrote:
Ack! Tested locally w/testcheck -- good call w/ensuring we support both methods!
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 9/30/13 2:16 PM, Shane Shaffer wrote:
Is this object being used in a test that does a comparison on the numerical value? The parentheses around the \d+ in the previous version suggest that it is. Since the new parentheses create a second subexpression, that could interfere with the evaluation of the intended subexpression. There are a few ways around this, but unless the value of hard|- is needed somewhere, the cleanest way would be to make that a non-capturing group.
The full OVAL is here: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/c...
The important bits:
<ind:textfilecontent54_object id="object_etc_security_limits_conf_maxlogins" version="1">
  <ind:filepath>/etc/security/limits.conf</ind:filepath>
  <ind:pattern operation="pattern match">^[\s]*\*[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_maxlogins" version="1">
  <ind:subexpression operation="less than or equal" var_ref="max_concurrent_login_sessions_value" datatype="int" />
</ind:textfilecontent54_state>
So then, you're right. The new parentheses act as a capture group. Oddly, things still check out when doing a testcheck!
I can't find the OVAL 5.10 spec with this info; however, reference the (now antiquated) 5.6 spec, specifically the "extensions": http://oval.mitre.org/language/about/re_support_5.6.html
I believe the pattern match should be updated to:
^[\s]*\*[\s]+(?:hard|-)[\s]+maxlogins[\s]+(\d+)\s*$
(note the "?:")
Frank, could you bugfix this?
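As an added illustration of the capturing-group problem Shane raises and of the `(?:hard|-)` fix Shawn proposes, the script below is example code written for this page; it is not part of scap-security-guide and not from anyone's post. It runs the pre-patch pattern, the submitted pattern and the non-capturing variant over a constructed limits.conf sample and models, with Python's `re`, what an OVAL textfilecontent54 state would receive as subexpression 1. Assumptions: the literal domain wildcard is matched by `\*`, the sample file contents are invented, and `evaluate_maxlogins` is a simplified stand-in for the interpreter's `less than or equal` integer comparison, not a real OVAL engine.

```python
import re

# Constructed sample of /etc/security/limits.conf lines (not taken from the thread).
SAMPLE_LIMITS_CONF = """\
# /etc/security/limits.conf
*               hard    maxlogins       10
*               -       maxlogins       8
*               soft    maxlogins       20
@wheel          hard    maxlogins       5
*               hard    core            0
"""

# Pattern before the patch: only the 'hard' spelling; group 1 is the numeric value.
PATTERN_BEFORE = r"^[\s]*\*[\s]+hard[\s]+maxlogins[\s]+(\d+)\s*$"
# Pattern as submitted: (hard|-) is a capturing group, so the number becomes group 2.
PATTERN_PATCH = r"^[\s]*\*[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$"
# Pattern proposed in the thread: a non-capturing group keeps the number in group 1.
PATTERN_FIXED = r"^[\s]*\*[\s]+(?:hard|-)[\s]+maxlogins[\s]+(\d+)\s*$"


def first_subexpressions(pattern, text):
    """Return group 1 of every matching line, in file order.

    This models what a textfilecontent54_object exposes as the first
    subexpression for a textfilecontent54_state to compare against.
    """
    regex = re.compile(pattern, re.MULTILINE)
    return [m.group(1) for m in regex.finditer(text)]


def evaluate_maxlogins(pattern, text, limit, instance=1):
    """Model the state check: subexpression 1 of the instance-th match <= limit.

    Returns (status, captured). status is 'pass' or 'fail' for a numeric
    capture, 'error' when the capture is not an integer (what a capturing
    (hard|-) group hands the comparison), or 'not_found' when no line matched.
    """
    subs = first_subexpressions(pattern, text)
    if len(subs) < instance:
        return ("not_found", None)
    captured = subs[instance - 1]
    if not captured.isdigit():
        return ("error", captured)
    return ("pass" if int(captured) <= limit else "fail", captured)


if __name__ == "__main__":
    for name, pattern in (("before", PATTERN_BEFORE),
                          ("patch", PATTERN_PATCH),
                          ("fixed", PATTERN_FIXED)):
        print(name, first_subexpressions(pattern, SAMPLE_LIMITS_CONF),
              evaluate_maxlogins(pattern, SAMPLE_LIMITS_CONF, 10))
```

With the capturing `(hard|-)`, subexpression 1 is "hard" rather than "10", so the integer comparison has nothing numeric to work with; the model reports that as `error`. A real interpreter may handle the mismatch differently (the thread notes that testcheck still passed), which is why the non-capturing form is the safer change: it leaves the state's view of the data exactly as it was before the patch.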