Hi,
I am having an issue with the OVAL test file_permissions_ungroupowned in CentOS 5. I believe it is a bug in the oscap version that is available in CentOS 5 (kind of old, v1.0.8).
Here is the procedure I am doing:
1. Download and build scap-security-guide for RHEL5 on my Fedora 23 machine; then copy the output to my CentOS 5 testing server:
wget https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz -O scap-security-guide-0.1.29.tar.gz
tar -zxf scap-security-guide-0.1.29.tar.gz
make -C scap-security-guide-0.1.29/RHEL/5 dist
scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
Now, on the CentOS 5 testing server, create a tailoring file to run the file_permissions_ungroupowned test alone:
cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
<?xml version="1.0" encoding="UTF-8"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_ssg-centos5_tailoring_xccdf">
  <version time="2016-06-14T19:50:57">1</version>
  <Profile id="xccdf_my_profile_stig-centos5-upstream_tailored">
    <title>CentOS 5 [TAILORED]</title>
    <select idref="file_permissions_ungroupowned" selected="true"/>
  </Profile>
</Tailoring>
EOF
Create a file without corresponding group in /etc/group:
touch /an_unowned_group_file
chgrp 4567 /an_unowned_group_file
find / -nogroup 2>/dev/null
/an_unowned_group_file          <-- Check that it is found
Finally run oscap:
oscap xccdf eval \
    --tailoring-file ssg-centos5-xccdf-tailoring.xml \
    --profile xccdf_my_profile_stig-centos5-upstream_tailored \
    --cpe content/ssg-rhel5-cpe-dictionary.xml \
    content/ssg-centos5-xccdf.xml
... and output is:
Title   Ensure All Files Are Owned by a Group
Rule    file_permissions_ungroupowned
Ident   GEN001170
Result  pass
I would expect the test to fail, since there is at least one file without an existing group.
I took a look at the OVAL definition scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroupowned.xml but I do not see anything wrong.
Do you have any idea why this test is passing when it should fail?
Regards
-- Rodolfo Martínez
Here is the relevant part of the file_permissions_ungroupowned OVAL test:
<unix:file_object comment="all local files" id="file_permissions_ungroupowned_object" version="1">
  <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
  <unix:path operation="equals">/</unix:path>
  <unix:filename operation="pattern match">.*</unix:filename>
  <filter action="exclude">file_permissions_ungroupowned_list_match</filter>
</unix:file_object>
If I create an 'aaa' file in /tmp and change its GID to a group that does not exist in /etc/group, the test should fail, but it passes.
If I change the file name pattern match from '.*' to 'a.*' or change the path to /tmp, the test fails correctly.
Is there any limitation in the amount of files that oscap can process?
Thanks
-- Rodolfo Martínez
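The object quoted above says what oscap is supposed to collect: everything below "/" on local filesystems, minus whatever the exclude filter drops. The following script is an added example (it is not code from this thread, from scap-security-guide or from OpenSCAP) that performs that same walk independently of oscap, so its list can be compared with what oscap reports. The EXCLUDES list stands in for the filter file_permissions_ungroupowned_list_match, whose real contents are not shown here, and "local filesystem" is approximated by never descending into a directory whose st_dev differs from the start directory (the same rule as find -xdev); both are assumptions. Only syntax accepted by the Python 2.4 that ships with CentOS 5 is used, so it can run on the test box.

```python
"""Reference walk for the file_permissions_ungroupowned file_object.

Added example; not code from the thread, scap-security-guide or OpenSCAP.
It mirrors the behaviors on the quoted object (recurse="directories" down
from "/" with no depth limit, local filesystems only) so the result can be
compared with what oscap collects.

Assumptions, not taken from the thread:
  * the exclude filter file_permissions_ungroupowned_list_match is
    approximated by the EXCLUDES list below;
  * recurse_file_system="local" is approximated by never descending into a
    directory whose st_dev differs from the start directory (find -xdev).
Only syntax accepted by the Python 2.4 shipped with CentOS 5 is used.
"""
import grp
import os
import shutil
import stat
import tempfile

# Placeholder for the object's exclude filter (assumption, not the real list).
EXCLUDES = ["/proc", "/sys", "/dev", "/selinux"]


def known_gids():
    """GIDs that resolve in the group database; any other GID is 'ungroupowned'."""
    return set([g.gr_gid for g in grp.getgrall()])


def ungrouped_files(root, gids=None, excludes=EXCLUDES, same_fs=True):
    """Walk `root` like the OVAL object and return (scanned, ungrouped).

    scanned   - number of directories, files and symlinks examined
    ungrouped - the paths among them whose owning GID is not in `gids`
    Entries are lstat'ed, so symlinks are checked but never followed, and an
    entry that vanishes or cannot be stat'ed is skipped instead of aborting
    the whole walk."""
    if gids is None:
        gids = known_gids()
    root_dev = os.lstat(root).st_dev
    scanned = 0
    ungrouped = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        keep = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                entries.append(full)        # check the link itself, do not descend
                continue
            if full in excludes or (same_fs and st.st_dev != root_dev):
                continue                    # filtered out or on another filesystem
            keep.append(d)
        dirnames[:] = keep                  # prune in place so os.walk obeys it
        for full in entries:
            try:
                st = os.lstat(full)
            except OSError:
                continue
            scanned += 1
            if st.st_gid not in gids:
                ungrouped.append(full)
    return scanned, ungrouped


def demo():
    """Run the walk over a throwaway tree (constructed fixture, no root needed):
    with an empty GID set every entry must be reported, with the GIDs that are
    actually present none must be.  Returns the four counts."""
    root = tempfile.mkdtemp()
    try:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        for p in (os.path.join(root, "a"), os.path.join(sub, "b")):
            open(p, "w").close()
        scanned, everything = ungrouped_files(root, gids=set())
        present = set([os.lstat(p).st_gid for p in everything])
        scanned_again, nothing = ungrouped_files(root, gids=present)
    finally:
        shutil.rmtree(root)
    return scanned, len(everything), scanned_again, len(nothing)


if __name__ == "__main__":
    import sys
    start = len(sys.argv) > 1 and sys.argv[1] or "/"
    count, bad = ungrouped_files(start)
    print("%d entries scanned, %d without a group in /etc/group" % (count, len(bad)))
    for path in bad:
        print(path)
```

Run it as root with no argument to walk "/" the way the object does, or with "/tmp" to reproduce the narrowed case from the message above; the scanned count also gives a concrete number to put against the question of how many files oscap has to process, and a test file that shows up here but not in oscap's result points at the collector rather than at the OVAL definition.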
On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Martínez <rmtzcx@gmail.com> wrote:
On 6/15/16 2:09 PM, Rodolfo Martínez wrote:
Hi Rodolfo,
Thanks for reporting this! I've updated the RHEL5 content to use the updated file_permissions_ungroupowned check: https://github.com/OpenSCAP/scap-security-guide/pull/1296
That should get merged in the next few days pending peer review. If you could test the PR and verify this works for you, that'd be great!
Shawn
On Fri, Jun 17, 2016 at 12:47 PM, Shawn Wells <shawn@redhat.com> wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah... https://github.com/OpenSCAP/scap-security-guide/
Hi Shawn,
I think the problem is not with the OVAL definition; the shared and RHEL5 versions are practically the same. I think the issue is in oscap. Below is the test of the PR. It is still not working correctly.
# touch /tmp/ungroupedowned_file
# chgrp 4567 /tmp/ungroupedowned_file
# find / -nogroup 2>/dev/null
/tmp/ungroupedowned_file          <== Confirmation that it is an ungrouped owned file
# oscap xccdf eval \
    --tailoring-file ssg-centos5-xccdf-tailoring.xml \
    --profile xccdf_my_profile_stig-centos5-upstream_tailored \
    --cpe content/ssg-rhel5-cpe-dictionary.xml \
    content/ssg-centos5-xccdf.xml
Title   Ensure All Files Are Owned by a Group
Rule    file_permissions_ungroupowned
Ident   GEN001170
Result  pass            <== It should fail
The same OVAL definition works fine on RHEL/CentOS 6 and 7 with openscap-1.2.x.
-- Rodolfo Martínez
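The XCCDF "pass" line above hides the question that decides where the bug is: did oscap collect the test file and then evaluate it wrongly, or never collect it at all? The OVAL results document answers that. The script below is an added example (not code from this thread, from scap-security-guide or from OpenSCAP) that reads such a document, finds the collected object whose id contains a given fragment, and reports its collection flag, any collector messages, and the path and GID of every item it produced; it then re-applies the "GID not in the group database" check to those items itself. A flag of "complete" with the test file missing from the items means the collector dropped it; "incomplete" or "error" comes with messages explaining why; "does not exist" means nothing matched at all. SAMPLE_RESULTS is a constructed, minimal document with placeholder ids, not output from Rodolfo's CentOS 5 box, and the substring match on the object id is an assumption about how the build renames the source id file_permissions_ungroupowned_object. The script needs Python 2.7 or later for ElementTree's iter(), so run it on the Fedora machine rather than on CentOS 5.

```python
"""Inspect what oscap actually collected for the ungroupowned object.

Added example; not code from the thread, scap-security-guide or OpenSCAP.
Reads an OVAL results document (what `oscap oval eval --results FILE`
writes, or what `oscap xccdf eval --oval-results` writes into the current
directory as <oval-file>.result.xml) and, for the collected object whose id
contains a given fragment, reports the flag, the collector messages and the
path/GID of every collected item, then re-applies the GID check itself.

SAMPLE_RESULTS is a constructed, minimal document with placeholder ids; it
is not output from Rodolfo's box.  Needs Python 2.7+ (ElementTree iter()).
"""
import grp
import xml.etree.ElementTree as ET

NS_SC = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
NS_UNIX = NS_SC + "#unix"

# Constructed sample: two collected items, one of them the file from the
# message above with the non-existent GID 4567.  Ids are placeholders.
SAMPLE_RESULTS = """\
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
              xmlns:unix-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix">
  <results>
    <system>
      <oval-sc:oval_system_characteristics>
        <oval-sc:collected_objects>
          <oval-sc:object id="oval:example-file_permissions_ungroupowned_object:obj:1"
                          version="1" flag="complete">
            <oval-sc:message level="info">constructed sample message</oval-sc:message>
            <oval-sc:reference item_ref="1"/>
            <oval-sc:reference item_ref="2"/>
          </oval-sc:object>
        </oval-sc:collected_objects>
        <oval-sc:system_data>
          <unix-sc:file_item id="1" status="exists">
            <unix-sc:filepath>/etc/passwd</unix-sc:filepath>
            <unix-sc:group_id datatype="int">0</unix-sc:group_id>
          </unix-sc:file_item>
          <unix-sc:file_item id="2" status="exists">
            <unix-sc:filepath>/tmp/ungroupedowned_file</unix-sc:filepath>
            <unix-sc:group_id datatype="int">4567</unix-sc:group_id>
          </unix-sc:file_item>
        </oval-sc:system_data>
      </oval-sc:oval_system_characteristics>
    </system>
  </results>
</oval_results>
"""


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def object_status(results_xml, id_fragment):
    """Describe the first collected object whose id contains id_fragment.
    Returns None when no such object appears in collected_objects at all,
    i.e. the object was never evaluated."""
    root = ET.fromstring(results_xml)
    for obj in root.iter(_tag(NS_SC, "object")):
        if id_fragment not in (obj.get("id") or ""):
            continue
        refs = [r.get("item_ref") for r in obj.findall(_tag(NS_SC, "reference"))]
        msgs = [(m.get("level"), m.text) for m in obj.findall(_tag(NS_SC, "message"))]
        items = {}
        for it in root.iter(_tag(NS_UNIX, "file_item")):
            if it.get("id") in refs:
                items[it.get("id")] = (it.findtext(_tag(NS_UNIX, "filepath")),
                                       it.findtext(_tag(NS_UNIX, "group_id")))
        return {"id": obj.get("id"), "flag": obj.get("flag"),
                "item_count": len(refs), "messages": msgs, "items": items}
    return None


def items_with_unknown_gid(status, gids=None):
    """Re-evaluate the state on the collected items: paths whose GID does not
    resolve in the group database (the local one unless `gids` is given)."""
    if gids is None:
        gids = set([g.gr_gid for g in grp.getgrall()])
    return sorted(path for path, gid in status["items"].values()
                  if gid is not None and int(gid) not in gids)


if __name__ == "__main__":
    import sys
    data = len(sys.argv) > 1 and open(sys.argv[1]).read() or SAMPLE_RESULTS
    status = object_status(data, "file_permissions_ungroupowned_object")
    if status is None:
        print("object not found in collected_objects")
    else:
        print("%s flag=%s items=%d" % (status["id"], status["flag"], status["item_count"]))
        for level, text in status["messages"]:
            print("  message[%s]: %s" % (level, text))
        for path in items_with_unknown_gid(status):
            print("  unresolved group: %s" % path)
```

To get a real results file on the CentOS 5 box, add --oval-results to the oscap xccdf eval command above (the OVAL results land in the current directory), or evaluate the OVAL content directly with oscap oval eval --results ungroup.xml content/ssg-rhel5-oval.xml (that file name is assumed from the other ssg-rhel5-* files in the dist directory), then copy the file to the Fedora machine and pass it as the script's first argument.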