-
Notifications
You must be signed in to change notification settings - Fork 686
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add new rule dir_perms_world_writable_system_owned_group.
Change old STIG reference ID from dir_perms_world_writable_system_owned because this rule actually checks for UID and not the GID as it was expected.
- Loading branch information
Showing
5 changed files
with
77 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
22 changes: 22 additions & 0 deletions
22
...uide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="dir_perms_world_writable_system_owned_group" version="1"> | ||
| {{{ oval_metadata("All world writable directories should be group owned by a system user.") }}} | ||
| <criteria comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" negate="true"> | ||
| <criterion comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_gid_gt_value" /> | ||
| </criteria> | ||
| </definition> | ||
| <unix:file_test check="all" comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_gid_gt_value" version="1"> | ||
| <unix:object object_ref="all_local_directories_gid" /> | ||
| <unix:state state_ref="state_gid_is_user_and_world_writable" /> | ||
| </unix:file_test> | ||
| <unix:file_object comment="all local directories" id="all_local_directories_gid" version="1"> | ||
| <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" /> | ||
| <unix:path operation="equals">/</unix:path> | ||
| <unix:filename xsi:nil="true" /> | ||
| <filter action="include">state_gid_is_user_and_world_writable</filter> | ||
| </unix:file_object> | ||
| <unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1"> | ||
| <unix:group_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:group_id> | ||
| <unix:owrite datatype="boolean">true</unix:owrite> | ||
| </unix:file_state> | ||
| </def-group> |
45 changes: 45 additions & 0 deletions
45
linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 | ||
|
|
||
| title: 'Ensure All World-Writable Directories Are Group Owned by a System Account' | ||
|
|
||
| description: |- | ||
| All directories in local partitions which are | ||
| world-writable should be group owned by root or another | ||
| system account. If any world-writable directories are not | ||
| group owned by a system account, this should be investigated. | ||
| Following this, the files should be deleted or assigned to an | ||
| appropriate group. | ||
| rationale: |- | ||
| Allowing a user account to group own a world-writable directory is | ||
| undesirable because it allows the owner of that directory to remove | ||
| or replace any files that may be placed in the directory by other | ||
| users. | ||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhel7: CCE-80136-5 | ||
|
|
||
| references: | ||
| stigid@ol7: OL07-00-021030 | ||
| disa: CCI-000366 | ||
| nist: CM-6(a),AC-6(1) | ||
| nist-csf: PR.AC-4,PR.DS-5 | ||
| srg: SRG-OS-000480-GPOS-00227 | ||
| stigid@rhel7: RHEL-07-021030 | ||
| isa-62443-2013: 'SR 2.1,SR 5.2' | ||
| isa-62443-2009: 4.3.3.7.3 | ||
| cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 | ||
| iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 | ||
| cis-csc: 12,13,14,15,16,18,3,5 | ||
|
|
||
| ocil_clause: 'there is output' | ||
|
|
||
| ocil: |- | ||
| The following command will discover and print world-writable directories that | ||
| are not group owned by a system account, given the assumption that only system | ||
| accounts have a gid lower than 500. Run it once for each local partition <i>PART</i>: | ||
| <pre>$ sudo find <i>PART</i> -xdev -type d -perm -0002 -gid +499 -print</pre> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters