Comparison of SCAP-Security-Guide XCCDF and OVAL XML to EasySCAP YAML version
<definition class="compliance" id="oval:ssg:def:671" version="1">
  <metadata>
    <title>Verify /etc/passwd Permissions</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 6</platform>
    </affected>
    <description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644. If
    the target file or directory has an extended ACL then it will fail the mode check.</description>
    <reference source="swells" ref_id="20130831" ref_url="test_attestation"/>
    <reference source="ssg" ref_id="file_permissions_etc_passwd"/>
  </metadata>
  <criteria>
    <criterion test_ref="oval:ssg:tst:672"/>
  </criteria>
</definition>
<Rule id="file_permissions_etc_passwd" selected="false" severity="medium">
  <title xml:lang="en-US">Verify Permissions on passwd File</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
    To properly set the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command:
    <xhtml:pre xml:space="preserve"># chmod 0644 /etc/passwd</xhtml:pre>
  </description>
  <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
  <reference href="http://iase.disa.mil/cci/index.html">225</reference>
  <reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation">
    <dc:contributor>DS</dc:contributor>
    <dc:date>20121026</dc:date>
  </reference>
  <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the <xhtml:code>/etc/passwd</xhtml:code> file is writable by a group-owner or the
    world the risk of its compromise is increased. The file contains the list of
    accounts on the system and associated information, and protection of this file
    is critical for system security.</rationale>
  <ident system="http://cce.mitre.org">CCE-26868-0</ident>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref name="oval:ssg:def:671" href="ssg-rhel6-oval.xml"/>
  </check>
  <check system="ocil-transitional">
    <check-export export-name="it does not" value-id="conditional_clause"/>
    <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
      To check the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command:
      <xhtml:pre>$ ls -l /etc/passwd</xhtml:pre>
      If properly configured, the output should indicate the following permissions:
      <xhtml:code>-rw-r--r--</xhtml:code>
    </check-content>
  </check>
</Rule>
id: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
severity: medium
title: Verify Permissions on passwd File
description: |
  `/etc/passwd`, run the command:
  ~~~~ {xml:space="preserve"}
  # chmod 0644/etc/passwd
  ~~~~
rationale: |
  `/etc/passwd` file is writable by a group-owner or the world the risk of
  its compromise is increased. The file contains the list of accounts on
  the system and associated information, and protection of this file is
  critical for system security.
references:
- href: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
  value: AC-6
- href: http://iase.disa.mil/cci/index.html
  value: '225'
- href: test_attestation
  dc:contributor: DS
  dc:date: '20121026'
crosswalk:
- system: http://cce.mitre.org
  value: CCE-26868-0
tests:
- type: '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}file_test'
  check: all
  check_existence: all_exist
  object:
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}filepath': /etc/passwd
  state:
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}suid':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}sgid':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}sticky':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}uexec':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}gwrite':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}gexec':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}owrite':
      datatype: boolean
      value: 'false'
    '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}oexec':
      datatype: boolean
      value: 'false'
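The YAML `tests` entry above is the EasySCAP rendering of the OVAL `unix-def` `file_test`/`file_state` pair behind `oval:ssg:def:671`. The following Python is an added illustration, not code from the gist, EasySCAP or SCAP-Security-Guide: it evaluates that state against a file's `st_mode` the way an OVAL `file_state` with boolean mode attributes is evaluated, including the `check_existence: all_exist` rule that a missing file is a failure. Note that the page's state only asserts bits that must be clear; it never asserts ownership 0/0 or that the read bits are set, so a file with mode 0600 satisfies it even though the OVAL description talks about 0644 (the test below makes that visible).

```python
import os
import stat

# OVAL unix-def file_state boolean attributes and the st_mode bit each one tests.
# The YAML above uses the first eight; uread/uwrite/gread/oread are listed too
# so the same evaluator can handle a stricter state.
OVAL_MODE_BITS = {
    "suid": stat.S_ISUID, "sgid": stat.S_ISGID, "sticky": stat.S_ISVTX,
    "uread": stat.S_IRUSR, "uwrite": stat.S_IWUSR, "uexec": stat.S_IXUSR,
    "gread": stat.S_IRGRP, "gwrite": stat.S_IWGRP, "gexec": stat.S_IXGRP,
    "oread": stat.S_IROTH, "owrite": stat.S_IWOTH, "oexec": stat.S_IXOTH,
}

# The state from the EasySCAP YAML above, with the namespace prefix stripped
# and the quoted 'false' strings turned into booleans.
ETC_PASSWD_STATE = {
    "suid": False, "sgid": False, "sticky": False, "uexec": False,
    "gwrite": False, "gexec": False, "owrite": False, "oexec": False,
}


def evaluate_mode(st_mode, state=ETC_PASSWD_STATE):
    """Return the state attributes that st_mode violates (empty list = pass).

    st_mode is the raw os.stat().st_mode value, i.e. file type bits included.
    """
    return [name for name, expected in state.items()
            if bool(st_mode & OVAL_MODE_BITS[name]) != expected]


def check_file(path, state=ETC_PASSWD_STATE):
    """Evaluate one file like the page's file_test: all_exist, check all."""
    try:
        st_mode = os.stat(path).st_mode
    except FileNotFoundError:
        # check_existence: all_exist -- an absent object fails the test
        return {"result": "fail", "violations": ["file does not exist"]}
    failed = evaluate_mode(st_mode, state)
    return {"result": "pass" if not failed else "fail",
            "mode": oct(stat.S_IMODE(st_mode)),
            "violations": failed}


if __name__ == "__main__":
    print(check_file("/etc/passwd"))
```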