From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-681970-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 516FB1387FD
	for <garchives@archives.gentoo.org>; Sun, 30 Mar 2014 20:08:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3C3EDE09F0;
	Sun, 30 Mar 2014 20:08:40 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 9F862E09F0
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 20:08:39 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 726C533FC0C
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 20:08:38 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by spoonbill.gentoo.org (Postfix) with ESMTP id B66A1188F3
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 20:08:36 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1396209991.15f31c8d487f24d0d6971801531ebfc9e06161ec.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/SCAP/gentoo-oval.xml xml/SCAP/gentoo-xccdf.xml
X-VCS-Directories: xml/SCAP/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 15f31c8d487f24d0d6971801531ebfc9e06161ec
X-VCS-Branch: master
Date: Sun, 30 Mar 2014 20:08:36 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 26f75d9c-6949-474f-947a-dd31aef7684f
X-Archives-Hash: a951f5c0434a80e37c00b4a1256abcef

commit:     15f31c8d487f24d0d6971801531ebfc9e06161ec
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 20:06:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 20:06:31 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=15f31c8d

Add test for world writable directories

---
 xml/SCAP/gentoo-oval.xml  | 101 ++++++++++++++++++++++++++++++++++++++++++++++
 xml/SCAP/gentoo-xccdf.xml |  29 ++++++++++++-
 2 files changed, 128 insertions(+), 2 deletions(-)

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index f873701..427e5c1 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -581,6 +581,37 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:35" version="1" class="compliance">
+    <metadata>
+      <title>/etc/lilo.conf has a password set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        If /etc/lilo.conf exists, then it must have a password set.
+      </description>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="/etc/lilo.conf does not exist" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="/etc/lilo.conf has a password set" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:36" version="1" class="compliance">
+    <metadata>
+      <title>All world writable directories have the sticky bit set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        All world writable directories must have the sticky bit set.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="All world writable directories have the sticky bit set" />
+    </criteria>
+  </definition>
+
 </definitions>
 
 <tests>
@@ -879,6 +910,7 @@
     version="1" check="at least one" check_existence="at_least_one_exists">
     <!-- The /boot/grub/grub.conf file content -->
     <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+    <!-- A "password - -md5 somevalue" match -->
     <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
   </ind-def:textfilecontent54_test>
 
@@ -889,6 +921,31 @@
     <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
   </unix-def:file_test>
 
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:38"
+    version="1" check="all" check_existence="none_exist"
+    comment="/etc/lilo.conf does not exist">
+    <!-- The /etc/lilo.conf file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+  </unix-def:file_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39"
+    comment="lilo.conf has a password set"
+    version="1" check="at least one" check_existence="at_least_one_exists">
+    <!-- The /etc/lilo.conf content -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+    <!-- A password=somevalue match -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:40"
+    comment="All world writable directories have the sticky bit set"
+    version="1" check="all" check_existence="all_exist">
+    <!-- All world writable directories -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+    <!-- sticky bit is set -->
+    <unix-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+  </unix-def:file_test>
+
 </tests>
 
 <objects>
@@ -1031,6 +1088,35 @@
     <unix-def:filepath>/boot/grub</unix-def:filepath>
   </unix-def:file_object>
 
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:25"
+    version="1" comment="The /etc/lilo.conf file">
+    <unix-def:filepath>/etc/lilo.conf</unix-def:filepath>
+  </unix-def:file_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26"
+    version="1" comment="The /etc/lilo.conf content">
+    <ind-def:filepath>/etc/lilo.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:27"
+    version="1" comment="All world writable directories">
+    <set set_operator="UNION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <!-- All local directories -->
+      <object_reference>oval:org.gentoo.dev.swift:obj:28</object_reference>
+      <!-- filter out just those with the world-writable bit set -->
+      <filter action="exclude">oval:org.gentoo.dev.swift:ste:18</filter> <!-- exclude is default but this is more readable -->
+    </set>
+  </unix-def:file_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:28"
+    version="1" comment="All local directories">
+    <unix-def:behaviors recurse_direction="down" recurse_file_system="local" recurse="directories"/>
+    <unix-def:path>/</unix-def:path>
+    <unix-def:filename xsi:nil="true"/>
+  </unix-def:file_object>
+
 </objects>
 
 <states>
@@ -1110,6 +1196,21 @@
     <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
   </ind-def:textfilecontent54_state>
 
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16"
+    version="1" comment="Has a password=... entry">
+    <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password=[\S]+</ind-def:subexpression>
+  </ind-def:textfilecontent54_state>
+
+  <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:17"
+    version="1" comment="The sticky bit is set">
+    <unix-def:sticky datatype="boolean">1</unix-def:sticky>
+  </unix-def:file_state>
+
+  <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:18"
+    version="1" comment="Not world writable">
+    <unix-def:owrite datatype="boolean">0</unix-def:owrite>
+  </unix-def:file_state>
+
 </states>
 
 <variables>

diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 732bde3..aa85c1e 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -20,6 +20,8 @@
       large impact on the performance of a server. Tests include scripted
       validationn.
     </description>
+    <!-- Make sure all world-writable directories have the sticky bit set -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Intensive validation profile (non-scripted)</title>
@@ -30,6 +32,8 @@
       large impact on the performance of a server. Tests do not include
       scripted validation.
     </description>
+    <!-- Make sure all world-writable directories have the sticky bit set -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings (non-scripted)</title>
@@ -103,8 +107,10 @@
     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
     <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
-    <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+    <!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
+    <!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings</title>
@@ -1516,7 +1522,7 @@ grub&gt; <h:b>quit</h:b></h:pre>
 	  </h:p>
         </description>
         <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
-	  <title>Grub legacy has a password entry with md5 hash</title>
+	  <title>Grub legacy (if it exists) has a password entry with md5 hash</title>
 	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
 	    Edit /boot/grub/grub.conf and set a password entry with md5 hash
 	  </fixtext>
@@ -1557,6 +1563,15 @@ image=/boot/bzImage
            Rerun <h:code>lilo</h:code> after updating the configuration file.
 	   </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
+	  <title>LILO (if it exists) has a password entry</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
+	    Edit /etc/lilo.conf and set a password entry
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
       </Group>
     </Group>
     <Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
@@ -1782,6 +1797,16 @@ session  required pam_unix.so</h:pre>
           world writable privilege is not accessible anyhow).
 	  </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
+	  <title>All world writable directories have the sticky bit set</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
+	    Make sure all world-writable directories have the sticky bit set
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
+
       </Group>
       <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
         <title>Limit setuid and setgid file and directory usage</title>