[Open-scap] Need help understanding RHEL STIG findings

Snyder, Chris Chris_Snyder at sra.com
Wed Jan 30 21:57:40 UTC 2013


In V1R2 def:70 does point at tst:7000, but the test doesn't point to obj:7701, it points to obj:7001.  

As I said before, I'm just getting started with all of this, but if I'm reading this right, it sure looks like it's finding all non-0 UID users and then comparing that list to 'root' (control state).  If that's the case then the operation in ste:7001 should probably be "equal" rather than "not equal".  

Anybody disagree with this assessment?  Should I file a bug on this?

 <unix-def:password_test id="oval:mil.disa.fso.rhel:tst:7000" version="1" check="all" check_existence="any_exist" comment="all UID 0s are root">
      <unix-def:object object_ref="oval:mil.disa.fso.rhel:obj:7001" />
      <unix-def:state state_ref="oval:mil.disa.fso.rhel:ste:7000" />
 </unix-def:password_test>

    <unix-def:password_state id="oval:mil.disa.fso.rhel:ste:7000" version="1" comment="root">
      <unix-def:username>root</unix-def:username>
    </unix-def:password_state>

    <unix-def:password_object id="oval:mil.disa.fso.rhel:obj:7001" version="1" comment="uid 0 and not root">
      <set>
        <object_reference>oval:mil.disa.fso.rhel:obj:7000</object_reference>
        <filter>oval:mil.disa.fso.rhel:ste:7001</filter>
      </set>
    </unix-def:password_object>

    <unix-def:password_object id="oval:mil.disa.fso.rhel:obj:7000" version="1" comment="all users">
      <unix-def:username operation="pattern match" datatype="string">.*</unix-def:username>
    </unix-def:password_object>

    <unix-def:password_state id="oval:mil.disa.fso.rhel:ste:7001" version="1" comment="uid not 0">
      <unix-def:user_id operation="not equal">0</unix-def:user_id>
    </unix-def:password_state>

-----Original Message-----
From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-bounces at redhat.com] On Behalf Of Brian Millett
Sent: Wednesday, January 30, 2013 12:28 PM
To: open-scap-list at redhat.com
Subject: Re: [Open-scap] Need help understanding RHEL STIG findings


The check is being done by def:70 in the STIG_Benchmark-oval.xml, so that following the references in the xml file,

def:70->tst:7000->obj:7701

    <unix-def:file_object id="oval:mil.disa.fso.rhel:obj:7701" version="1" comment="root exec search path directories">
      <unix-def:path var_check="at least one" var_ref="oval:mil.disa.fso.rhel:var:7700" datatype="string" />
      <unix-def:filename datatype="string" xsi:nil="true" />
    </unix-def:file_object>

Which leads you off into root path directories, or into a big WHAT??

So yeah, the oval is messed up.

But that is my observation, and I'm no expert.

Looking forward to the answer to the problem.
-- 
Brian Millett
"Oh, that's cute. A zombie with a gas attack."
           -- [ Garibaldi, "Knives"]
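
Added example, not part of the original thread: a small Python evaluator for the set/filter construct quoted above, run against constructed passwd data to show which accounts obj:7001 collects and when tst:7000 passes. It assumes OVAL's default filter action (items matching the filter state are excluded from the set), drops the unix-def: prefixes, and handles only the operations that appear in the quoted XML; the names `evaluate`, `collect` and `matches` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

P = "oval:mil.disa.fso.rhel:"
# Objects and states quoted in the thread; unix-def: prefixes and comments dropped.
OVAL = f"""<oval>
 <password_state id="{P}ste:7000"><username>root</username></password_state>
 <password_object id="{P}obj:7001"><set>
   <object_reference>{P}obj:7000</object_reference>
   <filter>{P}ste:7001</filter></set></password_object>
 <password_object id="{P}obj:7000">
   <username operation="pattern match">.*</username></password_object>
 <password_state id="{P}ste:7001">
   <user_id operation="not equal">0</user_id></password_state>
</oval>"""
BY_ID = {e.get("id"): e for e in ET.fromstring(OVAL)}
COLUMN = {"username": 0, "user_id": 2}  # field positions in an /etc/passwd line

def matches(item, entities):
    """True when a passwd item satisfies every entity of an object or state."""
    for ent in entities:
        have, want = item[COLUMN[ent.tag]], ent.text
        op = ent.get("operation", "equals")
        if op == "pattern match":
            ok = re.search(want, have) is not None
        else:
            ok = (have == want) != (op == "not equal")
        if not ok:
            return False
    return True

def collect(obj_id, items):
    """Resolve an object; a <set> filter (assumed action: exclude) drops matches."""
    obj = BY_ID[obj_id]
    s = obj.find("set")
    if s is None:
        return [i for i in items if matches(i, obj)]
    base = collect(s.findtext("object_reference"), items)
    return [i for i in base if not matches(i, BY_ID[s.findtext("filter")])]

def evaluate(passwd_text):
    """tst:7000 with check="all": every collected item must match ste:7000."""
    items = [line.split(":") for line in passwd_text.splitlines() if line]
    found = collect(P + "obj:7001", items)
    passed = all(matches(i, BY_ID[P + "ste:7000"]) for i in found)
    return [i[0] for i in found], passed

# Constructed sample passwd data, not taken from the thread.
CLEAN = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
EXTRA_UID0 = CLEAN + "toor:x:0:0:second uid 0 account:/root:/bin/bash\n"
```

`evaluate()` returns the usernames collected by obj:7001 and the test result, so the effect of the filter can be checked separately from the state comparison.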
