#######################################################
#
# Create a group-writable (0620) policy file and check that cf-agent does
# not reject it with the "writable by others (security exception)" error
#
#######################################################
body common control
{
# Test-harness boilerplate: pull in the shared defaults and hand control to
# this file's default bundle sequence (defined in default.cf.sub; presumably
# init -> test -> check, as the bundles below are named).
      version => "1.0";
      inputs => { "../../default.cf.sub" };
      bundlesequence => { default("$(this.promise_filename)") };
}
bundle common g
{
vars:
# Body of the throwaway policy file that init writes to $(G.testfile) and
# that test runs through a second cf-agent. It only emits two report lines,
# so any "security exception" text in the agent's output must come from
# cf-agent itself refusing the file, not from the policy.
"policy_file" string => '
body common control
{
bundlesequence => { "test" };
}
bundle agent test
{
reports:
"Dorothy: How do you talk if you don\'t have a brain?";
"Scarecrow: Well, some people without brains do an awful lot of talking don\'t they?";
}';
}
#######################################################
bundle agent init
{
  files:
      # Write the throwaway policy from g.policy_file and give it mode 0620:
      # owner read/write, group write-only, no access for others. The point of
      # the test is to see how cf-agent treats a group-writable policy file.
      "$(G.testfile)"
        perms => m("620"),
        create => "true",
        edit_defaults => empty,
        edit_line => insert_lines("$(g.policy_file)");
}
#######################################################
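bundle agent test
{
  vars:
      # Run a second cf-agent against the throwaway policy. "noshell" execs
      # $(sys.cf_agent) directly, so the command line never goes through /bin/sh.
      "agent_output"
        string => execresult("$(sys.cf_agent) -f $(G.testfile)", "noshell"),
        if => fileexists("$(G.testfile)");

  classes:
      # regcmp() must match the whole string, so the pattern has to span the
      # agent's multi-line output: (?s) lets '.' cross newlines. It also keys
      # only on the stable part of the message -- the previous pattern's
      # unescaped "(security exception)" was a regex group matching the bare
      # words, not the literal parenthesised text, so it could fail to match
      # and turn a real refusal into a false pass (ok is !security_exception).
      # NOTE(review): if $(G.testfile) is missing, agent_output is never set,
      # this class is never defined, and the test still reports Pass.
      "security_exception"
        expression => regcmp("(?s).*is writable by others.*", "$(agent_output)"),
        comment => "It's a security risk to evaluate policy that is writeable by users other than the owner";
}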
#######################################################
bundle agent check
{
  classes:
      # The test passes only when the second cf-agent did NOT raise the
      # "writable by others" security exception for the group-writable file.
      "ok" not => "security_exception";

  reports:
    ok::
      "$(this.promise_filename) Pass";
    !ok::
      "$(this.promise_filename) FAIL";
}