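<def-group>
  <!-- Template: %MOUNTOPTION% is replaced by the mount option under test (e.g. nodev)
       when the template is instantiated. The definition holds when the removable
       partition named by 'var_removable_partition' is absent, or when it carries the
       '%MOUNTOPTION%' option both in /etc/fstab and in the running system; a CD / DVD
       drive is matched under all of its alternative device names. -->
  <definition class="compliance" id="mount_option_%MOUNTOPTION%_removable_partitions" version="4">
    <metadata>
      <title>Add %MOUNTOPTION% Option to Removable Media Partitions</title>
      <affected family="unix">
        <platform>multi_platform_rhel</platform>
        <platform>multi_platform_fedora</platform>
        <platform>multi_platform_wrlinux</platform>
      </affected>
      <description>The %MOUNTOPTION% option should be enabled for all removable devices mounts in /etc/fstab.</description>
    </metadata>
    <criteria operator="OR">
      <!-- First check whether the specified removable partition really exists on the system. If not, skip the
           /etc/fstab & runtime checks since there is no device to check against -->
      <extend_definition comment="Check if removable partition really exists on the system"
      definition_ref="removable_partition_doesnt_exist" />
      <!-- The removable device exists. If it is a CD / DVD drive, verify that its alternative names in
           /etc/fstab & the runtime configuration are configured with the '%MOUNTOPTION%' option -->
      <criteria operator="AND">
        <extend_definition comment="Check if removable partition value represents CD/DVD drive"
        definition_ref="var_removable_partition_is_cd_dvd_drive" />
        <criteria operator="OR">
          <criteria operator="AND">
            <criterion test_ref="test_%MOUNTOPTION%_etc_fstab_cd_dvd_drive"
            comment="Check if at least one from CD/DVD drive alternative names is using '%MOUNTOPTION%' mount option in /etc/fstab" />
            <criterion test_ref="test_%MOUNTOPTION%_runtime_cd_dvd_drive"
            comment="Check if at least one from CD/DVD drive alternative names is using '%MOUNTOPTION%' mount option in runtime configuration" />
          </criteria>
          <!-- A CD / DVD drive that is not listed in /etc/fstab at all is acceptable as well -->
          <extend_definition definition_ref="no_cd_dvd_drive_in_etc_fstab"
          comment="Check if CD/DVD drive is not configured to automount in /etc/fstab" />
        </criteria>
      </criteria>
      <!-- The removable device exists & is not a CD / DVD drive. Check that this particular device is configured
           with the '%MOUNTOPTION%' mount option in both /etc/fstab & the runtime configuration -->
      <criteria operator="AND">
        <criterion test_ref="test_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive"
        comment="Check if removable partition is using '%MOUNTOPTION%' mount option in /etc/fstab" />
        <criterion test_ref="test_%MOUNTOPTION%_runtime_not_cd_dvd_drive"
        comment="Check if removable partition is using '%MOUNTOPTION%' mount option in runtime configuration" />
      </criteria>
    </criteria>
  </definition>

  <!-- If the specified removable partition represents a CD / DVD drive, provide a variable
       holding the alternative names of the CD / DVD block special device as created by udev -->
  <constant_variable id="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
    <value>/dev/cdrom</value>
    <value>/dev/dvd</value>
    <value>/dev/scd0</value>
    <value>/dev/sr0</value>
  </constant_variable>

  <!-- For each of the CD / DVD drive alternative names build the regular expression used by the
       textfilecontent54_object below. Assumed /etc/fstab line layout (whitespace separated):
         device  mount_point  fs_type  mount_options  dump  pass
       NOTE(review): the pattern requires both trailing numeric fields and a mount point made only of
       '/' and word characters; an fstab line written otherwise (omitted dump/pass fields, a '-' or '.'
       in the mount point) is not matched, so the test collects no item and the definition reports a
       failure rather than a pass for such a line -->
  <local_variable id="variable_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
    <concat>
      <literal_component>^[\s]*</literal_component>
      <variable_component var_ref="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" />
      <!-- Capture the mount options field (4-th column of /etc/fstab) -->
      <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
    </concat>
  </local_variable>

  <!-- If the specified removable partition represents a CD / DVD drive, use all of its alternative
       names to check /etc/fstab & the runtime settings. check="all": every fstab entry found for one
       of those names must carry the option -->
  <ind:textfilecontent54_test id="test_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" check_existence="any_exist" check="all" comment="'%MOUNTOPTION%' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
    <ind:object object_ref="object_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" />
    <ind:state state_ref="state_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="object_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" version="1">
    <ind:filepath>/etc/fstab</ind:filepath>
    <ind:pattern operation="pattern match" datatype="string" var_ref="variable_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" var_check="at least one" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" version="2">
    <!-- The subexpression is the captured mount_options field, a comma separated list. Match
         '%MOUNTOPTION%' only as a whole list entry. The previous pattern '^.*,?%MOUNTOPTION%,?.*$'
         reduced to a plain substring match because both ',?' are optional, so an option whose name is
         contained in another option (e.g. 'ro' inside 'errors=remount-ro') was reported as set -->
    <ind:subexpression operation="pattern match" datatype="string">^(.*,)?%MOUNTOPTION%(,.*)?$</ind:subexpression>
  </ind:textfilecontent54_state>

  <linux:partition_test id="test_%MOUNTOPTION%_runtime_cd_dvd_drive" check="all" comment="'%MOUNTOPTION%' mount option used for at least one CD / DVD drive alternative names in runtime configuration" version="1">
    <linux:object object_ref="object_%MOUNTOPTION%_runtime_cd_dvd_drive" />
  </linux:partition_test>

  <linux:partition_object id="object_%MOUNTOPTION%_runtime_cd_dvd_drive" version="1">
    <!-- A CD / DVD drive can be mounted under any mount point and its exact name is not known
         ahead => capture all mount points & keep only the relevant ones via the corresponding state -->
    <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
    <!-- From all the captured mount points keep only those whose device is one of the
         CD / DVD drive alternative names and which at the same time have the
         '%MOUNTOPTION%' mount option set -->
    <filter action="include">state_%MOUNTOPTION%_runtime_cd_dvd_drive</filter>
  </linux:partition_object>

  <linux:partition_state id="state_%MOUNTOPTION%_runtime_cd_dvd_drive" version="1">
    <linux:device datatype="string" operation="equals" var_ref="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" var_check="at least one" />
    <!-- mount_options is a multi-valued entity here, so 'equals' compares whole option names -->
    <linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
  </linux:partition_state>

  <!-- The specified removable partition exists & does not represent a CD / DVD drive.
       Check that it is configured with the '%MOUNTOPTION%' mount option in both /etc/fstab & the runtime configuration -->
  <ind:textfilecontent54_test id="test_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with '%MOUNTOPTION%' mount option in /etc/fstab" version="1">
    <ind:object object_ref="object_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" />
    <ind:state state_ref="state_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" />
  </ind:textfilecontent54_test>

  <!-- Build the regular expression for the device, used by the textfilecontent54_object below.
       Same line layout and the same NOTE(review) about omitted dump/pass fields or unusual mount
       point characters as for the CD / DVD pattern above apply here -->
  <local_variable id="variable_not_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
    <concat>
      <literal_component>^[\s]*</literal_component>
      <variable_component var_ref="var_removable_partition" />
      <!-- Capture the mount options field (4-th column of /etc/fstab) -->
      <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
    </concat>
  </local_variable>

  <ind:textfilecontent54_object id="object_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" version="1">
    <ind:filepath>/etc/fstab</ind:filepath>
    <ind:pattern operation="pattern match" datatype="string" var_ref="variable_not_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" var_check="at least one" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" version="2">
    <!-- Same whole-entry match as in the CD / DVD state above; the previous pattern
         '^.*,?%MOUNTOPTION%,?.*' was also missing the trailing anchor that its sibling had -->
    <ind:subexpression operation="pattern match" datatype="string">^(.*,)?%MOUNTOPTION%(,.*)?$</ind:subexpression>
  </ind:textfilecontent54_state>

  <linux:partition_test id="test_%MOUNTOPTION%_runtime_not_cd_dvd_drive" check="all" check_existence="all_exist" comment="'%MOUNTOPTION%' mount option used for removable partition in runtime configuration" version="1">
    <linux:object object_ref="object_%MOUNTOPTION%_runtime_not_cd_dvd_drive" />
  </linux:partition_test>

  <linux:partition_object id="object_%MOUNTOPTION%_runtime_not_cd_dvd_drive" version="1">
    <!-- The removable partition can be mounted under any mount point and its exact name is not
         known ahead => capture all mount points & keep only the relevant ones via the state -->
    <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
    <!-- From all the captured mount points keep only those whose device equals the
         'var_removable_partition' variable value and which at the same time have the
         '%MOUNTOPTION%' mount option set -->
    <filter action="include">state_%MOUNTOPTION%_runtime_not_cd_dvd_drive</filter>
  </linux:partition_object>

  <linux:partition_state id="state_%MOUNTOPTION%_runtime_not_cd_dvd_drive" version="1">
    <linux:device datatype="string" operation="equals" var_ref="var_removable_partition" var_check="at least one" />
    <!-- mount_options is a multi-valued entity here, so 'equals' compares whole option names -->
    <linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
  </linux:partition_state>

  <!-- Device path of the removable partition under test, supplied by the consuming benchmark -->
  <external_variable comment="removable partition" datatype="string" id="var_removable_partition" version="1" />

</def-group>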