File: oval.template

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (64 lines) | stat: -rw-r--r-- 3,193 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
<def-group>
  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
  {{% if FILEPATH is not string %}}
    {{{ oval_metadata("This test makes sure that " + FILEPATH|join(", ") + " has mode " + FILEMODE + ".
      If the target file or directory has an extended ACL, then it will fail the mode check.
      ") }}}
    <criteria>
  {{% for filepath in FILEPATH %}}
      <criterion comment="Check file mode of {{{ filepath }}}" test_ref="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}"/>
  {{% endfor %}}
  {{% else %}}
    {{{ oval_metadata("This test makes sure that " +  FILEPATH + " has mode " + FILEMODE + ".
      If the target file or directory has an extended ACL, then it will fail the mode check.
      ") }}}
    <criteria>
      <criterion comment="Check file mode of {{{ FILEPATH }}}" test_ref="test_file_permissions{{{ FILEID }}}"/>
  {{% endif %}}
    </criteria>
  </definition>

  {{% for filepath in FILEPATH %}}
  <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of {{{ filepath }}}" id="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="3">
    <unix:object object_ref="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" />
  </unix:file_test>

  <unix:file_object comment="{{{ filepath }}}" id="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
    {{%- if IS_DIRECTORY %}}
      {{%- if RECURSIVE %}}
      <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
      {{%- endif %}}
      <unix:path>{{{ filepath[:-1] }}}</unix:path>
      {{%- if FILE_REGEX %}}
      <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
      {{%- if EXCLUDED_FILES %}}
      {{%- for excluded_file in EXCLUDED_FILES %}}
      <filter action="exclude">exclude_files_{{{ FILEID }}}_{{{ loop.index0 }}}</filter>
      {{%- endfor %}}
      {{%- endif %}}
      {{%- else %}}
      <unix:filename xsi:nil="true" />
      {{%- endif %}}
    {{%- else %}}
      <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
    {{%- endif %}}
      <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
      <filter action="exclude">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ FILEMODE }}}{{{ 'or_stricter_' if ALLOW_STRICTER_PERMISSIONS }}}</filter>
  </unix:file_object>

  <unix:file_state id="state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ FILEMODE }}}{{{ 'or_stricter_' if ALLOW_STRICTER_PERMISSIONS }}}" operator="AND" version="3">
      {{{ STATEMODE | indent(6) }}}
  </unix:file_state>
  {{% endfor %}}

  <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
    <unix:type operation="equals">symbolic link</unix:type>
  </unix:file_state>
  {{%- if EXCLUDED_FILES %}}
  {{%- for excluded_file in EXCLUDED_FILES %}}
  <unix:file_state id="exclude_files_{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
    <unix:filename operation="pattern match">^{{{ excluded_file|replace("*", ".*") }}}$</unix:filename>
  </unix:file_state>
  {{%- endfor %}}
  {{%- endif %}}
</def-group>