1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
{{% set system_configuration_using_etc_bashrc_expected = false -%}}
{{% if product in ["ol7"] -%}}
{{% set system_configuration_using_etc_bashrc_expected = true %}}
{{%- endif -%}}
<def-group>
<definition class="compliance" id="accounts_tmout" version="4">
{{{ oval_metadata("Checks interactive shell timeout", rule_title=rule_title) }}}
<criteria operator="AND">
{{% if "ubuntu" in product %}}
<criterion comment="TMOUT value in /etc/bash.bashrc <= var_accounts_tmout" test_ref="test_etc_bashrc_tmout" />
{{% endif %}}
<criterion comment="TMOUT value in /etc/profile <= var_accounts_tmout" test_ref="test_etc_profile_tmout" />
<criterion comment="TMOUT value in /etc/profile.d/*.sh <= var_accounts_tmout" test_ref="test_etc_profiled_tmout" />
<criterion comment="At least one config file has TMOUT defined" test_ref="test_accounts_tmout_defined" />
{{% if system_configuration_using_etc_bashrc_expected %}}
<criterion comment="TMOUT value in /etc/bashrc <= var_accounts_tmout" test_ref="test_etc_bashrc_tmout" />
{{% endif %}}
<criterion comment="All configured TMOUT values must be >= 1" test_ref="test_accounts_tmout_lower_bound" />
</criteria>
</definition>
{{% macro test_tmout(test_stem, files) %}}
<ind:textfilecontent54_test check="all" check_existence="any_exist" comment="TMOUT in {{{ files }}}" id="test_{{{ test_stem }}}" version="2">
<ind:object object_ref="object_{{{ test_stem }}}" />
<ind:state state_ref="state_etc_profile_tmout" />
</ind:textfilecontent54_test>
{{% endmacro %}}
{{% macro object_tmout(test_stem, path, filename, filepath) %}}
<ind:textfilecontent54_object id="object_{{{ test_stem }}}" version="3">
{{% if path %}}
<ind:path>{{{ path }}}</ind:path>
{{% endif %}}
{{% if filename %}}
<ind:filename operation="pattern match">{{{ filename }}}</ind:filename>
{{% endif %}}
{{% if filepath %}}
<ind:filepath>{{{ filepath }}}</ind:filepath>
{{% endif %}}
{{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or "ubuntu" in product %}}
<ind:pattern operation="pattern match">^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$</ind:pattern>
{{% else %}}
<ind:pattern operation="pattern match">^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$</ind:pattern>
{{% endif %}}
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endmacro %}}
{{% if 'ubuntu' in product %}}
{{{ test_tmout( test_stem="etc_bashrc_tmout", files="/etc/bash.bashrc") }}}
{{{ object_tmout(test_stem="etc_bashrc_tmout", filepath="/etc/bash.bashrc") }}}
{{% endif %}}
{{{ test_tmout( test_stem="etc_profile_tmout", files="/etc/profile") }}}
{{{ object_tmout(test_stem="etc_profile_tmout", filepath="/etc/profile") }}}
{{{ test_tmout( test_stem="etc_profiled_tmout", files="/etc/profile.d/*.sh") }}}
{{{ object_tmout(test_stem="etc_profiled_tmout", path="/etc/profile.d", filename="^.*\.sh$") }}}
{{% if system_configuration_using_etc_bashrc_expected %}}
{{{ test_tmout( test_stem="etc_bashrc_tmout", files="/etc/bashrc") }}}
{{{ object_tmout(test_stem="etc_bashrc_tmout", filepath="/etc/bashrc") }}}
{{% endif %}}
{{% if system_configuration_using_etc_bashrc_expected %}}
<ind:textfilecontent54_object id="object_accounts_tmout_all_tmout_instances" version="1">
<set>
<object_reference>object_etc_bashrc_tmout</object_reference>
<object_reference>object_accounts_tmout_partial_tmout_instances</object_reference>
</set>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_accounts_tmout_partial_tmout_instances" version="1">
<set>
<object_reference>object_etc_profile_tmout</object_reference>
<object_reference>object_etc_profiled_tmout</object_reference>
</set>
</ind:textfilecontent54_object>
{{% else %}}
<ind:textfilecontent54_object id="object_accounts_tmout_all_tmout_instances" version="1">
<set>
<object_reference>object_etc_profile_tmout</object_reference>
<object_reference>object_etc_profiled_tmout</object_reference>
</set>
</ind:textfilecontent54_object>
{{% endif %}}
<local_variable id="variable_count_of_tmout_instances" comment="Count of TMOUT instances" datatype="int" version="1">
<count>
<object_component object_ref="object_accounts_tmout_all_tmout_instances" item_field="text" />
</count>
</local_variable>
<ind:variable_test check="all" check_existence="all_exist" id="test_accounts_tmout_defined" comment="Check that at least one TMOUT is defined" version="1">
<ind:object object_ref="object_accounts_tmout_defined" />
<ind:state state_ref="state_accounts_tmout_defined" />
</ind:variable_test>
<ind:variable_object id="object_accounts_tmout_defined" version="1">
<ind:var_ref>variable_count_of_tmout_instances</ind:var_ref>
</ind:variable_object>
<ind:variable_state id="state_accounts_tmout_defined" version="1">
<ind:value operation="greater than or equal" datatype="int">1</ind:value>
</ind:variable_state>
<ind:textfilecontent54_state id="state_etc_profile_tmout" version="2">
<ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="var_accounts_tmout" />
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="state_etc_profile_tmout_lower_bound" version="1">
<ind:subexpression datatype="int" operation="greater than or equal">1</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_test check="all" check_existence="any_exist" comment="All TMOUT values must be greater than or equal to 1" id="test_accounts_tmout_lower_bound" version="1">
<ind:object object_ref="object_accounts_tmout_all_tmout_instances" />
<ind:state state_ref="state_etc_profile_tmout_lower_bound" />
</ind:textfilecontent54_test>
<external_variable comment="external variable for TMOUT" datatype="int" id="var_accounts_tmout" version="1" />
</def-group>
|
