File: shared.xml

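<def-group>
  <definition class="compliance" id="{{{ rule_id }}}" version="1">
    {{{- oval_metadata("This test makes sure that /usr/bin/sudo is owned by the group set in var_sudo_dedicated_group", rule_title=rule_title) }}}
    <!-- Both criteria must hold: the dedicated group must appear exactly once in
         /etc/group, and the GID owning /usr/bin/sudo must be that group's GID.
         A check of only "GID != 0" would accept ownership by any non-root group,
         which is not what the rule title and metadata promise. -->
    <criteria operator="AND">
      <criterion comment="Check if dedicated group exists" test_ref="test_dedicated_group_exists" />
      <criterion comment="Check file group ownership of /usr/bin/sudo" test_ref="test_sudo_owned_by_dedicated_group" />
    </criteria>
  </definition>

  <!-- all_exist: /usr/bin/sudo must be present; a missing binary is a fail, not a pass. -->
  <unix:file_test check="all" check_existence="all_exist" comment="Check /usr/bin/sudo is owned by group defined in var_sudo_dedicated_group" id="test_sudo_owned_by_dedicated_group" version="1">
    <unix:object object_ref="object_sudo_file" />
    <unix:state state_ref="state_sudo_file_gid_is_dedicated_group_gid" />
  </unix:file_test>
  <unix:file_object comment="Fetch /usr/bin/sudo" id="object_sudo_file" version="1">
    <unix:filepath>/usr/bin/sudo</unix:filepath>
  </unix:file_object>

  <!-- The owning GID of /usr/bin/sudo must equal the GID resolved from /etc/group
       for var_sudo_dedicated_group. var_check="all" is stated explicitly; the
       variable holds exactly one value because test_dedicated_group_exists
       requires only_one_exists. -->
  <unix:file_state id="state_sudo_file_gid_is_dedicated_group_gid" version="1">
    <unix:group_id datatype="int" operation="equals" var_ref="var_sudo_dedicated_group_gid" var_check="all" />
  </unix:file_state>

  <!-- GID captured by the (\d+) subexpression of sudo_dedicated_group_regex_for_gid
       when it is matched against /etc/group. -->
  <local_variable id="var_sudo_dedicated_group_gid" datatype="int"
      comment="GID of the group named in var_sudo_dedicated_group, read from /etc/group" version="1">
    <object_component item_field="subexpression" object_ref="sudo_dedicated_group_gid" />
  </local_variable>

  <!-- only_one_exists: zero matches means the group is absent; more than one
       means a duplicate /etc/group entry, which leaves the GID ambiguous. -->
  <ind:textfilecontent54_test id="test_dedicated_group_exists"
      comment="Check if dedicated group is listed in /etc/group" check="all"
      check_existence="only_one_exists" version="1">
    <ind:object object_ref="sudo_dedicated_group_gid" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="sudo_dedicated_group_gid"
      comment="Grab GID of group set in var_sudo_dedicated_group" version="1">
    <ind:filepath operation="equals">/etc/group</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="sudo_dedicated_group_regex_for_gid" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <local_variable id="sudo_dedicated_group_regex_for_gid" datatype="string"
      comment="Build the regex for the group ID based on the variable" version="1">
    <concat>
      <literal_component>^</literal_component>
      <!-- The group name is data, not a pattern: escape it so a name containing
           regex metacharacters (e.g. '.') cannot match unintended group entries. -->
      <escape_regex>
        <variable_component var_ref="var_sudo_dedicated_group"/>
      </escape_regex>
      <!-- This assumes that the group uses gshadow for passwords -->
      <literal_component>:x:(\d+):.*$</literal_component>
    </concat>
  </local_variable>

  <!-- Group name (not GID) supplied by the profile/tailoring. -->
  <external_variable comment="Name of sudo dedicated group" datatype="string" id="var_sudo_dedicated_group" version="1" />

</def-group>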