-
Notifications
You must be signed in to change notification settings - Fork 696
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Refactor OVAL in no_files_unowned_by_user
Adopted the create_local_mount_points_list macro. Improved the OVAL readability.
- Loading branch information
1 parent
57c541e
commit 1269df0
Showing
1 changed file
with
35 additions
and
20 deletions.
There are no files selected for viewing
55 changes: 35 additions & 20 deletions
55
linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,34 +1,49 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="no_files_unowned_by_user" version="1"> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("All files should be owned by a user") }}} | ||
| <criteria> | ||
| <criterion comment="Check all files and make sure they are owned by a user" test_ref="no_files_unowned_by_user_test" /> | ||
| <criterion test_ref="test_no_files_unowned_by_user" | ||
| comment="Check all files and make sure they are owned by a user"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <unix:file_state id="file_permissions_unowned_userid_list_match" version="1"> | ||
| <unix:user_id var_check="at least one" var_ref="file_permissions_unowned_userid_list" datatype="int" /> | ||
| </unix:file_state> | ||
| <!-- Create a file_state to filter out files owned by known users. --> | ||
| <unix:password_object id="object_no_files_unowned_by_user_all_users" version="2"> | ||
| <unix:username datatype="string" operation="pattern match">.*</unix:username> | ||
| </unix:password_object> | ||
|
|
||
| <local_variable id="file_permissions_unowned_userid_list" comment="List of valid user ids" datatype="int" version="1"> | ||
| <object_component item_field="user_id" object_ref="file_permissions_unowned_userid_list_object" /> | ||
| <local_variable id="var_no_files_unowned_by_user_uids_list" version="1" | ||
| datatype="int" comment="List of valid user ids"> | ||
| <object_component item_field="user_id" | ||
| object_ref="object_no_files_unowned_by_user_all_users"/> | ||
| </local_variable> | ||
|
|
||
| <unix:password_object id="file_permissions_unowned_userid_list_object" version="1"> | ||
| <unix:username datatype="string" operation="pattern match">.*</unix:username> | ||
| </unix:password_object> | ||
| <unix:file_state id="state_no_files_unowned_by_user_uids_list" version="1"> | ||
| <unix:user_id var_check="at least one" datatype="int" | ||
| var_ref="var_no_files_unowned_by_user_uids_list"/> | ||
| </unix:file_state> | ||
|
|
||
| <unix:file_object comment="all local files" id="file_permissions_unowned_object" version="1"> | ||
| <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" /> | ||
| <unix:path>/</unix:path> | ||
| {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} | ||
| {{{ create_local_mount_points_list(var_local_mount_points) }}} | ||
|
|
||
| <!-- This file_object will only find files located in local and not special file systems. The | ||
| recurse_file_system parameter is set to defined in order to make sure the probe doesn't | ||
| leave the scope of that mount point. For example, when probing "/", the probe will ignore | ||
| any child directory which is a mount point for any other partition. This will ensure | ||
| considerable performance improvement. --> | ||
| <unix:file_object id="object_no_files_unowned_by_user" version="2" | ||
| comment="all local files without a known owner"> | ||
| <unix:behaviors recurse="directories" recurse_direction="down" | ||
| recurse_file_system="defined" max_depth="-1"/> | ||
| <unix:path operation="equals" var_check="at least one" | ||
| var_ref="{{{ var_local_mount_points }}}"/> | ||
| <unix:filename operation="pattern match">.*</unix:filename> | ||
| <filter action="exclude">file_permissions_unowned_userid_list_match</filter> | ||
| <filter action="exclude">state_no_files_unowned_by_user_uids_list</filter> | ||
| </unix:file_object> | ||
| <unix:file_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" | ||
| check="all" check_existence="none_exist" comment="Check user ids on all files on the system" | ||
| id="no_files_unowned_by_user_test" version="1"> | ||
| <unix:object object_ref="file_permissions_unowned_object" /> | ||
|
|
||
| <unix:file_test id="test_no_files_unowned_by_user" version="2" | ||
| check="all" check_existence="none_exist" | ||
| comment="there are no files without a known owner"> | ||
| <unix:object object_ref="object_no_files_unowned_by_user"/> | ||
| </unix:file_test> | ||
| </def-group> | ||
|
|