From 15f31c8d487f24d0d6971801531ebfc9e06161ec Mon Sep 17 00:00:00 2001
From: Sven Vermeulen <sven.vermeulen@siphos.be>
Date: Sun, 30 Mar 2014 22:06:31 +0200
Subject: Add test for world writable directories

---
 xml/SCAP/gentoo-oval.xml  | 101 ++++++++++++++++++++++++++++++++++++++++++++++
 xml/SCAP/gentoo-xccdf.xml |  29 ++++++++++++-
 2 files changed, 128 insertions(+), 2 deletions(-)

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index f873701..427e5c1 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -581,6 +581,37 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:35" version="1" class="compliance">
+    <metadata>
+      <title>/etc/lilo.conf has a password set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        If /etc/lilo.conf exists, then it must have a password set.
+      </description>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="/etc/lilo.conf does not exist" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="/etc/lilo.conf has a password set" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:36" version="1" class="compliance">
+    <metadata>
+      <title>All world writable directories have the sticky bit set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        All world writable directories must have the sticky bit set.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="All world writable directories have the sticky bit set" />
+    </criteria>
+  </definition>
+
 </definitions>
 
 <tests>
@@ -879,6 +910,7 @@
     version="1" check="at least one" check_existence="at_least_one_exists">
     <!-- The /boot/grub/grub.conf file content -->
     <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+    <!-- A "password - -md5 somevalue" match -->
     <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
   </ind-def:textfilecontent54_test>
 
@@ -889,6 +921,31 @@
     <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
   </unix-def:file_test>
 
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:38"
+    version="1" check="all" check_existence="none_exist"
+    comment="/etc/lilo.conf does not exist">
+    <!-- The /etc/lilo.conf file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+  </unix-def:file_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39"
+    comment="lilo.conf has a password set"
+    version="1" check="at least one" check_existence="at_least_one_exists">
+    <!-- The /etc/lilo.conf content -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+    <!-- A password=somevalue match -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:40"
+    comment="All world writable directories have the sticky bit set"
+    version="1" check="all" check_existence="all_exist">
+    <!-- All world writable directories -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+    <!-- sticky bit is set -->
+    <unix-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+  </unix-def:file_test>
+
 </tests>
 
 <objects>
@@ -1031,6 +1088,35 @@
     <unix-def:filepath>/boot/grub</unix-def:filepath>
   </unix-def:file_object>
 
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:25"
+    version="1" comment="The /etc/lilo.conf file">
+    <unix-def:filepath>/etc/lilo.conf</unix-def:filepath>
+  </unix-def:file_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26"
+    version="1" comment="The /etc/lilo.conf content">
+    <ind-def:filepath>/etc/lilo.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:27"
+    version="1" comment="All world writable directories">
+    <set set_operator="UNION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <!-- All local directories -->
+      <object_reference>oval:org.gentoo.dev.swift:obj:28</object_reference>
+      <!-- filter out just those with the world-writable bit set -->
+      <filter action="exclude">oval:org.gentoo.dev.swift:ste:18</filter> <!-- exclude is default but this is more readable -->
+    </set>
+  </unix-def:file_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:28"
+    version="1" comment="All local directories">
+    <unix-def:behaviors recurse_direction="down" recurse_file_system="local" recurse="directories"/>
+    <unix-def:path>/</unix-def:path>
+    <unix-def:filename xsi:nil="true"/>
+  </unix-def:file_object>
+
 </objects>
 
 <states>
@@ -1110,6 +1196,21 @@
     <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
   </ind-def:textfilecontent54_state>
 
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16"
+    version="1" comment="Has a password=... entry">
+    <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password=[\S]+</ind-def:subexpression>
+  </ind-def:textfilecontent54_state>
+
+  <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:17"
+    version="1" comment="The sticky bit is set">
+    <unix-def:sticky datatype="boolean">1</unix-def:sticky>
+  </unix-def:file_state>
+
+  <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:18"
+    version="1" comment="Not world writable">
+    <unix-def:owrite datatype="boolean">0</unix-def:owrite>
+  </unix-def:file_state>
+
 </states>
 
 <variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 732bde3..aa85c1e 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -20,6 +20,8 @@
       large impact on the performance of a server. Tests include scripted
       validationn.
     </description>
+    <!-- Make sure all world-writable directories have the sticky bit set -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Intensive validation profile (non-scripted)</title>
@@ -30,6 +32,8 @@
       large impact on the performance of a server. Tests do not include
       scripted validation.
     </description>
+    <!-- Make sure all world-writable directories have the sticky bit set -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings (non-scripted)</title>
@@ -103,8 +107,10 @@
     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
     <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
-    <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+    <!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
+    <!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings</title>
@@ -1516,7 +1522,7 @@ grub&gt; <h:b>quit</h:b></h:pre>
 	  </h:p>
         </description>
         <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
-	  <title>Grub legacy has a password entry with md5 hash</title>
+	  <title>Grub legacy (if it exists) has a password entry with md5 hash</title>
 	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
 	    Edit /boot/grub/grub.conf and set a password entry with md5 hash
 	  </fixtext>
@@ -1557,6 +1563,15 @@ image=/boot/bzImage
            Rerun <h:code>lilo</h:code> after updating the configuration file.
 	   </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
+	  <title>LILO (if it exists) has a password entry</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
+	    Edit /etc/lilo.conf and set a password entry
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
       </Group>
     </Group>
     <Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
@@ -1782,6 +1797,16 @@ session  required pam_unix.so</h:pre>
           world writable privilege is not accessible anyhow).
 	  </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
+	  <title>All world writable directories have the sticky bit set</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
+	    Make sure all world-writable directories have the sticky bit set
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
+
       </Group>
       <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
         <title>Limit setuid and setgid file and directory usage</title>
-- 
cgit v1.2.3