
From b457ba1cf5ea6043a501ecc45f7a54c4de61b372 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Mon, 22 Jul 2019 15:26:48 +0200
44eea6
Subject: [PATCH 1/6] Compare suid/sgid files with the RPM database
44eea6
44eea6
It is difficult to maintain a list of the paths of all possible suid
44eea6
and sgid binaries in a Linux distribution. Instead, we can check if the
44eea6
suid or sgid file is owned by an RPM package by consulting the RPM
44eea6
database. Another advantage of this solution is that we can have a
44eea6
single OVAL for all RPM-related Linux distributions.  The patch modifies
44eea6
OVAL for rules file_permissions_unauthorized_suid and
44eea6
file_permissions_unauthorized_sgid and also adds test scenarios for
44eea6
these rules.
44eea6
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1693026
44eea6
---
44eea6
 .../oval/shared.xml                           | 131 ++++++++----------
44eea6
 .../oval/wrlinux.xml                          |  42 ------
44eea6
 .../tests/no_unpackaged_sgid.pass.sh          |  10 ++
44eea6
 .../tests/unpackaged_sgid.fail.sh             |  13 ++
44eea6
 .../oval/ol7.xml                              |  93 -------------
44eea6
 .../oval/ol8.xml                              |  93 -------------
44eea6
 .../oval/rhel6.xml                            |  99 -------------
44eea6
 .../oval/rhel7.xml                            |  95 -------------
44eea6
 .../oval/shared.xml                           |  62 +++++++++
44eea6
 .../oval/wrlinux.xml                          |  55 --------
44eea6
 .../tests/no_unpackaged_suid.pass.sh          |  10 ++
44eea6
 .../tests/unpackaged_suid.fail.sh             |  13 ++
44eea6
 12 files changed, 162 insertions(+), 554 deletions(-)
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
44eea6
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
44eea6
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
44eea6
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
44eea6
 delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
44eea6
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
44eea6
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
44eea6
index de4b86c3e0..83988feec7 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
44eea6
@@ -1,85 +1,62 @@
44eea6
 <def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_sgid" version="2">
44eea6
-    <metadata>
44eea6
-      <title>Find setgid files system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>multi_platform_rhel</platform>
44eea6
-        <platform>multi_platform_ol</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setgid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setgid files" test_ref="check_setgid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
+    <definition id="file_permissions_unauthorized_sgid" version="1" class="compliance">
44eea6
+        <metadata>
44eea6
+            <title>Find SGID files that are not owned by RPM packages</title>
44eea6
+            <affected family="unix">
44eea6
+                <platform>multi_platform_fedora</platform>
44eea6
+                <platform>multi_platform_rhel</platform>
44eea6
+                <platform>multi_platform_ol</platform>
44eea6
+                <platform>multi_platform_wrlinux</platform>
44eea6
+            </affected>
44eea6
+            <description>Evaluates to true if all files with SGID set are owned by RPM packages.</description>
44eea6
+        </metadata>
44eea6
+        <criteria>
44eea6
+            <criterion comment="Check all sgid files" test_ref="test_file_permissions_unauthorized_sgid"/>
44eea6
+        </criteria>
44eea6
+    </definition>
44eea6
 
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setgid files outside system RPMs" id="check_setgid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_sgid" />
44eea6
-  </unix:file_test>
44eea6
+    <unix:file_test check="all" check_existence="none_exist" comment="sgid files outside system RPMs" id="test_file_permissions_unauthorized_sgid" version="1">
44eea6
+        <unix:object object_ref="obj_file_permissions_unauthorized_sgid_unowned" />
44eea6
+    </unix:file_test>
44eea6
 
44eea6
-  <unix:file_object comment="files with sgid set" id="object_file_permissions_unauthorized_sgid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_sgid</filter>
44eea6
-    <filter action="exclude">state_sgid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
+    <unix:file_object comment="files with sgid set which are not owned by any RPM package" id="obj_file_permissions_unauthorized_sgid_unowned" version="1">
44eea6
+        <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
+        <unix:path operation="equals">/</unix:path>
44eea6
+        <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
+        <filter action="include">state_file_permissions_unauthorized_sgid_sgid_set</filter>
44eea6
+        <filter action="exclude">state_file_permissions_unauthorized_sgid_filepaths</filter>
44eea6
+    </unix:file_object>
44eea6
 
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_sgid" version="1">
44eea6
-    <unix:sgid datatype="boolean">true</unix:sgid>
44eea6
-  </unix:file_state>
44eea6
+    <linux:rpmverifyfile_object id="obj_file_permissions_unauthorized_sgid_rpms" version="1" comment="all files with sgid set that come from a RPM package">
44eea6
+        <linux:behaviors nolinkto="true" nomd5="true" nosize="true" nouser="true" nogroup="true" nomtime="true" nomode="true" nordev="true" />
44eea6
+        <linux:name operation="pattern match">.*</linux:name>
44eea6
+        <linux:epoch operation="pattern match">.*</linux:epoch>
44eea6
+        <linux:version operation="pattern match">.*</linux:version>
44eea6
+        <linux:release operation="pattern match">.*</linux:release>
44eea6
+        <linux:arch operation="pattern match">.*</linux:arch>
44eea6
+        <linux:filepath var_ref="var_file_permissions_unauthorized_sgid_all" operation="equals" var_check="all" />
44eea6
+    </linux:rpmverifyfile_object>
44eea6
 
44eea6
-  
44eea6
-  <unix:file_state id="state_sgid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_sgid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
+    <unix:file_object comment="all files with sgid set" id="obj_file_permissions_unauthorized_sgid_files" version="1">
44eea6
+        <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
+        <unix:path operation="equals">/</unix:path>
44eea6
+        <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
+        <filter action="include">state_file_permissions_unauthorized_sgid_sgid_set</filter>
44eea6
+    </unix:file_object>
44eea6
 
44eea6
-  <constant_variable id="var_sgid_whitelist" version="1" datatype="string" comment="sgid whitelist">
44eea6
-    {{% if product == "rhel6" %}}
44eea6
-    <value>/bin/cgclassify</value>
44eea6
-    <value>/bin/cgexec</value>
44eea6
-    <value>/sbin/netreport</value>
44eea6
-    {{% else %}}
44eea6
-    <value>/usr/bin/cgclassify</value>
44eea6
-    <value>/usr/bin/cgexec</value>
44eea6
-    <value>/usr/sbin/netreport</value>
44eea6
-    <value>/usr/lib/vte-2.90/gnome-pty-helper</value>
44eea6
-    <value>/usr/lib/vte-2.91/gnome-pty-helper</value>
44eea6
-    <value>/usr/lib64/vte/gnome-pty-helper</value>
44eea6
-    <value>/usr/lib64/vte-2.90/gnome-pty-helper</value>
44eea6
-    <value>/usr/lib64/vte-2.91/gnome-pty-helper</value>
44eea6
-    <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/libexec/openssh/ssh-keysign</value>
44eea6
-    {{% endif %}}
44eea6
-    <value>/usr/bin/crontab</value>
44eea6
-    <value>/usr/bin/gnomine</value>
44eea6
-    <value>/usr/bin/iagno</value>
44eea6
-    <value>/usr/bin/locate</value>
44eea6
-    <value>/usr/bin/lockfile</value>
44eea6
-    <value>/usr/bin/same-gnome</value>
44eea6
-    <value>/usr/bin/screen</value>
44eea6
-    <value>/usr/bin/ssh-agent</value>
44eea6
-    <value>/usr/bin/wall</value>
44eea6
-    <value>/usr/bin/write</value>
44eea6
-    <value>/usr/lib/vte/gnome-pty-helper</value>
44eea6
-    <value>/usr/libexec/kde4/kdesud</value>
44eea6
-    <value>/usr/libexec/utempter/utempter</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/admindb</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/admin</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/confirm</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/create</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/edithtml</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/listinfo</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/options</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/private</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/rmlist</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/roster</value>
44eea6
-    <value>/usr/lib/mailman/cgi-bin/subscribe</value>
44eea6
-    <value>/usr/lib/mailman/mail/mailman</value>
44eea6
-    <value>/usr/sbin/lockdev</value>
44eea6
-    <value>/usr/sbin/postdrop</value>
44eea6
-    <value>/usr/sbin/postqueue</value>
44eea6
-    <value>/usr/sbin/sendmail.sendmail</value>
44eea6
-  </constant_variable>
44eea6
+    <unix:file_state id="state_file_permissions_unauthorized_sgid_sgid_set" version="1">
44eea6
+        <unix:sgid datatype="boolean">true</unix:sgid>
44eea6
+    </unix:file_state>
44eea6
 
44eea6
+    <unix:file_state id="state_file_permissions_unauthorized_sgid_filepaths" version="1">
44eea6
+        <unix:filepath var_ref="var_file_permissions_unauthorized_sgid_rpms" var_check="at least one" />
44eea6
+    </unix:file_state>
44eea6
+
44eea6
+    <local_variable id="var_file_permissions_unauthorized_sgid_rpms" datatype="string" version="1" comment="all files with sgid set that come from a RPM package">
44eea6
+        <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_sgid_rpms" />
44eea6
+    </local_variable>
44eea6
+
44eea6
+    <local_variable id="var_file_permissions_unauthorized_sgid_all" datatype="string" version="1" comment="all files with sgid set">
44eea6
+        <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_sgid_files" />
44eea6
+    </local_variable>
44eea6
 </def-group>
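Review bot: The new check treats any SGID file that belongs to some RPM as authorized, so a packaged binary that an administrator (or an attacker with write access) has additionally marked g+s now passes, whereas the old whitelist would have flagged it; `nomode="true"` in `linux:behaviors` on obj_file_permissions_unauthorized_sgid_rpms explicitly turns off the one rpmverifyfile attribute that would detect that drift, and the local_variable only harvests `filepath`, so no mode information reaches the exclude filter. If rpm_verify_permissions is meant to cover that case, the description should say so, e.g. `Evaluates to true if all files with SGID set are owned by RPM packages. An SGID bit added to a packaged file that does not ship with it is not detected here (see rpm_verify_permissions).`; otherwise drop `nomode="true"` and add `<filter action="exclude">` on an rpmverifyfile_state with `<linux:mode_differs datatype="boolean">true</linux:mode_differs>` so files whose mode deviates from the package manifest are not counted as packaged. The same description should also note that `recurse_file_system="local"` skips network-mounted filesystems. Separately, the definition's `version` went from 2 (removed line) to 1; OVAL definition versions are expected to increase on change, so this should be 3.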
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
44eea6
deleted file mode 100644
44eea6
index 962a26d5f3..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
44eea6
+++ /dev/null
44eea6
@@ -1,42 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_sgid" version="2">
44eea6
-    <metadata>
44eea6
-      <title>Find setgid files system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Wind River Linux 8</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setgid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setgid files" test_ref="check_setgid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setgid files outside system RPMs" id="check_setgid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_sgid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with sgid set" id="object_file_permissions_unauthorized_sgid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_sgid</filter>
44eea6
-    <filter action="exclude">state_sgid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_sgid" version="1">
44eea6
-    <unix:sgid datatype="boolean">true</unix:sgid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  
44eea6
-  <unix:file_state id="state_sgid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_sgid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  <constant_variable id="var_sgid_whitelist" version="1" datatype="string" comment="sgid whitelist">
44eea6
-    <value>/usr/bin/crontab</value>
44eea6
-    <value>/usr/sbin/postdrop</value>
44eea6
-    <value>/usr/sbin/postqueue</value>
44eea6
-  </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
44eea6
new file mode 100644
44eea6
index 0000000000..adf6b6b959
44eea6
--- /dev/null
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
44eea6
@@ -0,0 +1,10 @@
44eea6
+#!/bin/bash
44eea6
+
44eea6
+# profiles = xccdf_org.ssgproject.content_profile_standard
44eea6
+# remediation = none
44eea6
+
44eea6
+for x in $(find / -perm /g=s) ; do
44eea6
+	if ! rpm -qf $x ; then
44eea6
+		rm -rf $x
44eea6
+	fi
44eea6
+done
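Review bot: The cleanup loop `for x in $(find / -perm /g=s)` is not restricted to `-type f`, so any unpackaged setgid directory on the test system (setgid directories are typically used for shared group trees and are often created at runtime rather than shipped in an RPM) is removed recursively by `rm -rf $x`, which can damage the VM before the scan runs. The loop also word-splits paths on whitespace, leaves `$x` unquoted, lets `rpm -qf` output spill into the log, and descends into /proc and /sys, which the OVAL's `recurse_file_system="local"` file_object does not. Restricting the search to regular files, using `-print0` with `read -d ''`, and pruning the pseudo-filesystems keeps the scenario aligned with what the OVAL actually collects.
```shell
# … unchanged: profiles / remediation header …
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -perm /g=s -print0 |
    while IFS= read -r -d '' f; do
        rpm -qf "$f" >/dev/null 2>&1 || rm -f "$f"
    done
```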
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
44eea6
new file mode 100644
44eea6
index 0000000000..4aa273ca89
44eea6
--- /dev/null
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
44eea6
@@ -0,0 +1,13 @@
44eea6
+#!/bin/bash
44eea6
+
44eea6
+# profiles = xccdf_org.ssgproject.content_profile_standard
44eea6
+# remediation = none
44eea6
+
44eea6
+for x in $(find / -perm /g=s) ; do
44eea6
+	if ! rpm -qf $x ; then
44eea6
+		rm -rf $x
44eea6
+	fi
44eea6
+done
44eea6
+
44eea6
+touch /usr/bin/sgid_binary
44eea6
+chmod g+xs /usr/bin/sgid_binary
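Review bot: The same unquoted `$(find / -perm /g=s)` / `rm -rf $x` cleanup as the pass scenario is duplicated here, with the same risk of recursively deleting an unpackaged setgid directory; since this scenario only needs one unowned SGID file to exist for the rule to fail, the cleanup could be dropped, or at least restricted with `-type f` and changed to `rm -f "$x"`. With the usual umask `touch` creates a 0644 file, so `chmod g+xs` leaves a zero-byte file that is SGID but not executable by its owner; that is enough for the OVAL, which only tests the sgid bit, but `chmod 2755 /usr/bin/sgid_binary` would make the fixture look like the binary it is named after and document the intent.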
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
44eea6
deleted file mode 100644
44eea6
index 6f4a87e3fb..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
44eea6
+++ /dev/null
44eea6
@@ -1,93 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
44eea6
-    <metadata>
44eea6
-      <title>Find setuid files from system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Oracle Linux 7</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setuid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_suid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_suid</filter>
44eea6
-    <filter action="exclude">state_suid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:suid datatype="boolean">true</unix:suid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-
44eea6
-
44eea6
-  <unix:file_state id="state_suid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
44eea6
-    <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/bin/at</value>
44eea6
-    <value>/usr/bin/chage</value>
44eea6
-    <value>/usr/bin/chfn</value>
44eea6
-    <value>/usr/bin/chsh</value>
44eea6
-    <value>/usr/bin/crontab</value>
44eea6
-    <value>/usr/bin/fusermount</value>
44eea6
-    <value>/usr/bin/gpasswd</value>
44eea6
-    <value>/usr/bin/ksu</value>
44eea6
-    <value>/usr/bin/mount</value>
44eea6
-    <value>/usr/bin/newgrp</value>
44eea6
-    <value>/usr/bin/passwd</value>
44eea6
-    <value>/usr/bin/pkexec</value>
44eea6
-    <value>/usr/bin/staprun</value>
44eea6
-    <value>/usr/bin/sudoedit</value>
44eea6
-    <value>/usr/bin/sudo</value>
44eea6
-    <value>/usr/bin/su</value>
44eea6
-    <value>/usr/bin/umount</value>
44eea6
-    <value>/usr/bin/Xorg</value>
44eea6
-    <value>/usr/lib64/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib64/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib64/amanda/calcsize</value>
44eea6
-    <value>/usr/lib64/amanda/dumper</value>
44eea6
-    <value>/usr/lib64/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib64/amanda/planner</value>
44eea6
-    <value>/usr/lib64/amanda/rundump</value>
44eea6
-    <value>/usr/lib64/amanda/runtar</value>
44eea6
-    <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/lib/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib/amanda/calcsize</value>
44eea6
-    <value>/usr/lib/amanda/dumper</value>
44eea6
-    <value>/usr/lib/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib/amanda/planner</value>
44eea6
-    <value>/usr/lib/amanda/rundump</value>
44eea6
-    <value>/usr/lib/amanda/runtar</value>
44eea6
-    <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
44eea6
-    <value>/usr/libexec/qemu-bridge-helper</value>
44eea6
-    <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
44eea6
-    <value>/usr/libexec/sssd/krb5_child</value>
44eea6
-    <value>/usr/libexec/sssd/ldap_child</value>
44eea6
-    <value>/usr/libexec/sssd/proxy_child</value>
44eea6
-    <value>/usr/libexec/sssd/selinux_child</value>
44eea6
-    <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
44eea6
-    <value>/usr/sbin/amcheck</value>
44eea6
-    <value>/usr/sbin/amservice</value>
44eea6
-    <value>/usr/sbin/mount.nfs</value>
44eea6
-    <value>/usr/sbin/pam_timestamp_check</value>
44eea6
-    <value>/usr/sbin/unix_chkpwd</value>
44eea6
-    <value>/usr/sbin/userhelper</value>
44eea6
-    <value>/usr/sbin/usernetctl</value>
44eea6
-  </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
44eea6
deleted file mode 100644
44eea6
index f185efc221..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
44eea6
+++ /dev/null
44eea6
@@ -1,93 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
44eea6
-    <metadata>
44eea6
-      <title>Find setuid files from system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Oracle Linux 8</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setuid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_suid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_suid</filter>
44eea6
-    <filter action="exclude">state_suid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:suid datatype="boolean">true</unix:suid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-
44eea6
-
44eea6
-  <unix:file_state id="state_suid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
44eea6
-    <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/bin/at</value>
44eea6
-    <value>/usr/bin/chage</value>
44eea6
-    <value>/usr/bin/chfn</value>
44eea6
-    <value>/usr/bin/chsh</value>
44eea6
-    <value>/usr/bin/crontab</value>
44eea6
-    <value>/usr/bin/fusermount</value>
44eea6
-    <value>/usr/bin/gpasswd</value>
44eea6
-    <value>/usr/bin/ksu</value>
44eea6
-    <value>/usr/bin/mount</value>
44eea6
-    <value>/usr/bin/newgrp</value>
44eea6
-    <value>/usr/bin/passwd</value>
44eea6
-    <value>/usr/bin/pkexec</value>
44eea6
-    <value>/usr/bin/staprun</value>
44eea6
-    <value>/usr/bin/sudoedit</value>
44eea6
-    <value>/usr/bin/sudo</value>
44eea6
-    <value>/usr/bin/su</value>
44eea6
-    <value>/usr/bin/umount</value>
44eea6
-    <value>/usr/bin/Xorg</value>
44eea6
-    <value>/usr/lib64/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib64/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib64/amanda/calcsize</value>
44eea6
-    <value>/usr/lib64/amanda/dumper</value>
44eea6
-    <value>/usr/lib64/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib64/amanda/planner</value>
44eea6
-    <value>/usr/lib64/amanda/rundump</value>
44eea6
-    <value>/usr/lib64/amanda/runtar</value>
44eea6
-    <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/lib/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib/amanda/calcsize</value>
44eea6
-    <value>/usr/lib/amanda/dumper</value>
44eea6
-    <value>/usr/lib/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib/amanda/planner</value>
44eea6
-    <value>/usr/lib/amanda/rundump</value>
44eea6
-    <value>/usr/lib/amanda/runtar</value>
44eea6
-    <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
44eea6
-    <value>/usr/libexec/qemu-bridge-helper</value>
44eea6
-    <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
44eea6
-    <value>/usr/libexec/sssd/krb5_child</value>
44eea6
-    <value>/usr/libexec/sssd/ldap_child</value>
44eea6
-    <value>/usr/libexec/sssd/proxy_child</value>
44eea6
-    <value>/usr/libexec/sssd/selinux_child</value>
44eea6
-    <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
44eea6
-    <value>/usr/sbin/amcheck</value>
44eea6
-    <value>/usr/sbin/amservice</value>
44eea6
-    <value>/usr/sbin/mount.nfs</value>
44eea6
-    <value>/usr/sbin/pam_timestamp_check</value>
44eea6
-    <value>/usr/sbin/unix_chkpwd</value>
44eea6
-    <value>/usr/sbin/userhelper</value>
44eea6
-    <value>/usr/sbin/usernetctl</value>
44eea6
-  </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
44eea6
deleted file mode 100644
44eea6
index 3a59897356..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
44eea6
+++ /dev/null
44eea6
@@ -1,99 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
44eea6
-    <metadata>
44eea6
-      <title>Find setuid files from system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Red Hat Enterprise Linux 6</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setuid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_suid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_suid</filter>
44eea6
-    <filter action="exclude">state_suid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:suid datatype="boolean">true</unix:suid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-
44eea6
-   <unix:file_state id="state_suid_whitelist" version="1">
44eea6
-      <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
44eea6
-   </unix:file_state>
44eea6
-
44eea6
-        <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
44eea6
-                <value>/bin/fusermount</value>
44eea6
-                <value>/bin/mount</value>
44eea6
-                <value>/bin/ping6</value>
44eea6
-                <value>/bin/ping</value>
44eea6
-                <value>/bin/su</value>
44eea6
-                <value>/bin/umount</value>
44eea6
-                <value>/lib64/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-                <value>/lib/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-                <value>/sbin/mount.ecryptfs_private</value>
44eea6
-                <value>/sbin/mount.nfs</value>
44eea6
-                <value>/sbin/pam_timestamp_check</value>
44eea6
-                <value>/sbin/unix_chkpwd</value>
44eea6
-                <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-                <value>/usr/bin/at</value>
44eea6
-                <value>/usr/bin/chage</value>
44eea6
-                <value>/usr/bin/chfn</value>
44eea6
-                <value>/usr/bin/chsh</value>
44eea6
-                <value>/usr/bin/crontab</value>
44eea6
-                <value>/usr/bin/gpasswd</value>
44eea6
-                <value>/usr/bin/kgrantpty</value>
44eea6
-                <value>/usr/bin/kpac_dhcp_helper</value>
44eea6
-                <value>/usr/bin/ksu</value>
44eea6
-                <value>/usr/bin/newgrp</value>
44eea6
-                <value>/usr/bin/newrole</value>
44eea6
-                <value>/usr/bin/passwd</value>
44eea6
-                <value>/usr/bin/pkexec</value>
44eea6
-                <value>/usr/bin/rcp</value>
44eea6
-                <value>/usr/bin/rlogin</value>
44eea6
-                <value>/usr/bin/rsh</value>
44eea6
-                <value>/usr/bin/sperl5.10.1</value>
44eea6
-                <value>/usr/bin/staprun</value>
44eea6
-                <value>/usr/bin/sudoedit</value>
44eea6
-                <value>/usr/bin/sudo</value>
44eea6
-                <value>/usr/bin/Xorg</value>
44eea6
-                <value>/usr/lib64/amanda/calcsize</value>
44eea6
-                <value>/usr/lib64/amanda/dumper</value>
44eea6
-                <value>/usr/lib64/amanda/killpgrp</value>
44eea6
-                <value>/usr/lib64/amanda/planner</value>
44eea6
-                <value>/usr/lib64/amanda/rundump</value>
44eea6
-                <value>/usr/lib64/amanda/runtar</value>
44eea6
-                <value>/usr/lib64/nspluginwrapper/plugin-config</value>
44eea6
-                <value>/usr/lib/amanda/calcsize</value>
44eea6
-                <value>/usr/lib/amanda/dumper</value>
44eea6
-                <value>/usr/lib/amanda/killpgrp</value>
44eea6
-                <value>/usr/lib/amanda/planner</value>
44eea6
-                <value>/usr/lib/amanda/rundump</value>
44eea6
-                <value>/usr/lib/amanda/runtar</value>
44eea6
-                <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-                <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
44eea6
-                <value>/usr/libexec/mc/cons.saver</value>
44eea6
-                <value>/usr/libexec/openssh/ssh-keysign</value>
44eea6
-                <value>/usr/libexec/polkit-1/polkit-agent-helper-1</value>
44eea6
-                <value>/usr/libexec/pt_chown</value>
44eea6
-                <value>/usr/libexec/pulse/proximity-helper</value>
44eea6
-                <value>/usr/lib/nspluginwrapper/plugin-config</value>
44eea6
-                <value>/usr/sbin/amcheck</value>
44eea6
-                <value>/usr/sbin/seunshare</value>
44eea6
-                <value>/usr/sbin/suexec</value>
44eea6
-                <value>/usr/sbin/userhelper</value>
44eea6
-                <value>/usr/sbin/usernetctl</value>
44eea6
-        </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
44eea6
deleted file mode 100644
44eea6
index c48bda0ef6..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
44eea6
+++ /dev/null
44eea6
@@ -1,95 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
44eea6
-    <metadata>
44eea6
-      <title>Find setuid files from system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Red Hat Enterprise Linux 7</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setuid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_suid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_suid</filter>
44eea6
-    <filter action="exclude">state_suid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:suid datatype="boolean">true</unix:suid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-
44eea6
-
44eea6
-  <unix:file_state id="state_suid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
44eea6
-    <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/bin/at</value>
44eea6
-    <value>/usr/bin/chage</value>
44eea6
-    <value>/usr/bin/chfn</value>
44eea6
-    <value>/usr/bin/chsh</value>
44eea6
-    <value>/usr/bin/crontab</value>
44eea6
-    <value>/usr/bin/fusermount</value>
44eea6
-    <value>/usr/bin/gpasswd</value>
44eea6
-    <value>/usr/bin/ksu</value>
44eea6
-    <value>/usr/bin/mount</value>
44eea6
-    <value>/usr/bin/newgrp</value>
44eea6
-    <value>/usr/bin/passwd</value>
44eea6
-    <value>/usr/bin/pkexec</value>
44eea6
-    <value>/usr/bin/staprun</value>
44eea6
-    <value>/usr/bin/sudoedit</value>
44eea6
-    <value>/usr/bin/sudo</value>
44eea6
-    <value>/usr/bin/su</value>
44eea6
-    <value>/usr/bin/umount</value>
44eea6
-    <value>/usr/bin/Xorg</value>
44eea6
-    <value>/usr/lib64/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib64/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib64/amanda/calcsize</value>
44eea6
-    <value>/usr/lib64/amanda/dumper</value>
44eea6
-    <value>/usr/lib64/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib64/amanda/planner</value>
44eea6
-    <value>/usr/lib64/amanda/rundump</value>
44eea6
-    <value>/usr/lib64/amanda/runtar</value>
44eea6
-    <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/lib/amanda/application/amgtar</value>
44eea6
-    <value>/usr/lib/amanda/application/amstar</value>
44eea6
-    <value>/usr/lib/amanda/calcsize</value>
44eea6
-    <value>/usr/lib/amanda/dumper</value>
44eea6
-    <value>/usr/lib/amanda/killpgrp</value>
44eea6
-    <value>/usr/lib/amanda/planner</value>
44eea6
-    <value>/usr/lib/amanda/rundump</value>
44eea6
-    <value>/usr/lib/amanda/runtar</value>
44eea6
-    <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
44eea6
-    <value>/usr/libexec/cockpit-session</value>       
44eea6
-    <value>/usr/libexec/dbus-1/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
44eea6
-    <value>/usr/libexec/qemu-bridge-helper</value>
44eea6
-    <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
44eea6
-    <value>/usr/libexec/sssd/krb5_child</value>
44eea6
-    <value>/usr/libexec/sssd/ldap_child</value>
44eea6
-    <value>/usr/libexec/sssd/proxy_child</value>
44eea6
-    <value>/usr/libexec/sssd/selinux_child</value>
44eea6
-    <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
44eea6
-    <value>/usr/sbin/amcheck</value>
44eea6
-    <value>/usr/sbin/amservice</value>
44eea6
-    <value>/usr/sbin/mount.nfs</value>
44eea6
-    <value>/usr/sbin/pam_timestamp_check</value>
44eea6
-    <value>/usr/sbin/unix_chkpwd</value>
44eea6
-    <value>/usr/sbin/userhelper</value>
44eea6
-    <value>/usr/sbin/usernetctl</value>
44eea6
-  </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
44eea6
new file mode 100644
44eea6
index 0000000000..e83595c198
44eea6
--- /dev/null
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
44eea6
@@ -0,0 +1,62 @@
44eea6
+<def-group>
44eea6
+    <definition id="file_permissions_unauthorized_suid" version="1" class="compliance">
44eea6
+        <metadata>
44eea6
+            <title>Find SUID files that are not owned by RPM packages</title>
44eea6
+            <affected family="unix">
44eea6
+                <platform>multi_platform_fedora</platform>
44eea6
+                <platform>multi_platform_rhel</platform>
44eea6
+                <platform>multi_platform_ol</platform>
44eea6
+                <platform>multi_platform_wrlinux</platform>
44eea6
+            </affected>
44eea6
+            <description>Evaluates to true if all files with SUID set are owned by RPM packages.</description>
44eea6
+        </metadata>
44eea6
+        <criteria>
44eea6
+            <criterion comment="Check all suid files" test_ref="test_file_permissions_unauthorized_suid"/>
44eea6
+        </criteria>
44eea6
+    </definition>
44eea6
+
44eea6
+    <unix:file_test check="all" check_existence="none_exist" comment="suid files outside system RPMs" id="test_file_permissions_unauthorized_suid" version="1">
44eea6
+        <unix:object object_ref="obj_file_permissions_unauthorized_suid_unowned" />
44eea6
+    </unix:file_test>
44eea6
+
44eea6
+    <unix:file_object comment="files with suid set which are not owned by any RPM package" id="obj_file_permissions_unauthorized_suid_unowned" version="1">
44eea6
+        <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
+        <unix:path operation="equals">/</unix:path>
44eea6
+        <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
+        <filter action="include">state_file_permissions_unauthorized_suid_suid_set</filter>
44eea6
+        <filter action="exclude">state_file_permissions_unauthorized_suid_filepaths</filter>
44eea6
+    </unix:file_object>
44eea6
+
44eea6
+    <linux:rpmverifyfile_object id="obj_file_permissions_unauthorized_suid_rpms" version="1" comment="all files with suid set that come from a RPM package">
44eea6
+        <linux:behaviors nolinkto="true" nomd5="true" nosize="true" nouser="true" nogroup="true" nomtime="true" nomode="true" nordev="true" />
44eea6
+        <linux:name operation="pattern match">.*</linux:name>
44eea6
+        <linux:epoch operation="pattern match">.*</linux:epoch>
44eea6
+        <linux:version operation="pattern match">.*</linux:version>
44eea6
+        <linux:release operation="pattern match">.*</linux:release>
44eea6
+        <linux:arch operation="pattern match">.*</linux:arch>
44eea6
+        <linux:filepath var_ref="var_file_permissions_unauthorized_suid_all" operation="equals" var_check="all" />
44eea6
+    </linux:rpmverifyfile_object>
44eea6
+
44eea6
+    <unix:file_object comment="all files with suid set" id="obj_file_permissions_unauthorized_suid_files" version="1">
44eea6
+        <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
+        <unix:path operation="equals">/</unix:path>
44eea6
+        <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
+        <filter action="include">state_file_permissions_unauthorized_suid_suid_set</filter>
44eea6
+    </unix:file_object>
44eea6
+
44eea6
+    <unix:file_state id="state_file_permissions_unauthorized_suid_suid_set" version="1">
44eea6
+        <unix:suid datatype="boolean">true</unix:suid>
44eea6
+    </unix:file_state>
44eea6
+
44eea6
+    <unix:file_state id="state_file_permissions_unauthorized_suid_filepaths" version="1">
44eea6
+        <unix:filepath var_ref="var_file_permissions_unauthorized_suid_rpms" var_check="at least one" />
44eea6
+    </unix:file_state>
44eea6
+
44eea6
+    <local_variable id="var_file_permissions_unauthorized_suid_rpms" datatype="string" version="1" comment="all files with suid set that come from a RPM package">
44eea6
+        <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_suid_rpms" />
44eea6
+    </local_variable>
44eea6
+
44eea6
+    <local_variable id="var_file_permissions_unauthorized_suid_all" datatype="string" version="1" comment="all files with suid set">
44eea6
+        <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_suid_files" />
44eea6
+    </local_variable>
44eea6
+</def-group>
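Review bot: The linux:behaviors on obj_file_permissions_unauthorized_suid_rpms switch off every verification flag (nomd5, nosize, nomode, nouser, nogroup, …), so the definition establishes only that a SUID file's path is claimed by some installed package — a packaged SUID binary whose contents or mode were altered after installation still counts as authorized, and nothing in this OVAL checks package signatures, which the "cryptographically verified" wording in the rule description could lead a reader to expect. A comment on that object would keep the next maintainer from relying on it for integrity, e.g. `<!-- Ownership only: all rpm verify checks are disabled, so a modified packaged file still counts as authorized; file integrity is left to the separate RPM verification rules -->`. Separately, obj_file_permissions_unauthorized_suid_unowned and obj_file_permissions_unauthorized_suid_files both recurse every local filesystem from / with the same suid_set filter, so the tree is enumerated twice; a comment stating why two objects are needed (the second only feeds var_file_permissions_unauthorized_suid_all, the first is what the test evaluates) would explain the duplication. The behaviour on a host with no SUID file at all (var_file_permissions_unauthorized_suid_all and _rpms both empty, referenced by a state with var_check="at least one") is worth confirming against the scanner, since an empty variable in a state may yield error rather than a clean pass.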
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
44eea6
deleted file mode 100644
44eea6
index 8306d38211..0000000000
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
44eea6
+++ /dev/null
44eea6
@@ -1,55 +0,0 @@
44eea6
-<def-group>
44eea6
-  <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
44eea6
-    <metadata>
44eea6
-      <title>Find setuid files from system packages</title>
44eea6
-      <affected family="unix">
44eea6
-        <platform>Wind River Linux 8</platform>
44eea6
-      </affected>
44eea6
-      <description>All files with setuid should be owned by a base system package</description>
44eea6
-    </metadata>
44eea6
-    <criteria>
44eea6
-      <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
44eea6
-    </criteria>
44eea6
-  </definition>
44eea6
-
44eea6
-  <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
44eea6
-    <unix:object object_ref="object_file_permissions_unauthorized_suid" />
44eea6
-  </unix:file_test>
44eea6
-
44eea6
-  <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
44eea6
-    <unix:path operation="equals">/</unix:path>
44eea6
-    <unix:filename operation="pattern match">^.*$</unix:filename>
44eea6
-    <filter action="include">state_file_permissions_unauthorized_suid</filter>
44eea6
-    <filter action="exclude">state_suid_whitelist</filter>
44eea6
-  </unix:file_object>
44eea6
-
44eea6
-  <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
44eea6
-    <unix:suid datatype="boolean">true</unix:suid>
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-
44eea6
-
44eea6
-  <unix:file_state id="state_suid_whitelist" version="1">
44eea6
-    <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
44eea6
-  </unix:file_state>
44eea6
-
44eea6
-  <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
44eea6
-    <value>/bin/su.shadow</value>
44eea6
-    <value>/bin/su.util-linux</value>
44eea6
-    <value>/usr/bin/chage</value>
44eea6
-    <value>/usr/bin/chfn.shadow</value>
44eea6
-    <value>/usr/bin/chsh.shadow</value>
44eea6
-    <value>/usr/bin/expiry</value>
44eea6
-    <value>/usr/bin/gpasswd</value>
44eea6
-    <value>/usr/bin/newgidmap</value>
44eea6
-    <value>/usr/bin/newgrp.shadow</value>
44eea6
-    <value>/usr/bin/newuidmap</value>
44eea6
-    <value>/usr/bin/passwd.shadow</value>
44eea6
-    <value>/usr/bin/sudo</value>
44eea6
-    <value>/usr/lib64/dbus/dbus-daemon-launch-helper</value>
44eea6
-    <value>/usr/sbin/unix_chkpwd</value>
44eea6
-    <value>/usr/sbin/vlock-main</value>
44eea6
-  </constant_variable>
44eea6
-
44eea6
-</def-group>
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
44eea6
new file mode 100644
44eea6
index 0000000000..e6e5a29fb3
44eea6
--- /dev/null
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
44eea6
@@ -0,0 +1,10 @@
44eea6
+#!/bin/bash
44eea6
+
44eea6
+# profiles = xccdf_org.ssgproject.content_profile_standard
44eea6
+# remediation = none
44eea6
+
44eea6
+for x in $(find / -perm /u=s) ; do
44eea6
+	if ! rpm -qf $x ; then
44eea6
+		rm -rf $x
44eea6
+	fi
44eea6
+done
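Review bot: The cleanup loop is riskier than it needs to be: `$(find / -perm /u=s)` word-splits paths on whitespace, `$x` is unquoted, and there is no `-type f` or pruning of /proc, /sys and /dev, so a setuid directory or a pseudo-filesystem entry can reach `rm -rf`. `rpm -qf` output is also left on stdout/stderr, which clutters the test log for every packaged SUID file. The same loop appears verbatim in unpackaged_suid.fail.sh in the next hunk, so both scripts should iterate over NUL-delimited regular files, quiet the rpm lookup and drop `-r`, as below.
```shell
# … unchanged: shebang and test-harness header comments …
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -perm /u=s -print0 |
while IFS= read -r -d '' x ; do
	if ! rpm -qf "$x" >/dev/null 2>&1 ; then
		rm -f "$x"
	fi
done
```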
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
44eea6
new file mode 100644
44eea6
index 0000000000..f05f1821ec
44eea6
--- /dev/null
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
44eea6
@@ -0,0 +1,13 @@
44eea6
+#!/bin/bash
44eea6
+
44eea6
+# profiles = xccdf_org.ssgproject.content_profile_standard
44eea6
+# remediation = none
44eea6
+
44eea6
+for x in $(find / -perm /u=s) ; do
44eea6
+	if ! rpm -qf $x ; then
44eea6
+		rm -rf $x
44eea6
+	fi
44eea6
+done
44eea6
+
44eea6
+touch /usr/bin/suid_binary
44eea6
+chmod u+xs /usr/bin/suid_binary
44eea6
44eea6
From 359400441acb2290af7e5ff49942dec01cb39a43 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Fri, 9 Aug 2019 08:44:59 +0200
44eea6
Subject: [PATCH 2/6] Describe the logic of the check in rule description
44eea6
44eea6
---
44eea6
 .../files/file_permissions_unauthorized_sgid/rule.yml        | 5 +++++
44eea6
 .../files/file_permissions_unauthorized_suid/rule.yml        | 5 +++++
44eea6
 2 files changed, 10 insertions(+)
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
index f039eea88c..9bad52d9b2 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
@@ -8,6 +8,11 @@ description: |-
44eea6
     unauthorized SGID files is determine if any were not installed as part of an
44eea6
     RPM package, which is cryptographically verified. Investigate the origin
44eea6
     of any unpackaged SGID files.
44eea6
+    This configuration check whitelists SGID files which were installed via RPM.
44eea6
+    It is assumed that when an individual has sudo access to install an RPM
44eea6
+    and all packages are signed with an organizationally-recognized GPG key,
44eea6
+    the software should be considered an approved package on the system.
44eea6
+    Any SGID file not deployed through an RPM will be flagged for further review.
44eea6
 
44eea6
 rationale: |-
44eea6
     Executable files with the SGID permission run with the privileges of
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
index 5f4bc02cd1..1e01924469 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
@@ -8,6 +8,11 @@ description: |-
44eea6
     unauthorized SGID files is determine if any were not installed as part of an
44eea6
     RPM package, which is cryptographically verified. Investigate the origin
44eea6
     of any unpackaged SUID files.
44eea6
+    This configuration check whitelists SUID files which were installed via RPM.
44eea6
+    It is assumed that when an individual has sudo access to install an RPM
44eea6
+    and all packages are signed with an organizationally-recognized GPG key,
44eea6
+    the software should be considered an approved package on the system.
44eea6
+    Any SUID file not deployed through an RPM will be flagged for further review.
44eea6
 
44eea6
 rationale: |-
44eea6
     Executable files with the SUID permission run with the privileges of
44eea6
44eea6
From f8f7c2ae18f6c1d0cb145d996fb59d875276c991 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Wed, 14 Aug 2019 11:28:38 +0200
44eea6
Subject: [PATCH 3/6] Change 'whitelists' to 'considers authorized'
44eea6
44eea6
---
44eea6
 .../files/file_permissions_unauthorized_sgid/rule.yml           | 2 +-
44eea6
 .../files/file_permissions_unauthorized_suid/rule.yml           | 2 +-
44eea6
 2 files changed, 2 insertions(+), 2 deletions(-)
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
index 9bad52d9b2..e92637ca09 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
@@ -8,7 +8,7 @@ description: |-
44eea6
     unauthorized SGID files is determine if any were not installed as part of an
44eea6
     RPM package, which is cryptographically verified. Investigate the origin
44eea6
     of any unpackaged SGID files.
44eea6
-    This configuration check whitelists SGID files which were installed via RPM.
44eea6
+    This configuration check considers authorized SGID files which were installed via RPM.
44eea6
     It is assumed that when an individual has sudo access to install an RPM
44eea6
     and all packages are signed with an organizationally-recognized GPG key,
44eea6
     the software should be considered an approved package on the system.
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
index 1e01924469..9f3f3dc86c 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
@@ -8,7 +8,7 @@ description: |-
44eea6
     unauthorized SGID files is determine if any were not installed as part of an
44eea6
     RPM package, which is cryptographically verified. Investigate the origin
44eea6
     of any unpackaged SUID files.
44eea6
-    This configuration check whitelists SUID files which were installed via RPM.
44eea6
+    This configuration check considers authorized SUID files which were installed via RPM.
44eea6
     It is assumed that when an individual has sudo access to install an RPM
44eea6
     and all packages are signed with an organizationally-recognized GPG key,
44eea6
     the software should be considered an approved package on the system.
44eea6
44eea6
From 69fac9536f88047a77aea67db81004872e27dae6 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Wed, 16 Oct 2019 10:23:47 +0200
44eea6
Subject: [PATCH 4/6] Fix OCIL
44eea6
44eea6
---
44eea6
 .../files/file_permissions_unauthorized_sgid/rule.yml         | 4 ++--
44eea6
 .../files/file_permissions_unauthorized_suid/rule.yml         | 4 ++--
44eea6
 2 files changed, 4 insertions(+), 4 deletions(-)
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
index e92637ca09..d03e7bf980 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
@@ -41,5 +41,5 @@ references:
44eea6
 ocil_clause: 'there is output'
44eea6
 
44eea6
 ocil: |-
44eea6
-    To find world-writable files, run the following command:
44eea6
-    
$ sudo find / -xdev -type f -perm -002
44eea6
+    To find SGID files, run the following command:
44eea6
+    
$ sudo find / -xdev -type f -perm -2000
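Review bot: The rewritten OCIL text now lists every SGID file, packaged or not, but the unchanged `ocil_clause: 'there is output'` above it still tells a manual assessor to fail the rule whenever the find command prints anything — so any host with a single packaged SGID binary fails the manual check while the automated OVAL passes it. The SUID counterpart in the next hunk already reads 'only authorized files appear in the output of the find command'; this rule should use the same clause: `ocil_clause: 'only authorized files appear in the output of the find command'`. It would also help both OCIL procedures to say how authorization is decided, consistent with the OVAL, e.g. a sentence that files which `rpm -qf` reports as not owned by any package are the ones needing investigation.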
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
index 9f3f3dc86c..9aa7f40161 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
@@ -41,5 +41,5 @@ references:
44eea6
 ocil_clause: 'only authorized files appear in the output of the find command'
44eea6
 
44eea6
 ocil: |-
44eea6
-    To find world-writable files, run the following command:
44eea6
-    
$ sudo find / -xdev -type f -perm -002
44eea6
+    To find SUID files, run the following command:
44eea6
+    
$ sudo find / -xdev -type f -perm -4000
44eea6
44eea6
From 4cd5fec7f7c71a475bbd5e9781dbfc38fdda5b92 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Wed, 16 Oct 2019 10:23:58 +0200
44eea6
Subject: [PATCH 5/6] Fix a typo
44eea6
44eea6
---
44eea6
 .../files/file_permissions_unauthorized_suid/rule.yml           | 2 +-
44eea6
 1 file changed, 1 insertion(+), 1 deletion(-)
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
index 9aa7f40161..6cfcff2e4b 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
@@ -5,7 +5,7 @@ title: 'Ensure All SUID Executables Are Authorized'
44eea6
 description: |-
44eea6
     The SUID (set user id) bit should be set only on files that were
44eea6
     installed via authorized means. A straightforward means of identifying
44eea6
-    unauthorized SGID files is determine if any were not installed as part of an
44eea6
+    unauthorized SUID files is determine if any were not installed as part of an
44eea6
     RPM package, which is cryptographically verified. Investigate the origin
44eea6
     of any unpackaged SUID files.
44eea6
     This configuration check considers authorized SUID files which were installed via RPM.
44eea6
44eea6
From 5cce2c77ae93750442a9635929786fb265834310 Mon Sep 17 00:00:00 2001
44eea6
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
44eea6
Date: Wed, 16 Oct 2019 11:19:54 +0200
44eea6
Subject: [PATCH 6/6] Add prodtype
44eea6
44eea6
This rule has OVAL only for RHEL, Fedora, OL and WRLinux.
44eea6
We can specify it in prodtype to prevent its inclusion to datastreams
44eea6
for products where this rule isn't applicable
44eea6
---
44eea6
 .../files/file_permissions_unauthorized_sgid/rule.yml           | 2 ++
44eea6
 .../files/file_permissions_unauthorized_suid/rule.yml           | 2 ++
44eea6
 2 files changed, 4 insertions(+)
44eea6
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
index d03e7bf980..de627fbe7e 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
44eea6
@@ -2,6 +2,8 @@ documentation_complete: true
44eea6
 
44eea6
 title: 'Ensure All SGID Executables Are Authorized'
44eea6
 
44eea6
+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019
44eea6
+
44eea6
 description: |-
44eea6
     The SGID (set group id) bit should be set only on files that were
44eea6
     installed via authorized means. A straightforward means of identifying
44eea6
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
index 6cfcff2e4b..27946fb86a 100644
44eea6
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
44eea6
@@ -2,6 +2,8 @@ documentation_complete: true
44eea6
 
44eea6
 title: 'Ensure All SUID Executables Are Authorized'
44eea6
 
44eea6
+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019
44eea6
+
44eea6
 description: |-
44eea6
     The SUID (set user id) bit should be set only on files that were
44eea6
     installed via authorized means. A straightforward means of identifying