[Open-scap] RHEL5, Character Special Files, & Extended ACLs

Simon Lukasik slukasik at redhat.com
Thu Jul 3 15:40:07 UTC 2014


On 06/25/2014 07:05 PM, Trey Henefield wrote:
> Greetings,
>
> I am using OpenSCAP v1.0.8 and am experiencing an odd behavior.
>
> I am developing a rule to check for extended ACLs on audio devices, as
> is required not to exist per the RHEL5 STIG.
>
> The rule processes correctly on RHEL6 but not RHEL5. On RHEL5, it shows
> the extended ACL flag being set to true. However, I have verified that
> no extended ACLs exist by validating that no ‘+’ sign is present next to
> the display of permissions for each respective file.
>

Hello Trey,

I have dug into the issue and found out that the rhel5 sound system does
not support ACLs. Hence you see different results on rhel5 vs. on rhel6.

     # setfacl -m u:nobody:rw- /dev/snd/pcmC1D0p
     setfacl: /dev/snd/pcmC1D0p: Operation not supported

In OVAL System Characteristics specification [1] I have found the
following snippet:

     If the file or directory doesn't have an ACL, or it matches the
     standard UNIX permissions, the value will be 'false'. Otherwise, if
     a file or directory has an ACL, the value will be 'true'. If the
     system does not support ACLs, the status will be 'does not exist'
     and if the system supports ACLs, the status will be 'exists'.

OpenSCAP reported a "true" result as advised by the "Otherwise" statement.
But I figured out that it would be better to report 'does not exist'.

Hence, I changed OpenSCAP behavior from

     <unix-sys:has_extended_acl datatype="boolean">true</unix-sys:has_extended_acl>

to

     <unix-sys:has_extended_acl datatype="boolean" state="does not exist"/>

when extended attributes are not available [2].

Best regards,

-- 
Simon Lukasik
Security Technologies, Red Hat, Inc.

[1]: 
http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/unix-system-characteristics-schema.html
[2]: 
https://git.fedorahosted.org/cgit/openscap.git/commit/?id=0e6c214708fcfa34d724180003beeafb7de069b6
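The three outcomes Simon quotes from the OVAL System Characteristics spec (value 'false', value 'true', status 'does not exist') map onto three distinct results of reading the ACL extended attribute on Linux. The following is an added illustration, not OpenSCAP's probe code and not part of the original thread: it reads the `system.posix_acl_access` xattr directly, parses the kernel's on-disk ACL format (version 2 header, then 8-byte tag/perm/id entries), and reports 'false' when the ACL only restates the owner/group/other mode bits, 'true' when it carries named-user, named-group or mask entries, and status 'does not exist' when the filesystem or device answers ENOTSUP, as `/dev/snd/*` does on rhel5 in the report above. The function and item names, and the constructed ACL blobs used in the demo, are assumptions of this example.

```python
import errno
import os
import struct
import tempfile

# Linux "system.posix_acl_access" xattr layout (see include/uapi/linux/posix_acl_xattr.h):
#   __le32 a_version (== 2), followed by entries of (__le16 e_tag, __le16 e_perm, __le32 e_id).
ACL_XATTR = "system.posix_acl_access"
ACL_VERSION = 2
ENTRY = struct.Struct("<HHI")

# e_tag values; the three *_OBJ/OTHER entries are just the mode bits restated.
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20)
EXTENDED_TAGS = {ACL_USER, ACL_GROUP, ACL_MASK}

# Errno spellings differ across platforms; fall back to the Linux values.
_ENODATA = (errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA))
_ENOTSUP = (errno.ENOTSUP, getattr(errno, "EOPNOTSUPP", errno.ENOTSUP))


def build_acl(entries):
    """Serialise (tag, perm, id) tuples into an ACL xattr blob (used for constructed test data)."""
    return struct.pack("<I", ACL_VERSION) + b"".join(ENTRY.pack(*e) for e in entries)


def parse_acl(blob):
    """Return the list of (tag, perm, id) entries in an ACL xattr blob, validating the framing."""
    if len(blob) < 4:
        raise ValueError("truncated ACL header")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_VERSION:
        raise ValueError("unsupported ACL xattr version %d" % version)
    body = blob[4:]
    if len(body) % ENTRY.size:
        raise ValueError("truncated ACL entry")
    return [ENTRY.unpack_from(body, off) for off in range(0, len(body), ENTRY.size)]


def is_extended(blob):
    """OVAL 'true' only if the ACL carries entries beyond the owner/group/other triple."""
    return any(tag in EXTENDED_TAGS for tag, _perm, _id in parse_acl(blob))


def has_extended_acl_item(path):
    """Build a dict shaped like the OVAL has_extended_acl entity: status plus boolean value.

    Hypothetical helper for this example, not OpenSCAP's probe. Distinguishes:
      - xattr present            -> status 'exists', value from is_extended()
      - xattr absent (ENODATA)   -> status 'exists', value False (plain mode bits only)
      - ACLs unsupported (ENOTSUP) -> status 'does not exist', no value (the rhel5 /dev/snd case)
    """
    if not hasattr(os, "getxattr"):  # non-Linux Python lacks os.getxattr
        return {"status": "not collected", "value": None}
    try:
        blob = os.getxattr(path, ACL_XATTR)
    except OSError as e:
        if e.errno in _ENODATA:
            return {"status": "exists", "value": False}
        if e.errno in _ENOTSUP:
            return {"status": "does not exist", "value": None}
        raise
    return {"status": "exists", "value": is_extended(blob)}


if __name__ == "__main__":
    # Constructed blobs: a minimal ACL equal to mode 0660, and one granting u:nobody(99):rw-.
    minimal = build_acl([(ACL_USER_OBJ, 6, 0xFFFFFFFF), (ACL_GROUP_OBJ, 6, 0xFFFFFFFF),
                         (ACL_OTHER, 0, 0xFFFFFFFF)])
    extended = minimal[:4] + build_acl([(ACL_USER, 6, 99), (ACL_MASK, 6, 0xFFFFFFFF)])[4:] \
        + minimal[4:]
    print("minimal ACL extended?", is_extended(minimal))
    print("u:nobody:rw- ACL extended?", is_extended(extended))
    with tempfile.NamedTemporaryFile() as f:
        print(f.name, has_extended_acl_item(f.name))
    for dev in ("/dev/null", "/dev/snd/pcmC1D0p"):
        if os.path.exists(dev):
            print(dev, has_extended_acl_item(dev))
```

Run it on a rhel5 box against `/dev/snd/pcmC1D0p` and the device path should come back with status 'does not exist' rather than a value of true, which is exactly the behaviour the linked commit switches OpenSCAP to; on a filesystem where `ls -l` shows no `+`, a regular file yields `{'status': 'exists', 'value': False}`.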