[Open-scap] RHEL5, Character Special Files, & Extended ACLs

Trey Henefield trey.henefield at ultra-ats.com
Mon Jul 7 12:32:58 UTC 2014


Thank you sir for looking into this. That did not occur to me, but certainly makes sense in the way you described it. Much appreciated!

Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Simon Lukasik [mailto:slukasik at redhat.com] 
Sent: Thursday, July 03, 2014 10:40 AM
To: Trey Henefield
Cc: open-scap-list
Subject: Re: [Open-scap] RHEL5, Character Special Files, & Extended ACLs

On 06/25/2014 07:05 PM, Trey Henefield wrote:
> Greetings,
>
> I am using OpenSCAP v1.0.8 and am experiencing an odd behavior.
>
> I am developing a rule to check for extended ACLs on audio devices, as 
> is required not to exist per the RHEL5 STIG.
>
> The rule processes correctly on RHEL6 but not RHEL5. On RHEL5, it 
> shows the extended ACL flag being set to true. However, I have 
> verified that no extended ACLs exist by validating that no '+' sign is 
> present next to the display of permissions for each respective file.
>

Hello Trey,

I have dug into the issue and found out that the rhel5 sound system does not support ACLs. Hence you see different results on rhel5 vs. on rhel6.

     # setfacl -m u:nobody:rw- /dev/snd/pcmC1D0p
     setfacl: /dev/snd/pcmC1D0p: Operation not supported

In OVAL System Characteristics specification [1] I have found the following snippet:

     If the file or directory doesn't have an ACL, or it matches the
     standard UNIX permissions, the value will be 'false'. Otherwise, if
     a file or directory has an ACL, the value will be 'true'. If the
     system does not support ACLs, the status will be 'does not exist'
     and if the system supports ACLs, the status will be 'exists'.

OpenSCAP reported a "true" result as advised by the "Otherwise" statement.
But I figured out that it would be better to report 'does not exist'.

Hence, I changed OpenSCAP behavior from

     <unix-sys:has_extended_acl datatype="boolean">true</unix-sys:has_extended_acl>

to

     <unix-sys:has_extended_acl datatype="boolean" state="does not exist"/>

when extended attributes are not available [2].

Best regards,

--
Simon Lukasik
Security Technologies, Red Hat, Inc.

[1]: http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/unix-system-characteristics-schema.html
[2]: https://git.fedorahosted.org/cgit/openscap.git/commit/?id=0e6c214708fcfa34d724180003beeafb7de069b6
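The three-way outcome described in the reply above (value 'false', value 'true', or status 'does not exist' when the object cannot carry an ACL at all, as with the RHEL5 /dev/snd nodes) can be reproduced directly from the extended attributes that Linux stores POSIX ACLs in. The following is an added illustration, not OpenSCAP's own code: it reads the same `system.posix_acl_access` / `system.posix_acl_default` attributes that libacl's `acl_extended_file()` inspects, and takes an injectable `getxattr` so the ENOTSUP case can be exercised with constructed data on any machine. The 4-byte-header-plus-8-byte-entries size rule is the libacl/kernel xattr layout; the `fake_getxattr_for` helper and the `/dev/snd/pcmC1D0p` sample inputs are constructed for the demonstration.

```python
import errno
import os
from typing import Callable, Optional

# xattr names under which Linux stores POSIX ACLs (what getfacl/libacl read).
ACL_ACCESS_XATTR = "system.posix_acl_access"
ACL_DEFAULT_XATTR = "system.posix_acl_default"
# xattr layout: 4-byte version header + 8-byte entries. An access ACL that only
# restates owner/group/other has exactly 3 entries; anything larger is extended.
ACL_TRIVIAL_SIZE = 4 + 3 * 8

_NO_ATTR = {errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA)}
_UNSUPPORTED = {errno.ENOTSUP, getattr(errno, "EOPNOTSUPP", errno.ENOTSUP)}


def has_extended_acl(path: str, getxattr: Optional[Callable] = None) -> Optional[bool]:
    """OVAL has_extended_acl: True/False, or None for status 'does not exist'
    (the object cannot carry an ACL at all, e.g. RHEL5 /dev/snd nodes)."""
    getxattr = getxattr or os.getxattr      # real lookup unless a stand-in is injected
    try:
        access = getxattr(path, ACL_ACCESS_XATTR)
    except OSError as exc:
        if exc.errno in _UNSUPPORTED:
            return None                     # driver/filesystem has no ACL support
        if exc.errno not in _NO_ATTR:
            raise
        access = b""                        # no access ACL stored at all
    if len(access) > ACL_TRIVIAL_SIZE:
        return True                         # named user/group/mask entries present
    try:
        getxattr(path, ACL_DEFAULT_XATTR)
    except OSError as exc:
        if exc.errno in _UNSUPPORTED:
            return None
        if exc.errno not in _NO_ATTR:
            raise
        return False                        # ACL, if any, matches the mode bits
    return True                             # any default ACL counts as extended


def fake_getxattr_for(attrs: dict, unsupported: bool = False) -> Callable:
    """Constructed stand-in for os.getxattr so all three outcomes can be exercised
    without a RHEL5 box; keys are (path, xattr_name) -> raw attribute bytes."""
    def _get(path: str, name: str) -> bytes:
        if unsupported:
            raise OSError(errno.ENOTSUP, "Operation not supported", path)
        if (path, name) not in attrs:
            raise OSError(errno.ENODATA, "No data available", path)
        return attrs[(path, name)]
    return _get
```

Calling `has_extended_acl("/dev/snd/pcmC1D0p")` with the default `os.getxattr` on a RHEL5 host hits the ENOTSUP branch, which is the case the patched OpenSCAP now reports as `state="does not exist"` instead of `true`.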
