-
Notifications
You must be signed in to change notification settings - Fork 706
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Increase the robustness of OVAL check
The previous check was reporting "unknown" when there is no password defined in the /etc/shadow file of the checked system. Before, it was not clear the reason for the unknown result. Therefore, a new test was included to check if passwords are inexistent in the system. The rule is no longer reporting "unknown" and the generated reports are more clearly informing which checks passed or not.
- Loading branch information
1 parent
a5f853a
commit 8def7b5
Showing
1 changed file
with
39 additions
and
31 deletions.
There are no files selected for viewing
70 changes: 39 additions & 31 deletions
70
...ts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,51 +1,59 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("All password change date is in the past.") }}} | ||
| <criteria> | ||
| <criterion comment="passward last change was in the past" | ||
| test_ref="test_accounts_password_last_change_time_secs"/> | ||
| {{{ oval_metadata("All passwords last change date is in the past.") }}} | ||
| <criteria operator="OR"> | ||
| <criterion test_ref="test_accounts_password_last_change_is_in_past" | ||
| comment="All passwords last change date is in the past"/> | ||
| <criterion test_ref="test_accounts_password_last_change_is_in_past_no_pass" | ||
| comment="There is no password defined in /etc/shadow"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <local_variable id="var_accounts_password_last_change_time_secs" datatype="int" version="1" | ||
| comment="last change component of password entry"> | ||
| <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1"> | ||
| <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password> | ||
| </unix:shadow_state> | ||
|
|
||
| <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1"> | ||
| <unix:username operation="pattern match">.*</unix:username> | ||
| <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter> | ||
| </unix:shadow_object> | ||
|
|
||
| <local_variable id="var_accounts_password_last_change_time_secs" version="1" | ||
| datatype="int" comment="last change field of shadow entry in seconds"> | ||
| <arithmetic arithmetic_operation="multiply"> | ||
| <object_component object_ref="object_accounts_password_all_chage_in_past" | ||
| item_field="chg_lst"/> | ||
| item_field="chg_lst"/> | ||
| <literal_component datatype="int">86400</literal_component> | ||
| </arithmetic> | ||
| </arithmetic> | ||
| </local_variable> | ||
|
|
||
| <local_variable id="var_accounts_password_last_change_time_diff" datatype="int" version="1" | ||
| comment="last change component of password entry compared to current time"> | ||
| comment="time difference between the last change field of shadow entry and the current time"> | ||
| <time_difference format_2="seconds_since_epoch"> | ||
| <variable_component var_ref="var_accounts_password_last_change_time_secs"/> | ||
| <variable_component var_ref="var_accounts_password_last_change_time_secs"/> | ||
| </time_difference> | ||
| </local_variable> | ||
|
|
||
| <ind:variable_object id="object_accounts_password_last_change_time_diff" version="1"> | ||
| <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref> | ||
| </ind:variable_object> | ||
|
|
||
| <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1"> | ||
| <!-- With negative time I actually get very big number so instead | ||
| of checking greater than zero I am checking if less than 1000 years --> | ||
| <ind:value datatype="int" operation="less than or equal">86400000</ind:value> | ||
| </ind:variable_state> | ||
|
|
||
| <ind:variable_test check="all" check_existence="all_exist" | ||
| id="test_accounts_password_last_change_time_secs" version="1" | ||
| comment="Check if the password chage time is less than equal than today."> | ||
| <ind:variable_test id="test_accounts_password_last_change_is_in_past" version="1" | ||
| check="all" check_existence="all_exist" | ||
| comment="Check if the password last chage time is less than or equal today."> | ||
| <ind:object object_ref="object_accounts_password_last_change_time_diff"/> | ||
| <ind:state state_ref="state_accounts_password_last_change_time_diff"/> | ||
| </ind:variable_test> | ||
| </ind:variable_test> | ||
|
|
||
| <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1"> | ||
| <unix:username operation="pattern match">.*</unix:username> | ||
| <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter> | ||
| </unix:shadow_object> | ||
| <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1"> | ||
| <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password> | ||
| </unix:shadow_state> | ||
| <ind:variable_object id="object_accounts_password_last_change_time_diff" version="1"> | ||
| <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref> | ||
| </ind:variable_object> | ||
|
|
||
| <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1"> | ||
| <!-- With negative time I actually get very big number so instead | ||
| of checking greater than zero I am checking if less than 1000 years --> | ||
| <ind:value datatype="int" operation="less than or equal">86400000</ind:value> | ||
| </ind:variable_state> | ||
|
|
||
| <unix:shadow_test id="test_accounts_password_last_change_is_in_past_no_pass" version="1" | ||
| check="all" check_existence="none_exist" | ||
| comment="Check the inexistence of users with a password defined"> | ||
| <unix:object object_ref="object_accounts_password_all_chage_in_past"/> | ||
| </unix:shadow_test> | ||
| </def-group> |