Unify handling of file permissions checks

 * Uses a single template, create_permissions.py, to generate all
   unix attribute checks (mode, uid, gid)
 * Removes create_file_groupowner.py, create_file_owner.py, and
   create_file_permissions.py
 * Updates file_dir_permissions.csv to contain checks from other csvs
 * Updates rules, profiles, and overlays to match new names
 * Removes shadowing checks and remediations

Signed-off-by: Alexander Scheel <[email protected]>

Author: cipherboy

Diff for: fedora/templates/csv/file_dir_permissions.csv

@@ -1,2 +1,11 @@
-/etc,gshadow,0,0,0000
 /etc,shadow,0,0,0000
+/etc,gshadow,0,0,0000
+/etc,passwd,0,0,0644
+/etc,group,0,0,0644
+/etc,cron.allow,,,0644,cron_allow
+/etc/httpd/conf.d,*,,,0640,httpd_server_conf_d_files
+/etc/httpd/conf,*,,,0640,httpd_server_conf_files
+/etc/ssh,*.pub,,,0644,sshd_pub_key
+/etc/ssh,*_key,,,0600,sshd_private_key
+/etc/httpd/conf.modules.d,*,,,0640,https_server_modules_files
+/boot/grub,grub.conf,0,0,600,grub_conf

Diff for: fedora/templates/csv/file_groupowner.csv

@@ -20,6 +20,6 @@ selections:
     - file_owner_etc_passwd
     - file_groupowner_etc_passwd
     - file_permissions_etc_passwd
-    - file_user_owner_grub2_cfg
-    - file_group_owner_grub2_cfg
+    - file_owner_grub2_cfg
+    - file_groupowner_grub2_cfg
     - package_libreswan_installed

Diff for: fedora/templates/csv/file_owner.csv

@@ -1,4 +1,4 @@
 /etc,shadow,0,0,0000
 /etc,group,0,0,0644
 /etc,passwd,0,0,0644
-#/boot/grub,grub.conf,0,0,600 # different filename
+/boot/grub,grub.conf,0,0,600,grub_conf

Diff for: linux_os/guide/system/bootloader-grub-legacy/file_group_owner_grub_conf.rule renamed to linux_os/guide/system/bootloader-grub-legacy/file_groupowner_grub_conf.rule

@@ -0,0 +1 @@
+/etc,cron.allow,0,0,0644,cron_allow

Diff for: linux_os/guide/system/bootloader-grub-legacy/file_user_owner_grub_conf.rule renamed to linux_os/guide/system/bootloader-grub-legacy/file_owner_grub_conf.rule

@@ -96,11 +96,11 @@
 		<VMSinfo VKey="38500" SVKey="50301" VRelease="2" />
 		<title>The root account must be the only account having a UID of 0.</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="userowner_shadow_file" ownerid="RHEL-06-000033" disa="366" severity="medium">
+	<overlay owner="disastig" ruleid="file_owner_etc_shadow" ownerid="RHEL-06-000033" disa="366" severity="medium">
 		<VMSinfo VKey="38502" SVKey="50303" VRelease="1" />
 		<title>The /etc/shadow file must be owned by root.</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="groupowner_shadow_file" ownerid="RHEL-06-000034" disa="366" severity="medium">
+	<overlay owner="disastig" ruleid="file_groupowner_etc_shadow" ownerid="RHEL-06-000034" disa="366" severity="medium">
 		<VMSinfo VKey="38503" SVKey="50304" VRelease="1" />
 		<title>The /etc/shadow file must be group-owned by root.</title>
 	</overlay>
@@ -212,11 +212,11 @@
 		<VMSinfo VKey="38577" SVKey="50378" VRelease="1" />
 		<title>The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="file_user_owner_grub_conf" ownerid="RHEL-06-000065" disa="366" severity="medium">
+	<overlay owner="disastig" ruleid="file_owner_grub_conf" ownerid="RHEL-06-000065" disa="366" severity="medium">
 		<VMSinfo VKey="38579" SVKey="50380" VRelease="1" />
 		<title>The system boot loader configuration file(s) must be owned by root.</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="file_group_owner_grub_conf" ownerid="RHEL-06-000066" disa="366" severity="medium">
+	<overlay owner="disastig" ruleid="file_groupowner_grub_conf" ownerid="RHEL-06-000066" disa="366" severity="medium">
 		<VMSinfo VKey="38581" SVKey="50382" VRelease="1" />
 		<title>The system boot loader configuration file(s) must be group-owned by root.</title>
 	</overlay>

Diff for: linux_os/guide/system/bootloader-grub2/file_group_owner_efi_grub2_cfg.rule renamed to linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg.rule

@@ -1548,7 +1548,7 @@ rule=no_files_unowned_by_group manual=no
 <note ref="22339" auth="KS">
 Check does exist in the RHEL6 prose, it can be automated and the OVAL for it 
 does exist.
-rule=userowner_shadow_file manual=no
+rule=file_owner_etc_shadow manual=no
 </note>
 
 <note ref="22347" auth="KS">

Diff for: linux_os/guide/system/bootloader-grub2/file_group_owner_grub2_cfg.rule renamed to linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg.rule

@@ -54,8 +54,8 @@ selections:
     - package_setroubleshoot_removed
     - package_mcstrans_removed
     - selinux_confinement_of_daemons
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - file_permissions_grub_conf
     - grub_legacy_password
     - require_singleuser_auth
@@ -185,8 +185,8 @@ selections:
     - file_permissions_etc_group
     - file_owner_etc_passwd
     - file_groupowner_etc_passwd
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_owner_etc_gshadow
     - file_groupowner_etc_gshadow
     - file_owner_etc_group

Diff for: linux_os/guide/system/bootloader-grub2/file_user_owner_efi_grub2_cfg.rule renamed to linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg.rule

@@ -133,8 +133,8 @@ selections:
     - audit_rules_file_deletion_events
     - securetty_root_login_console_only
     - no_direct_root_logins
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_gshadow
     - file_groupowner_etc_gshadow
@@ -151,8 +151,8 @@ selections:
     - file_ownership_binary_dirs
     - gid_passwd_group_same
     - file_permissions_home_dirs
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - file_permissions_grub_conf
     - sysctl_fs_suid_dumpable
     - service_restorecond_enabled

Diff for: linux_os/guide/system/bootloader-grub2/file_user_owner_grub2_cfg.rule renamed to linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg.rule

@@ -118,7 +118,7 @@ selections:
     - file_groupowner_etc_gshadow
     - file_groupowner_etc_passwd
     - rsyslog_files_groupownership
-    - groupowner_shadow_file
+    - file_groupowner_etc_shadow
     - file_permissions_httpd_server_conf_files
     - dir_perms_var_log_httpd
     - httpd_servertokens_prod
@@ -253,7 +253,7 @@ selections:
     - file_owner_etc_gshadow
     - file_owner_etc_passwd
     - "!rsyslog_files_ownership"
-    - userowner_shadow_file
+    - file_owner_etc_shadow
     - wireless_disable_in_bios
     - "!dir_perms_world_writable_system_owned"
     - grub_legacy_disable_interactive_boot

Diff for: linux_os/guide/system/permissions/files/permissions_important_account_files/groupowner_shadow_file.rule renamed to linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow.rule

@@ -28,8 +28,8 @@ selections:
     - var_umask_for_daemons=022
     - sshd_disable_root_login
     - umask_for_daemons
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_group
     - file_groupowner_etc_group

Diff for: linux_os/guide/system/permissions/files/permissions_important_account_files/userowner_shadow_file.rule renamed to linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow.rule

@@ -49,8 +49,8 @@ selections:
     - rpm_verify_permissions
     - file_permissions_var_log_audit
     - file_ownership_var_log_audit
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_group
     - file_groupowner_etc_group

Diff for: ol7/profiles/pci-dss.profile

@@ -95,15 +95,15 @@ selections:
     - set_password_hashing_algorithm_systemauth
     - set_password_hashing_algorithm_logindefs
     - set_password_hashing_algorithm_libuserconf
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_group
     - file_groupowner_etc_group
     - file_permissions_etc_group
     - file_owner_etc_passwd
     - file_groupowner_etc_passwd
     - file_permissions_etc_passwd
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - package_libreswan_installed

Diff for: ol7/templates/csv/file_dir_permissions.csv

@@ -56,8 +56,8 @@ selections:
     - set_password_hashing_algorithm_logindefs
     - set_password_hashing_algorithm_libuserconf
     - require_singleuser_auth
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_gshadow
     - file_groupowner_etc_gshadow
@@ -73,8 +73,8 @@ selections:
     - file_permissions_binary_dirs
     - file_ownership_binary_dirs
     - file_permissions_var_log_audit
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - file_permissions_grub_conf
     - grub_legacy_password
     - sysctl_kernel_randomize_va_space

Diff for: ol7/templates/csv/file_groupowner.csv

@@ -37,8 +37,8 @@ selections:
     - dir_perms_world_writable_sticky_bits
     - accounts_password_all_shadowed
     - accounts_no_uid_except_zero
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_gshadow
     - file_groupowner_etc_gshadow
@@ -68,8 +68,8 @@ selections:
     - set_password_hashing_algorithm_systemauth
     - set_password_hashing_algorithm_logindefs
     - set_password_hashing_algorithm_libuserconf
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - file_permissions_grub_conf
     - grub_legacy_password
     - require_singleuser_auth

Diff for: ol7/templates/csv/file_owner.csv

@@ -43,8 +43,8 @@ selections:
     - file_owner_etc_gshadow
     - file_groupowner_etc_gshadow
     - file_permissions_etc_shadow
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_group
     - file_owner_etc_group
     - file_groupowner_etc_group
@@ -102,8 +102,8 @@ selections:
     - accounts_umask_etc_csh_cshrc
     - accounts_umask_etc_profile
     - accounts_umask_etc_login_defs
-    - file_user_owner_grub_conf
-    - file_group_owner_grub_conf
+    - file_owner_grub_conf
+    - file_groupowner_grub_conf
     - file_permissions_grub_conf
     - grub_legacy_password
     - grub_legacy_disable_interactive_boot

Diff for: opensuse/templates/csv/file_dir_permissions.csv

@@ -1,5 +1,11 @@
 /etc,shadow,0,0,0000
 /etc,gshadow,0,0,0000
 /etc,passwd,0,0,0644
-/etc,group,0,0,0000
-#/boot/grub,grub.conf,0,0,600 # different filename
+/etc,group,0,0,0644
+/etc,cron.allow,0,0,0644,cron_allow
+/etc/httpd/conf.d,*,,,0640,httpd_server_conf_d_files
+/etc/httpd/conf,*,,,0640,httpd_server_conf_files
+/etc/ssh,*.pub,,,0644,sshd_pub_key
+/etc/ssh,*_key,,,0600,sshd_private_key
+/etc/httpd/conf.modules.d,*,,,0640,https_server_modules_files
+/boot/grub,grub.conf,0,0,600,grub_conf

Diff for: opensuse/templates/csv/file_groupowner.csv

@@ -49,8 +49,8 @@ selections:
     - service_rhnsd_disabled
     - package_aide_installed
     - aide_periodic_cron_checking
-    - file_user_owner_grub2_cfg
-    - file_group_owner_grub2_cfg
+    - file_owner_grub2_cfg
+    - file_groupowner_grub2_cfg
     - file_permissions_grub2_cfg
     - grub2_password
     - grub2_uefi_password
@@ -227,8 +227,8 @@ selections:
     - file_owner_etc_passwd
     - file_groupowner_etc_passwd
     - file_permissions_etc_passwd
-    - userowner_shadow_file
-    - groupowner_shadow_file
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_group
     - file_groupowner_etc_group