From 21e1f0ba03a5cbb406f35060b111607e709cee6c Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 15:50:45 +0100 Subject: [PATCH 1/3] Improve rule description in rpm_verify_permissions Also update warning about high consume of system resources in some scenarios. --- .../rpm_verify_permissions/rule.yml | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml index 5ba5ce1f030..d48f48391c4 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -5,27 +5,24 @@ prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8 title: 'Verify and Correct File Permissions with RPM' description: |- - The RPM package management system can check file access permissions - of installed software packages, including many that are important - to system security. - Verify that the file permissions of system files - and commands match vendor values. Check the file permissions - with the following command: + The RPM package management system can check file access permissions of installed software + packages, including many that are important to system security. Verify that the file + permissions of system files and commands match vendor values. Check the file permissions with + the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults. - After locating a file with incorrect permissions, - run the following command to determine which package owns it: + + After locating a file with incorrect permissions, run the following command to determine which + package owns it:
$ rpm -qf FILENAME

- Next, run the following command to reset its permissions to - the correct values: + Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
rationale: |- - Permissions on system binaries and configuration files that are too generous - could allow an unauthorized user to gain privileges that they should not have. - The permissions set by the vendor should be maintained. Any deviations from - this baseline should be investigated. + Permissions on system binaries and configuration files that are too generous could allow an + unauthorized user to gain privileges that they should not have. The permissions set by the + vendor should be maintained. Any deviations from this baseline should be investigated. severity: high @@ -74,7 +71,6 @@ fixtext: |- $ sudo rpm -qf [path to file] - Reset the permissions of files within a package with the following command: $ sudo rpm --setperms [package] @@ -83,7 +79,11 @@ srg_requirement: '{{{ full_name }}} must be configured so that the file permissi warnings: - general: |- - Profiles may require that specific files have stricter file permissions than defined by the - vendor. - Such files will be reported as a finding and need to be evaluated according to your policy - and deployment environment. + Profiles may require that specific files have stricter file permissions than defined by + the vendor. Such files will be reported as a finding and need to be evaluated according to + your policy and deployment environment. + - general: |- + This rule can take a long time to perform the check and might consume a considerable + amount of resources depending on the number of packages present on the system. It is not a + problem in most cases, but especially systems with a large number of installed packages + can be affected. See https://access.redhat.com/articles/6999111. From c8af50998d4ea9f140e723cfb40b4a4a74abdb6d Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Thu, 30 Nov 2023 15:57:10 +0100 Subject: [PATCH 2/3] Improved OVAL readability in rpm_verify_permissions It was not identified opportunities to increase performance during the check. So the changes were limited to readability. --- .../rpm_verify_permissions/oval/shared.xml | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml index 66e3dea2032..6c73f41fbac 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml @@ -1,17 +1,20 @@ - - {{{ oval_metadata("Verify the permissions of installed packages - by comparing the installed files with information about the - files taken from the package metadata stored in the RPM - database.") }}} + + {{{ oval_metadata("Verify the permissions of installed packages by comparing the installed + files with information about the files taken from the package metadata stored in the RPM + database.") }}} - + - - - - + + + fail + + + .* .* @@ -19,9 +22,12 @@ .* .* .* - state_files_fail_mode + state_rpm_verify_permissions_files_fail_mode - - fail - + + + + From ddb6efb93626aba2f3d9cd0f80d663b55473cfd1 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 5 Dec 2023 13:02:47 +0100 Subject: [PATCH 3/3] Show rhel article in warning only to rhel products --- .../rpm_verification/rpm_verify_permissions/rule.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml index d48f48391c4..ea6ff69f9bf 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -86,4 +86,7 @@ warnings: This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of packages present on the system. It is not a problem in most cases, but especially systems with a large number of installed packages - can be affected. See https://access.redhat.com/articles/6999111. + can be affected. + {{% if "rhel" in product %}} + See https://access.redhat.com/articles/6999111. + {{% endif %}}
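Review bot: The guard `{{% if "rhel" in product %}}` selects by substring of the product id, so every `rhel*` product sees the article but `rhcos4`, which this rule's prodtype also lists and which is Red Hat-based, does not; if the article's guidance applies to RHCOS too the condition should be widened, and if the link is intentionally RHEL-only a one-line comment saying so would spare the next reader the question. Because the conditional sits inside the `|-` block scalar, the rendered warning relies on the template engine dropping the `{{% if %}}`/`{{% endif %}}` lines; presumably the project's Jinja settings strip them, but the non-RHEL rendering is worth checking for trailing blank lines. The warnings list begins outside this hunk.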