Review rpm_verify_permissions rule #11335
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also update warning about high consume of system resources in some scenarios.
It was not identified opportunities to increase performance during the check. So the changes were limited to readability.
marcusburghardt
added
the
Update Rule
marcusburghardt
changed the title
10 tasks
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -3,27 +3,32 @@
Verify and Correct File Permissions with RPM
[description]:
-The RPM package management system can check file access permissions
-of installed software packages, including many that are important
-to system security.
-Verify that the file permissions of system files
-and commands match vendor values. Check the file permissions
-with the following command:
+The RPM package management system can check file access permissions of installed software
+packages, including many that are important to system security. Verify that the file
+permissions of system files and commands match vendor values. Check the file permissions with
+the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults.
-After locating a file with incorrect permissions,
-run the following command to determine which package owns it:
+
+After locating a file with incorrect permissions, run the following command to determine which
+package owns it:
$ rpm -qf FILENAME
-Next, run the following command to reset its permissions to
-the correct values:
+Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
[warning]:
-Profiles may require that specific files have stricter file permissions than defined by the
-vendor.
-Such files will be reported as a finding and need to be evaluated according to your policy
-and deployment environment.
+Profiles may require that specific files have stricter file permissions than defined by
+the vendor. Such files will be reported as a finding and need to be evaluated according to
+your policy and deployment environment.
+
+[warning]:
+This rule can take a long time to perform the check and might consume a considerable
+amount of resources depending on the number of packages present on the system. It is not a
+problem in most cases, but especially systems with a large number of installed packages
+can be affected.
+
+See https://access.redhat.com/articles/6999111.
[reference]:
1
@@ -386,10 +391,9 @@
6.1.9
[rationale]:
-Permissions on system binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.
+Permissions on system binaries and configuration files that are too generous could allow an
+unauthorized user to gain privileges that they should not have. The permissions set by the
+vendor should be maintained. Any deviations from this baseline should be investigated.
[ident]:
CCE-80858-4
OVAL for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions' differs.
--- oval:ssg-rpm_verify_permissions:def:1
+++ oval:ssg-rpm_verify_permissions:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_verify_all_rpms_mode:tst:1
+criterion oval:ssg-test_rpm_verify_permissions:tst:1 |
jan-cerny
reviewed
Dec 4, 2023
| This rule can take a long time to perform the check and might consume a considerable | ||
| amount of resources depending on the number of packages present on the system. It is not a | ||
| problem in most cases, but especially systems with a large number of installed packages | ||
| can be affected. See <code>https://access.redhat.com/articles/6999111</code>. |
There was a problem hiding this comment.
I think that the link to the article should be present only in RHEL products because users who aren't Red Hat customers can't access this page.
|
Code Climate has analyzed commit ddb6efb and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%. View more on Code Climate. |
jan-cerny
approved these changes
Dec 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR extract the commits related to
rpm_verify_permissionsfrom #11319It:
Rationale:
Better description and awareness of possible performance issues in the rule.
Better OVAL readability.
Review Hints:
Automatus tests should be enough.