
RHEL7 rule Verify and Correct File Permissions with RPM #2336

Closed
bgjoseluis opened this issue Sep 19, 2017 · 3 comments
Labels
bugfix Fixes to reported bugs.

@bgjoseluis (Contributor)

Hello,

just trying to help.

In RHEL7, the rule "Verify and Correct File Permissions with RPM" asks for "Check the file permissions, ownership, and group membership".

To check if it is ok, and detect which files are wrong, the guide proposes:

rpm -Va | grep '^.M'

But the character M only warns for "Mode differs (includes permissions and file type)":

Details:
man rpm
....
S file Size differs
M Mode differs (includes permissions and file type)
5 digest (formerly MD5 sum) differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ
...

To check ownership and membership too, could it be better to use the below command?
rpm -Va |awk '$1 ~ /[MUG]/{print $3}'

Example

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

uname -a
Linux localhost.localdomain 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

rpm -Va |awk '$1 ~ /[MUG]/{print $0}'
ls -l /etc/nsswitch.conf
-rw-r--r--. 1 root root 1723 Sep 19 13:10 /etc/nsswitch.conf

chown root:joseluis /etc/nsswitch.conf
ls -l /etc/nsswitch.conf
-rw-r--r--. 1 root joseluis 1723 Sep 19 13:10 /etc/nsswitch.conf
rpm -Va |awk '$1 ~ /[MUG]/{print $0}'
......G.. c /etc/nsswitch.conf

chown joseluis:joseluis /etc/nsswitch.conf
rpm -Va |awk '$1 ~ /[MUG]/{print $0}'
.....UG.. c /etc/nsswitch.conf

Please take care that in RHEL6 guides, the same rule is only related to permissions, not to the owner and any group.

Many thanks for your help and time.

JLBG

PS: please excuse me if I have not expressed myself correctly; English is not my natural language.
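A worked illustration, added here and not code from the issue or from scap-security-guide: a Python parser for rpm -Va output that applies the mode/user/group filter discussed above. It keys on the letters rather than on field position, so lines without the file-type marker column (where awk's $3 would be empty), "missing" entries and the 8-column RHEL6 format are all handled; the sample output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# rpm -Va test letters in column order (man rpm): 9 columns on RHEL7's rpm 4.11,
# 8 on RHEL6's rpm 4.8, which has no P. "." = same, "?" = test not possible.
FLAG_LETTERS = "SM5DLUGTP"
OWNERSHIP_FLAGS = frozenset("MUG")  # the three checks this rule is about

# Fields: test, optional type marker (c, d, g, l, r), path; "missing" replaces test.
LINE_RE = re.compile(r"^(?P<test>[SM5DLUGTP.?]{8,9}|missing)\s+"
                     r"(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")

class VerifyLine(NamedTuple):
    path: str
    flags: frozenset          # letters that differ; empty for "missing"
    file_type: Optional[str]  # 'c' for config files, None when no marker
    missing: bool

def parse_rpm_verify(output: str) -> List[VerifyLine]:
    """Parse rpm -Va text; non-result lines (e.g. 'Unsatisfied dependencies') are skipped."""
    records = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        missing = m.group("test") == "missing"
        flags = frozenset() if missing else frozenset(
            ch for ch in m.group("test") if ch in FLAG_LETTERS)
        records.append(VerifyLine(m.group("path"), flags, m.group("type"), missing))
    return records

def ownership_violations(records: List[VerifyLine]) -> Dict[str, str]:
    """Map path -> differing M/U/G letters in column order. Files that differ only
    in size, digest or mtime (edited configs) or are missing are not reported."""
    found = {}
    for rec in records:
        hit = rec.flags & OWNERSHIP_FLAGS
        if hit:
            found[rec.path] = "".join(sorted(hit, key="MUG".index))
    return found

# Constructed sample, not captured from a real host; line 1 mirrors the issue.
SAMPLE_OUTPUT = """\
......G..  c /etc/nsswitch.conf
.....UG..  c /etc/hosts
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/share/doc/foo/README
..?......    /var/lib/foo
"""
```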

@matusmarhefka (Member)

@bgjoseluis Hello, after looking at the OVAL definitions for this rule in ./shared/oval/rpm_verify_permissions.xml I found out that the OVAL checks are correct: they check for mode, user ownership and group ownership.

What needs to be fixed is the description of the rule in ./shared/xccdf/system/software/integrity.xml and also its remediation in ./shared/templates/static/bash/rpm_verify_permissions.sh. The remediation only corrects the mode, but not the user and group ownership.

Thank you for pointing this out. Are you planning to fix this in a pull request?

matusmarhefka added the bugfix label on Sep 25, 2017
@bgjoseluis (Contributor, Author)

Thanks @matusmarhefka.

Yes, just give me a few days.

@bgjoseluis (Contributor, Author)

@matusmarhefka, PR done: #2387.

Any comment will be welcome.

redhatrises added this to the 0.1.36 milestone on Sep 28, 2017
redhatrises pushed a commit to redhatrises/scap-security-guide that referenced this issue on Oct 23, 2017