10 changes: 4 additions & 6 deletions shared/oval/rpm_verify_hashes.xml
Expand Up @@ -5,18 +5,16 @@
<affected family="unix">
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhel</platform>
:w
</affected>
<description>Verify the RPM digests of system binaries using the RPM database.</description>
</metadata>
<criteria>
<criterion test_ref="test_files_fail_md5_hash" comment="verify file md5 hashes" />
</criteria>
</definition>
<!-- NOTE: If you examine the regex below you notice that I am only interested in files containing -->
<!-- "bin/" in the path. This essentially narrows our focus down to system executables in directories -->
<!-- such as /sbin, /usr/bin, and such. After testing I decided that doing it this way was most -->
<!-- effective at reducing the false positives. If you look at the state below you will notice that I -->
<!-- NOTE: If you examine the regex below you notice that we are interested in /bin, /sbin, /lib, /lib64 -->
<!-- and /usr directories. This narrows the search down to executables, libraries and supporting content. -->
<!-- If you look at the state below you will notice that I -->
<!-- commented out several attributes. The current rpmverify object has methods to distinguish between -->
<!-- configuration files, documentation files, etc. Using these discriminators in the state reduced -->
<!-- the number of false positives, but it did not eliminate them. I left them commented out to serve -->
Expand All @@ -31,7 +29,7 @@
<linux:version operation="pattern match">.*</linux:version>
<linux:release operation="pattern match">.*</linux:release>
<linux:arch operation="pattern match">.*</linux:arch>
<linux:filepath operation="pattern match">^.*bin/.*$</linux:filepath>
<linux:filepath operation="pattern match">^/(bin|sbin|lib|lib64|usr)/.+$</linux:filepath>
<filter action="include">state_files_fail_md5_hash</filter>
</linux:rpmverifyfile_object>
<linux:rpmverifyfile_state id="state_files_fail_md5_hash" version="1" operator="AND">
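Review bot: The rewritten NOTE comment (the `and /usr directories` line) drops the earlier rationale that the narrow path filter was chosen to reduce false positives, and the following line still begins `If you look at the state below you will notice that I`, so the block now switches from "we" to "I" mid-thought. Since the filepath pattern in the second hunk now covers everything under /usr, including documentation and data files, while the comment further down says the state discriminators that distinguish such files are still commented out, it would help to state why that trade-off is acceptable, e.g. `<!-- NOTE: the filepath regex below limits verification to /bin, /sbin, /lib, /lib64 and /usr, i.e. executables, libraries and supporting content; files under /usr that are not binaries are included because the state discriminators remain commented out (see below). -->`. The rpmverifyfile_object that holds the filepath pattern starts outside the second hunk.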
2 changes: 1 addition & 1 deletion shared/templates/static/ansible/rpm_verify_hashes.yml
Expand Up @@ -15,7 +15,7 @@
when: ansible_distribution == "RedHat"

- name: "Read files with incorrect hash"
shell: "rpm -Va | grep -E '^..5.*s?bin/' | sed -r 's;^.*\\s+(.+);\\1;g'"
shell: "rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | sed -r 's;^.*\\s+(.+);\\1;g'"
register: files_with_incorrect_hash
changed_when: False
when: package_manager_reinstall_cmd is defined
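Review bot: The widened grep on the `shell:` line now lists every file under /bin, /sbin, /lib, /lib64 and /usr whose digest differs, but nothing in the pipeline skips entries that rpm marks as config files (the type column between the attribute flags and the path), so a deliberately edited config file in those trees would be handed to the reinstall step; if that is not intended, and I recall the `rpm -V` column layout correctly, a `grep -Ev '^.{9}  c '` before the sed would drop them, and the decision should be recorded in a comment either way. The same directory list is hard-coded in the OVAL filepath pattern in shared/oval/rpm_verify_hashes.xml, so a comment such as `# keep the directory list in sync with shared/oval/rpm_verify_hashes.xml` above the task would help the next maintainer. As a point of style, the task's `changed_when: False` is better written as `changed_when: false`, which is the conventional Ansible boolean form.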