Add rpm_verify_ownership to rhel7 XCCDF

- Fixes ComplianceAsCode#2336
redhatrises · Oct 23, 2017 · d1380d0 · d1380d0
1 parent 26f9cc2
commit d1380d0
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/rhel7/profiles/stig-rhel7-disa.xml b/rhel7/profiles/stig-rhel7-disa.xml
@@ -56,6 +56,7 @@ Storage deployments.
 
 <!-- SRG-OS-000257-GPOS-00098, SV-86473r2_rule, RHEL-07-010010 -->
 <select idref="rpm_verify_permissions" selected="true" />
+<select idref="rpm_verify_ownership" selected="true" />
 
 <!-- SRG-OS-000480-GPOS-00227, SV-86479r2_rule, RHEL-07-010020 -->
 <select idref="rpm_verify_hashes" selected="true" />

diff --git a/shared/xccdf/system/software/integrity.xml b/shared/xccdf/system/software/integrity.xml
@@ -310,6 +310,42 @@ Bugzilla #1275532.
 <ref nist="AC-6,AU-9(1),AU-9(3),CM-6(d),CM-6(3)" disa="1494,1496" pcidss="Req-11.5" cis="1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3" srg="SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108" cjis="5.10.4.1" cui="3.3.8,3.4.1" />
 </Rule>
 
+<Rule id="rpm_verify_ownership" severity="high" prodtype="rhel7">
+<title>Verify and Correct Ownership with RPM</title>
+<description>
+The RPM package management system can check file ownership
+permissions of installed software packages, including many that are
+important to system security. After locating a file with incorrect
+permissions, which can be found with
+<pre>rpm -Va | grep "^.....\(U\|.G\)"</pre>
+run the following command to determine which package owns it:
+<pre>$ rpm -qf <i>FILENAME</i></pre>
+Next, run the following command to reset its permissions to
+the correct values:
+<pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre>
+</description>
+<ocil clause="there is output">
+The following command will list which files on the system have ownership different from what
+is expected by the RPM database:
+<pre>$ rpm -Va | grep "^.....\(U\|.G\)"</pre>
+</ocil>
+<rationale>
+Ownership of binaries and configuration files that is incorrect
+could allow an unauthorized user to gain privileges that they should
+not have. The ownership set by the vendor should be maintained. Any
+deviations from this baseline should be investigated.
+</rationale>
+<warning category="general">Note: Due to a bug in the <tt>gdm</tt> package, the
+RPM verify command may continue to fail even after file permissions have been
+correctly set on <tt>/var/log/gdm</tt>. This is being tracked in Red Hat
+Bugzilla #1275532.
+</warning>
+<ident prodtype="rhel7" cce="TBD" />
+<oval id="rpm_verify_ownership" />
+<ref prodtype="rhel7" stigid="TBD" />
+<ref nist="AC-6,AU-9(1),AU-9(3),CM-6(d),CM-6(3)" disa="1494,1496" pcidss="Req-11.5" cis="1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3" srg="SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108" cjis="5.10.4.1" cui="3.3.8,3.4.1" />
+</Rule>
+
 <Rule id="rpm_verify_hashes" severity="high" prodtype="rhel7">
 <title>Verify File Hashes with RPM</title>
 <description>Without cryptographic integrity protections, system