Review rpm_verify_permissions rule #11335
Also update the warning about high consumption of system resources in some scenarios.
No opportunities to increase the performance of the check were identified, so the changes were limited to readability.
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -3,27 +3,32 @@
Verify and Correct File Permissions with RPM
[description]:
-The RPM package management system can check file access permissions
-of installed software packages, including many that are important
-to system security.
-Verify that the file permissions of system files
-and commands match vendor values. Check the file permissions
-with the following command:
+The RPM package management system can check file access permissions of installed software
+packages, including many that are important to system security. Verify that the file
+permissions of system files and commands match vendor values. Check the file permissions with
+the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults.
-After locating a file with incorrect permissions,
-run the following command to determine which package owns it:
+
+After locating a file with incorrect permissions, run the following command to determine which
+package owns it:
$ rpm -qf FILENAME
-Next, run the following command to reset its permissions to
-the correct values:
+Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
[warning]:
-Profiles may require that specific files have stricter file permissions than defined by the
-vendor.
-Such files will be reported as a finding and need to be evaluated according to your policy
-and deployment environment.
+Profiles may require that specific files have stricter file permissions than defined by
+the vendor. Such files will be reported as a finding and need to be evaluated according to
+your policy and deployment environment.
+
+[warning]:
+This rule can take a long time to perform the check and might consume a considerable
+amount of resources depending on the number of packages present on the system. It is not a
+problem in most cases, but especially systems with a large number of installed packages
+can be affected.
+
+See https://access.redhat.com/articles/6999111.
[reference]:
1
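Review bot: the remediation step in this hunk, `$ sudo rpm --setperms PACKAGENAME`, resets every file of the package to the vendor mode, which can undo the stricter permissions that the first [warning] says profiles may require; suggest adding a sentence after the `--setperms` line telling the reader to re-apply the profile's own permission rules afterwards, or to correct only the files that the profile does not override. The new performance warning ends with a link to https://access.redhat.com/articles/6999111, which is on access.redhat.com; consider emitting that line only for RHEL-based products so that the generic description does not point at a page other users cannot open. Minor wording: "It is not a problem in most cases, but especially systems with a large number of installed packages can be affected." reads better as "This is usually not a problem, but systems with a large number of installed packages can be affected."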
@@ -386,10 +391,9 @@
6.1.9
[rationale]:
-Permissions on system binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.
+Permissions on system binaries and configuration files that are too generous could allow an
+unauthorized user to gain privileges that they should not have. The permissions set by the
+vendor should be maintained. Any deviations from this baseline should be investigated.
[ident]:
CCE-80858-4
OVAL for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions' differs.
--- oval:ssg-rpm_verify_permissions:def:1
+++ oval:ssg-rpm_verify_permissions:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_verify_all_rpms_mode:tst:1
+criterion oval:ssg-test_rpm_verify_permissions:tst:1 |
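Review bot: the criterion now references `oval:ssg-test_rpm_verify_permissions:tst:1` instead of `oval:ssg-test_verify_all_rpms_mode:tst:1`, but this hunk shows only the reference changing; please confirm that the test definition itself, and the object and state it points to, were renamed with the same `rpm_verify_permissions` prefix, and that nothing else in the content still references the old `verify_all_rpms_mode` id, so the generated datastream has no dangling references.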
Review comment on the new warning text in the rule source:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of packages present on the system. It is not a
problem in most cases, but especially systems with a large number of installed packages
can be affected. See <code>https://access.redhat.com/articles/6999111</code>.
I think that the link to the article should be present only in RHEL products because users who aren't Red Hat customers can't access this page.
Done
Code Climate has analyzed commit ddb6efb and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%.
I think that the failure on SLE15 can be ignored because it happens due to a problematic file, not because of the rule.
Description:
This PR extracts the commits related to rpm_verify_permissions from #11319. It:
Rationale:
Better description and awareness of possible performance issues in the rule.
Better OVAL readability.
Review Hints:
Automatus tests should be enough.