Verify and Correct Ownership with RPM
An XCCDF Rule
Description
The RPM package management system can verify the owner and group of files installed by software packages, including many that are important to system security. In rpm -V output the sixth and seventh flag characters report a user (U) or group (G) mismatch against the package database, so files with incorrect ownership can be listed with:

rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

Note that this prints only the last whitespace-separated field, so a path that contains spaces appears truncated. For each file found, run the following command to determine which package owns it:

$ rpm -qf FILENAME

Next, run the following command to reset the owner and group of every file in that package to the values recorded in the package:

$ sudo rpm --setugids PACKAGENAME
Warning
Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
Warning
This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of packages present on the system. This is not a problem in most cases, but systems with a large number of installed packages can be noticeably affected.
Rationale
Incorrect ownership of binaries and configuration files could allow an unauthorized user to gain privileges they should not have. The ownership set by the vendor should be maintained, and any deviation from this baseline should be investigated.
- ID
- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
- Severity
- High
Remediation - Ansible
- name: Read list of files with incorrect ownership
  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
    --nocaps --nolinkto --nomode
  register: files_with_incorrect_ownership
  failed_when: files_with_incorrect_ownership.rc > 1
  changed_when: false
Remediation - Shell Script
# Declare an associative array to hold the set of RPM packages whose files
# need their owner/group reset (the variable name is shared with the
# permissions rule's script)
declare -A SETPERMS_RPM_DICT
# Create a list of files on the system whose owner or group differs from what
# is expected by the RPM database
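The shell remediation above is cut off on this page, and the Description gives the same procedure as three separate commands. The following is an added, complete example of that procedure; it is not the SSG rule's shipped remediation. It keeps the flag-position logic of the Description's awk command but preserves paths containing spaces, maps findings to packages with rpm -qf, and resets them with rpm --setugids. The rpm -V output embedded in it is constructed for illustration, and the --fix/--scan arguments are this script's own convention, not rpm options.

```sh
#!/bin/sh
# Added example, not part of the SSG rule content or its shipped remediation:
# an end-to-end implementation of the procedure in the Description (find files
# whose owner or group differs from the RPM database, map them to packages,
# reset them with rpm --setugids). The sample rpm -V output below is constructed.
set -e

# rpm -V prints one line per file with a discrepancy:
#   <9 flag chars>  <attr char or space> <path>
# Flag order is S M 5 D L U G T P, so position 6 is U (user mismatch) and
# position 7 is G (group mismatch); '.' means that attribute verified fine.
# The attribute char is one of c d g l r, or a space for ordinary files.

# ownership_findings: read rpm -V output on stdin, print the path of every file
# flagged U or G. Unlike 'print $NF', this keeps paths that contain spaces.
ownership_findings() {
    awk '
        # "missing" and "Unsatisfied dependencies" lines have no 9-char flag field.
        length($1) == 9 && (substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G") {
            line = $0
            sub(/^[^ ]+ +/, "", line)      # strip the flag field and following spaces
            sub(/^[cdglr] +/, "", line)    # strip the file attribute marker, if present
            print line
        }'
}

# owning_packages: read paths on stdin, print the distinct packages owning them.
# Requires rpm; the query itself does not need root.
owning_packages() {
    while IFS= read -r path; do
        rpm -qf "$path"
    done | sort -u
}

# remediate: run the full scan and reset owner/group for every affected package.
# Must run as root. rpm -Va exits 1 when it reports discrepancies, which is
# expected here; without pipefail the pipeline status comes from the loop.
# Re-run the scan afterwards: files a profile requires to be root-owned against
# the vendor default (see the first Warning) will still be reported.
remediate() {
    rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev \
        --nocaps --nolinkto --nomode \
        | ownership_findings \
        | owning_packages \
        | while IFS= read -r pkg; do
            printf 'Resetting owner/group for package %s\n' "$pkg"
            rpm --setugids "$pkg"
        done
}

# Constructed sample of rpm -V output: one file with user and group mismatch,
# one with only a user mismatch, one with a group mismatch and a space in its
# path, one with size/digest/mtime changes only, one with a mode change only,
# and one missing file. Only the first three are ownership findings.
SAMPLE_RPM_V_OUTPUT='.....UG..  c /etc/sample.conf
.....U...    /usr/bin/sample
......G..    /usr/lib/sample dir/lib.so
S.5....T.  c /etc/unrelated.conf
.M.......    /usr/bin/mode-only
missing     /usr/share/doc/gone'

# demo_findings: run the parser over the constructed sample (no rpm needed).
demo_findings() {
    printf '%s\n' "$SAMPLE_RPM_V_OUTPUT" | ownership_findings
}

case "${1:-}" in
    --fix)  remediate ;;      # e.g. sudo ./rpm_ownership.sh --fix
    --scan) rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev \
                --nocaps --nolinkto --nomode | ownership_findings ;;
    *)      demo_findings ;;  # default: show the parser on the constructed sample
esac
```

Running the script with no arguments exercises only the parser on the embedded sample and prints the three paths with ownership findings; --scan runs the real rpm -Va query with the same verification exclusions as the Ansible remediation, and --fix additionally resets ownership, so it must be run as root. Because --setugids acts on the whole package rather than a single file, one package that is listed several times is reset once thanks to sort -u.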