From b457ba1cf5ea6043a501ecc45f7a54c4de61b372 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 22 Jul 2019 15:26:48 +0200
Subject: [PATCH 1/6] Compare suid/sgid files with the RPM database
It is difficult to maintain a list of the paths of all possible suid
and sgid binaries in a Linux distribution. Instead, we can check if the
suid or sgid file is owned by an RPM package by consulting the RPM
database. Another advantage of this solution is that we can have a
single OVAL for all RPM-related Linux distributions. The patch modifies
OVAL for rules file_permissions_unauthorized_suid and
file_permissions_unauthorized_sgid and also adds test scenarios for
these rules.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1693026
---
.../oval/shared.xml | 131 ++++++++----------
.../oval/wrlinux.xml | 42 ------
.../tests/no_unpackaged_sgid.pass.sh | 10 ++
.../tests/unpackaged_sgid.fail.sh | 13 ++
.../oval/ol7.xml | 93 -------------
.../oval/ol8.xml | 93 -------------
.../oval/rhel6.xml | 99 -------------
.../oval/rhel7.xml | 95 -------------
.../oval/shared.xml | 62 +++++++++
.../oval/wrlinux.xml | 55 --------
.../tests/no_unpackaged_suid.pass.sh | 10 ++
.../tests/unpackaged_suid.fail.sh | 13 ++
12 files changed, 162 insertions(+), 554 deletions(-)
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
index de4b86c3e0..83988feec7 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
@@ -1,85 +1,62 @@
<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_sgid" version="2">
- <metadata>
- <title>Find setgid files system packages</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- <platform>multi_platform_ol</platform>
- </affected>
- <description>All files with setgid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setgid files" test_ref="check_setgid_files" />
- </criteria>
- </definition>
+ <definition id="file_permissions_unauthorized_sgid" version="1" class="compliance">
+ <metadata>
+ <title>Find SGID files that are not owned by RPM packages</title>
+ <affected family="unix">
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_ol</platform>
+ <platform>multi_platform_wrlinux</platform>
+ </affected>
+ <description>Evaluates to true if all files with SGID set are owned by RPM packages.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check all sgid files" test_ref="test_file_permissions_unauthorized_sgid"/>
+ </criteria>
+ </definition>
- <unix:file_test check="all" check_existence="none_exist" comment="setgid files outside system RPMs" id="check_setgid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_sgid" />
- </unix:file_test>
+ <unix:file_test check="all" check_existence="none_exist" comment="sgid files outside system RPMs" id="test_file_permissions_unauthorized_sgid" version="1">
+ <unix:object object_ref="obj_file_permissions_unauthorized_sgid_unowned" />
+ </unix:file_test>
- <unix:file_object comment="files with sgid set" id="object_file_permissions_unauthorized_sgid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_sgid</filter>
- <filter action="exclude">state_sgid_whitelist</filter>
- </unix:file_object>
+ <unix:file_object comment="files with sgid set which are not owned by any RPM package" id="obj_file_permissions_unauthorized_sgid_unowned" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_file_permissions_unauthorized_sgid_sgid_set</filter>
+ <filter action="exclude">state_file_permissions_unauthorized_sgid_filepaths</filter>
+ </unix:file_object>
- <unix:file_state id="state_file_permissions_unauthorized_sgid" version="1">
- <unix:sgid datatype="boolean">true</unix:sgid>
- </unix:file_state>
+ <linux:rpmverifyfile_object id="obj_file_permissions_unauthorized_sgid_rpms" version="1" comment="all files with sgid set that come from a RPM package">
+ <linux:behaviors nolinkto="true" nomd5="true" nosize="true" nouser="true" nogroup="true" nomtime="true" nomode="true" nordev="true" />
+ <linux:name operation="pattern match">.*</linux:name>
+ <linux:epoch operation="pattern match">.*</linux:epoch>
+ <linux:version operation="pattern match">.*</linux:version>
+ <linux:release operation="pattern match">.*</linux:release>
+ <linux:arch operation="pattern match">.*</linux:arch>
+ <linux:filepath var_ref="var_file_permissions_unauthorized_sgid_all" operation="equals" var_check="all" />
+ </linux:rpmverifyfile_object>
- <!-- list of all setgid files included with base RHEL6,RHEL7,OL7 system -->
- <unix:file_state id="state_sgid_whitelist" version="1">
- <unix:filepath var_ref="var_sgid_whitelist" var_check="at least one" />
- </unix:file_state>
+ <unix:file_object comment="all files with sgid set" id="obj_file_permissions_unauthorized_sgid_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_file_permissions_unauthorized_sgid_sgid_set</filter>
+ </unix:file_object>
- <constant_variable id="var_sgid_whitelist" version="1" datatype="string" comment="sgid whitelist">
- {{% if product == "rhel6" %}}
- <value>/bin/cgclassify</value>
- <value>/bin/cgexec</value>
- <value>/sbin/netreport</value>
- {{% else %}}
- <value>/usr/bin/cgclassify</value>
- <value>/usr/bin/cgexec</value>
- <value>/usr/sbin/netreport</value>
- <value>/usr/lib/vte-2.90/gnome-pty-helper</value>
- <value>/usr/lib/vte-2.91/gnome-pty-helper</value>
- <value>/usr/lib64/vte/gnome-pty-helper</value>
- <value>/usr/lib64/vte-2.90/gnome-pty-helper</value>
- <value>/usr/lib64/vte-2.91/gnome-pty-helper</value>
- <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/libexec/openssh/ssh-keysign</value>
- {{% endif %}}
- <value>/usr/bin/crontab</value>
- <value>/usr/bin/gnomine</value>
- <value>/usr/bin/iagno</value>
- <value>/usr/bin/locate</value>
- <value>/usr/bin/lockfile</value>
- <value>/usr/bin/same-gnome</value>
- <value>/usr/bin/screen</value>
- <value>/usr/bin/ssh-agent</value>
- <value>/usr/bin/wall</value>
- <value>/usr/bin/write</value>
- <value>/usr/lib/vte/gnome-pty-helper</value>
- <value>/usr/libexec/kde4/kdesud</value>
- <value>/usr/libexec/utempter/utempter</value>
- <value>/usr/lib/mailman/cgi-bin/admindb</value>
- <value>/usr/lib/mailman/cgi-bin/admin</value>
- <value>/usr/lib/mailman/cgi-bin/confirm</value>
- <value>/usr/lib/mailman/cgi-bin/create</value>
- <value>/usr/lib/mailman/cgi-bin/edithtml</value>
- <value>/usr/lib/mailman/cgi-bin/listinfo</value>
- <value>/usr/lib/mailman/cgi-bin/options</value>
- <value>/usr/lib/mailman/cgi-bin/private</value>
- <value>/usr/lib/mailman/cgi-bin/rmlist</value>
- <value>/usr/lib/mailman/cgi-bin/roster</value>
- <value>/usr/lib/mailman/cgi-bin/subscribe</value>
- <value>/usr/lib/mailman/mail/mailman</value>
- <value>/usr/sbin/lockdev</value>
- <value>/usr/sbin/postdrop</value>
- <value>/usr/sbin/postqueue</value>
- <value>/usr/sbin/sendmail.sendmail</value>
- </constant_variable>
+ <unix:file_state id="state_file_permissions_unauthorized_sgid_sgid_set" version="1">
+ <unix:sgid datatype="boolean">true</unix:sgid>
+ </unix:file_state>
+ <unix:file_state id="state_file_permissions_unauthorized_sgid_filepaths" version="1">
+ <unix:filepath var_ref="var_file_permissions_unauthorized_sgid_rpms" var_check="at least one" />
+ </unix:file_state>
+
+ <local_variable id="var_file_permissions_unauthorized_sgid_rpms" datatype="string" version="1" comment="all files with sgid set that come from a RPM package">
+ <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_sgid_rpms" />
+ </local_variable>
+
+ <local_variable id="var_file_permissions_unauthorized_sgid_all" datatype="string" version="1" comment="all files with sgid set">
+ <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_sgid_files" />
+ </local_variable>
</def-group>
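Review bot: The rewritten definition line `<definition id="file_permissions_unauthorized_sgid" version="1" class="compliance">` lowers the definition version from the removed `version="2"` to `version="1"` while changing the check's logic; consumers that track OVAL definition versions would treat this as an older revision, so it should become `version="3"`. The description also no longer says what the check now accepts: `<linux:name operation="pattern match">.*</linux:name>` in the rpmverifyfile_object matches every package in the RPM database, not only base system packages, so a setgid file shipped by a locally built or third-party RPM is now treated as authorized, whereas the removed allowlist reported it. I would make that explicit, e.g. `<description>Evaluates to true if all files with SGID set are owned by RPM packages. Any package present in the RPM database counts, so SGID files installed by third-party packages are not reported.</description>`. For the same reason the test's `comment="sgid files outside system RPMs"` should drop "system". The suid counterpart added in this commit (file_permissions_unauthorized_suid/oval/shared.xml) carries the same description wording.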
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
deleted file mode 100644
index 962a26d5f3..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_sgid" version="2">
- <metadata>
- <title>Find setgid files system packages</title>
- <affected family="unix">
- <platform>Wind River Linux 8</platform>
- </affected>
- <description>All files with setgid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setgid files" test_ref="check_setgid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setgid files outside system RPMs" id="check_setgid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_sgid" />
- </unix:file_test>
-
- <unix:file_object comment="files with sgid set" id="object_file_permissions_unauthorized_sgid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_sgid</filter>
- <filter action="exclude">state_sgid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_sgid" version="1">
- <unix:sgid datatype="boolean">true</unix:sgid>
- </unix:file_state>
-
- <!-- list of all setgid files included with base WRL8 system -->
- <unix:file_state id="state_sgid_whitelist" version="1">
- <unix:filepath var_ref="var_sgid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_sgid_whitelist" version="1" datatype="string" comment="sgid whitelist">
- <value>/usr/bin/crontab</value>
- <value>/usr/sbin/postdrop</value>
- <value>/usr/sbin/postqueue</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
new file mode 100644
index 0000000000..adf6b6b959
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_standard
+# remediation = none
+
+for x in $(find / -perm /g=s) ; do
+ if ! rpm -qf $x ; then
+ rm -rf $x
+ fi
+done
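Review bot: The cleanup loop `rm -rf $x` deletes an entire directory tree whenever `find / -perm /g=s` returns a setgid directory that no package owns, and the `for x in $(find …)` form splits any path containing whitespace into separate `rpm -qf` arguments; the same loop is repeated in unpackaged_sgid.fail.sh. Since the scenario only needs the setgid bit removed, not the file, `chmod g-s` on a null-delimited, quoted path is the safer cleanup and works for directories as well as regular files. `rpm -qf` also prints its ownership result on every iteration, so redirecting it keeps the test log readable. Whether the OVAL `unix:file_object` is meant to count setgid directories at all is not visible here; if it is not, a `-type f` on the find would align the two.
```shell
find / -perm /g=s -print0 | while IFS= read -r -d '' x ; do
    if ! rpm -qf "$x" >/dev/null 2>&1 ; then
        chmod g-s "$x"
    fi
done
```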
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
new file mode 100644
index 0000000000..4aa273ca89
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_standard
+# remediation = none
+
+for x in $(find / -perm /g=s) ; do
+ if ! rpm -qf $x ; then
+ rm -rf $x
+ fi
+done
+
+touch /usr/bin/sgid_binary
+chmod g+xs /usr/bin/sgid_binary
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
deleted file mode 100644
index 6f4a87e3fb..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml
+++ /dev/null
@@ -1,93 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
- <metadata>
- <title>Find setuid files from system packages</title>
- <affected family="unix">
- <platform>Oracle Linux 7</platform>
- </affected>
- <description>All files with setuid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_suid" />
- </unix:file_test>
-
- <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_suid</filter>
- <filter action="exclude">state_suid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
- <unix:suid datatype="boolean">true</unix:suid>
- </unix:file_state>
-
-<!-- List of all setuid files included with base OL7 system -->
-<!-- KEEP THE LIST BELOW SORTED !!! -->
- <unix:file_state id="state_suid_whitelist" version="1">
- <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
- <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/bin/at</value>
- <value>/usr/bin/chage</value>
- <value>/usr/bin/chfn</value>
- <value>/usr/bin/chsh</value>
- <value>/usr/bin/crontab</value>
- <value>/usr/bin/fusermount</value>
- <value>/usr/bin/gpasswd</value>
- <value>/usr/bin/ksu</value>
- <value>/usr/bin/mount</value>
- <value>/usr/bin/newgrp</value>
- <value>/usr/bin/passwd</value>
- <value>/usr/bin/pkexec</value>
- <value>/usr/bin/staprun</value>
- <value>/usr/bin/sudoedit</value>
- <value>/usr/bin/sudo</value>
- <value>/usr/bin/su</value>
- <value>/usr/bin/umount</value>
- <value>/usr/bin/Xorg</value>
- <value>/usr/lib64/amanda/application/amgtar</value>
- <value>/usr/lib64/amanda/application/amstar</value>
- <value>/usr/lib64/amanda/calcsize</value>
- <value>/usr/lib64/amanda/dumper</value>
- <value>/usr/lib64/amanda/killpgrp</value>
- <value>/usr/lib64/amanda/planner</value>
- <value>/usr/lib64/amanda/rundump</value>
- <value>/usr/lib64/amanda/runtar</value>
- <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/lib/amanda/application/amgtar</value>
- <value>/usr/lib/amanda/application/amstar</value>
- <value>/usr/lib/amanda/calcsize</value>
- <value>/usr/lib/amanda/dumper</value>
- <value>/usr/lib/amanda/killpgrp</value>
- <value>/usr/lib/amanda/planner</value>
- <value>/usr/lib/amanda/rundump</value>
- <value>/usr/lib/amanda/runtar</value>
- <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
- <value>/usr/libexec/qemu-bridge-helper</value>
- <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
- <value>/usr/libexec/sssd/krb5_child</value>
- <value>/usr/libexec/sssd/ldap_child</value>
- <value>/usr/libexec/sssd/proxy_child</value>
- <value>/usr/libexec/sssd/selinux_child</value>
- <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
- <value>/usr/sbin/amcheck</value>
- <value>/usr/sbin/amservice</value>
- <value>/usr/sbin/mount.nfs</value>
- <value>/usr/sbin/pam_timestamp_check</value>
- <value>/usr/sbin/unix_chkpwd</value>
- <value>/usr/sbin/userhelper</value>
- <value>/usr/sbin/usernetctl</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
deleted file mode 100644
index f185efc221..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml
+++ /dev/null
@@ -1,93 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
- <metadata>
- <title>Find setuid files from system packages</title>
- <affected family="unix">
- <platform>Oracle Linux 8</platform>
- </affected>
- <description>All files with setuid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_suid" />
- </unix:file_test>
-
- <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_suid</filter>
- <filter action="exclude">state_suid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
- <unix:suid datatype="boolean">true</unix:suid>
- </unix:file_state>
-
-<!-- List of all setuid files included with base OL7 system -->
-<!-- KEEP THE LIST BELOW SORTED !!! -->
- <unix:file_state id="state_suid_whitelist" version="1">
- <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
- <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/bin/at</value>
- <value>/usr/bin/chage</value>
- <value>/usr/bin/chfn</value>
- <value>/usr/bin/chsh</value>
- <value>/usr/bin/crontab</value>
- <value>/usr/bin/fusermount</value>
- <value>/usr/bin/gpasswd</value>
- <value>/usr/bin/ksu</value>
- <value>/usr/bin/mount</value>
- <value>/usr/bin/newgrp</value>
- <value>/usr/bin/passwd</value>
- <value>/usr/bin/pkexec</value>
- <value>/usr/bin/staprun</value>
- <value>/usr/bin/sudoedit</value>
- <value>/usr/bin/sudo</value>
- <value>/usr/bin/su</value>
- <value>/usr/bin/umount</value>
- <value>/usr/bin/Xorg</value>
- <value>/usr/lib64/amanda/application/amgtar</value>
- <value>/usr/lib64/amanda/application/amstar</value>
- <value>/usr/lib64/amanda/calcsize</value>
- <value>/usr/lib64/amanda/dumper</value>
- <value>/usr/lib64/amanda/killpgrp</value>
- <value>/usr/lib64/amanda/planner</value>
- <value>/usr/lib64/amanda/rundump</value>
- <value>/usr/lib64/amanda/runtar</value>
- <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/lib/amanda/application/amgtar</value>
- <value>/usr/lib/amanda/application/amstar</value>
- <value>/usr/lib/amanda/calcsize</value>
- <value>/usr/lib/amanda/dumper</value>
- <value>/usr/lib/amanda/killpgrp</value>
- <value>/usr/lib/amanda/planner</value>
- <value>/usr/lib/amanda/rundump</value>
- <value>/usr/lib/amanda/runtar</value>
- <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
- <value>/usr/libexec/qemu-bridge-helper</value>
- <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
- <value>/usr/libexec/sssd/krb5_child</value>
- <value>/usr/libexec/sssd/ldap_child</value>
- <value>/usr/libexec/sssd/proxy_child</value>
- <value>/usr/libexec/sssd/selinux_child</value>
- <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
- <value>/usr/sbin/amcheck</value>
- <value>/usr/sbin/amservice</value>
- <value>/usr/sbin/mount.nfs</value>
- <value>/usr/sbin/pam_timestamp_check</value>
- <value>/usr/sbin/unix_chkpwd</value>
- <value>/usr/sbin/userhelper</value>
- <value>/usr/sbin/usernetctl</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
deleted file mode 100644
index 3a59897356..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml
+++ /dev/null
@@ -1,99 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
- <metadata>
- <title>Find setuid files from system packages</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>All files with setuid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_suid" />
- </unix:file_test>
-
- <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_suid</filter>
- <filter action="exclude">state_suid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
- <unix:suid datatype="boolean">true</unix:suid>
- </unix:file_state>
-
-<!-- list of all setuid files included with base RHEL6 system -->
- <unix:file_state id="state_suid_whitelist" version="1">
- <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
- <value>/bin/fusermount</value>
- <value>/bin/mount</value>
- <value>/bin/ping6</value>
- <value>/bin/ping</value>
- <value>/bin/su</value>
- <value>/bin/umount</value>
- <value>/lib64/dbus-1/dbus-daemon-launch-helper</value>
- <value>/lib/dbus-1/dbus-daemon-launch-helper</value>
- <value>/sbin/mount.ecryptfs_private</value>
- <value>/sbin/mount.nfs</value>
- <value>/sbin/pam_timestamp_check</value>
- <value>/sbin/unix_chkpwd</value>
- <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/bin/at</value>
- <value>/usr/bin/chage</value>
- <value>/usr/bin/chfn</value>
- <value>/usr/bin/chsh</value>
- <value>/usr/bin/crontab</value>
- <value>/usr/bin/gpasswd</value>
- <value>/usr/bin/kgrantpty</value>
- <value>/usr/bin/kpac_dhcp_helper</value>
- <value>/usr/bin/ksu</value>
- <value>/usr/bin/newgrp</value>
- <value>/usr/bin/newrole</value>
- <value>/usr/bin/passwd</value>
- <value>/usr/bin/pkexec</value>
- <value>/usr/bin/rcp</value>
- <value>/usr/bin/rlogin</value>
- <value>/usr/bin/rsh</value>
- <value>/usr/bin/sperl5.10.1</value>
- <value>/usr/bin/staprun</value>
- <value>/usr/bin/sudoedit</value>
- <value>/usr/bin/sudo</value>
- <value>/usr/bin/Xorg</value>
- <value>/usr/lib64/amanda/calcsize</value>
- <value>/usr/lib64/amanda/dumper</value>
- <value>/usr/lib64/amanda/killpgrp</value>
- <value>/usr/lib64/amanda/planner</value>
- <value>/usr/lib64/amanda/rundump</value>
- <value>/usr/lib64/amanda/runtar</value>
- <value>/usr/lib64/nspluginwrapper/plugin-config</value>
- <value>/usr/lib/amanda/calcsize</value>
- <value>/usr/lib/amanda/dumper</value>
- <value>/usr/lib/amanda/killpgrp</value>
- <value>/usr/lib/amanda/planner</value>
- <value>/usr/lib/amanda/rundump</value>
- <value>/usr/lib/amanda/runtar</value>
- <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
- <value>/usr/libexec/mc/cons.saver</value>
- <value>/usr/libexec/openssh/ssh-keysign</value>
- <value>/usr/libexec/polkit-1/polkit-agent-helper-1</value>
- <value>/usr/libexec/pt_chown</value>
- <value>/usr/libexec/pulse/proximity-helper</value>
- <value>/usr/lib/nspluginwrapper/plugin-config</value>
- <value>/usr/sbin/amcheck</value>
- <value>/usr/sbin/seunshare</value>
- <value>/usr/sbin/suexec</value>
- <value>/usr/sbin/userhelper</value>
- <value>/usr/sbin/usernetctl</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
deleted file mode 100644
index c48bda0ef6..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml
+++ /dev/null
@@ -1,95 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
- <metadata>
- <title>Find setuid files from system packages</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 7</platform>
- </affected>
- <description>All files with setuid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_suid" />
- </unix:file_test>
-
- <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_suid</filter>
- <filter action="exclude">state_suid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
- <unix:suid datatype="boolean">true</unix:suid>
- </unix:file_state>
-
-<!-- List of all setuid files included with base RHEL7 system -->
-<!-- KEEP THE LIST BELOW SORTED !!! -->
- <unix:file_state id="state_suid_whitelist" version="1">
- <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
- <value>/usr/bin/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/bin/at</value>
- <value>/usr/bin/chage</value>
- <value>/usr/bin/chfn</value>
- <value>/usr/bin/chsh</value>
- <value>/usr/bin/crontab</value>
- <value>/usr/bin/fusermount</value>
- <value>/usr/bin/gpasswd</value>
- <value>/usr/bin/ksu</value>
- <value>/usr/bin/mount</value>
- <value>/usr/bin/newgrp</value>
- <value>/usr/bin/passwd</value>
- <value>/usr/bin/pkexec</value>
- <value>/usr/bin/staprun</value>
- <value>/usr/bin/sudoedit</value>
- <value>/usr/bin/sudo</value>
- <value>/usr/bin/su</value>
- <value>/usr/bin/umount</value>
- <value>/usr/bin/Xorg</value>
- <value>/usr/lib64/amanda/application/amgtar</value>
- <value>/usr/lib64/amanda/application/amstar</value>
- <value>/usr/lib64/amanda/calcsize</value>
- <value>/usr/lib64/amanda/dumper</value>
- <value>/usr/lib64/amanda/killpgrp</value>
- <value>/usr/lib64/amanda/planner</value>
- <value>/usr/lib64/amanda/rundump</value>
- <value>/usr/lib64/amanda/runtar</value>
- <value>/usr/lib64/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/lib/amanda/application/amgtar</value>
- <value>/usr/lib/amanda/application/amstar</value>
- <value>/usr/lib/amanda/calcsize</value>
- <value>/usr/lib/amanda/dumper</value>
- <value>/usr/lib/amanda/killpgrp</value>
- <value>/usr/lib/amanda/planner</value>
- <value>/usr/lib/amanda/rundump</value>
- <value>/usr/lib/amanda/runtar</value>
- <value>/usr/lib/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache</value>
- <value>/usr/libexec/cockpit-session</value>
- <value>/usr/libexec/dbus-1/dbus-daemon-launch-helper</value>
- <value>/usr/libexec/kde4/kpac_dhcp_helper</value>
- <value>/usr/libexec/qemu-bridge-helper</value>
- <value>/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper</value>
- <value>/usr/libexec/sssd/krb5_child</value>
- <value>/usr/libexec/sssd/ldap_child</value>
- <value>/usr/libexec/sssd/proxy_child</value>
- <value>/usr/libexec/sssd/selinux_child</value>
- <value>/usr/lib/polkit-1/polkit-agent-helper-1</value>
- <value>/usr/sbin/amcheck</value>
- <value>/usr/sbin/amservice</value>
- <value>/usr/sbin/mount.nfs</value>
- <value>/usr/sbin/pam_timestamp_check</value>
- <value>/usr/sbin/unix_chkpwd</value>
- <value>/usr/sbin/userhelper</value>
- <value>/usr/sbin/usernetctl</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
new file mode 100644
index 0000000000..e83595c198
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
@@ -0,0 +1,62 @@
+<def-group>
+ <definition id="file_permissions_unauthorized_suid" version="1" class="compliance">
+ <metadata>
+ <title>Find SUID files that are not owned by RPM packages</title>
+ <affected family="unix">
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_ol</platform>
+ <platform>multi_platform_wrlinux</platform>
+ </affected>
+ <description>Evaluates to true if all files with SUID set are owned by RPM packages.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check all suid files" test_ref="test_file_permissions_unauthorized_suid"/>
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist" comment="suid files outside system RPMs" id="test_file_permissions_unauthorized_suid" version="1">
+ <unix:object object_ref="obj_file_permissions_unauthorized_suid_unowned" />
+ </unix:file_test>
+
+ <unix:file_object comment="files with suid set which are not owned by any RPM package" id="obj_file_permissions_unauthorized_suid_unowned" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_file_permissions_unauthorized_suid_suid_set</filter>
+ <filter action="exclude">state_file_permissions_unauthorized_suid_filepaths</filter>
+ </unix:file_object>
+
+ <linux:rpmverifyfile_object id="obj_file_permissions_unauthorized_suid_rpms" version="1" comment="all files with suid set that come from a RPM package">
+ <linux:behaviors nolinkto="true" nomd5="true" nosize="true" nouser="true" nogroup="true" nomtime="true" nomode="true" nordev="true" />
+ <linux:name operation="pattern match">.*</linux:name>
+ <linux:epoch operation="pattern match">.*</linux:epoch>
+ <linux:version operation="pattern match">.*</linux:version>
+ <linux:release operation="pattern match">.*</linux:release>
+ <linux:arch operation="pattern match">.*</linux:arch>
+ <linux:filepath var_ref="var_file_permissions_unauthorized_suid_all" operation="equals" var_check="all" />
+ </linux:rpmverifyfile_object>
+
+ <unix:file_object comment="all files with suid set" id="obj_file_permissions_unauthorized_suid_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_file_permissions_unauthorized_suid_suid_set</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_file_permissions_unauthorized_suid_suid_set" version="1">
+ <unix:suid datatype="boolean">true</unix:suid>
+ </unix:file_state>
+
+ <unix:file_state id="state_file_permissions_unauthorized_suid_filepaths" version="1">
+ <unix:filepath var_ref="var_file_permissions_unauthorized_suid_rpms" var_check="at least one" />
+ </unix:file_state>
+
+ <local_variable id="var_file_permissions_unauthorized_suid_rpms" datatype="string" version="1" comment="all files with suid set that come from a RPM package">
+ <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_suid_rpms" />
+ </local_variable>
+
+ <local_variable id="var_file_permissions_unauthorized_suid_all" datatype="string" version="1" comment="all files with suid set">
+ <object_component item_field="filepath" object_ref="obj_file_permissions_unauthorized_suid_files" />
+ </local_variable>
+</def-group>
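Review bot: The exclude filter backed by `state_file_permissions_unauthorized_suid_filepaths` proves only that the RPM database lists the path, not that the file at that path is intact: every verification behavior on `obj_file_permissions_unauthorized_suid_rpms` is switched off (`nomd5`, `nomode`, `nosize`, …), so a packaged SUID binary that has been replaced or re-moded in place is still treated as authorized, as is anything owned by a package installed with signature checking disabled. That is a defensible split of duties with the RPM verification rules, but the rule description calls the package "cryptographically verified", so the limit should be stated in the OVAL; I would put above the rpmverifyfile_object: `<!-- Ownership check only: all verify behaviors are disabled, so a modified or replaced packaged SUID file still counts as authorized; integrity and signature enforcement are left to the RPM verification and gpgcheck rules. -->`. Two things to confirm in the engine rather than assume: the whole local tree is walked twice (`obj_file_permissions_unauthorized_suid_files` and `..._unowned` both recurse from `/` with `max_depth="-1"`) unless collections are cached, and on a host with no packaged SUID file at all `var_file_permissions_unauthorized_suid_rpms` is empty, so the exclude filter's handling of an empty variable decides whether the test errors or reports every SUID file.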
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
deleted file mode 100644
index 8306d38211..0000000000
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_unauthorized_suid" version="1">
- <metadata>
- <title>Find setuid files from system packages</title>
- <affected family="unix">
- <platform>Wind River Linux 8</platform>
- </affected>
- <description>All files with setuid should be owned by a base system package</description>
- </metadata>
- <criteria>
- <criterion comment="Check all setuid files" test_ref="check_setuid_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="check_setuid_files" version="1">
- <unix:object object_ref="object_file_permissions_unauthorized_suid" />
- </unix:file_test>
-
- <unix:file_object comment="files with suid set" id="object_file_permissions_unauthorized_suid" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
- <unix:path operation="equals">/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_file_permissions_unauthorized_suid</filter>
- <filter action="exclude">state_suid_whitelist</filter>
- </unix:file_object>
-
- <unix:file_state id="state_file_permissions_unauthorized_suid" version="1">
- <unix:suid datatype="boolean">true</unix:suid>
- </unix:file_state>
-
-<!-- List of all setuid files included with base WRL8 system -->
-<!-- KEEP THE LIST BELOW SORTED !!! -->
- <unix:file_state id="state_suid_whitelist" version="1">
- <unix:filepath var_ref="var_suid_whitelist" var_check="at least one" />
- </unix:file_state>
-
- <constant_variable id="var_suid_whitelist" version="1" datatype="string" comment="suid whitelist">
- <value>/bin/su.shadow</value>
- <value>/bin/su.util-linux</value>
- <value>/usr/bin/chage</value>
- <value>/usr/bin/chfn.shadow</value>
- <value>/usr/bin/chsh.shadow</value>
- <value>/usr/bin/expiry</value>
- <value>/usr/bin/gpasswd</value>
- <value>/usr/bin/newgidmap</value>
- <value>/usr/bin/newgrp.shadow</value>
- <value>/usr/bin/newuidmap</value>
- <value>/usr/bin/passwd.shadow</value>
- <value>/usr/bin/sudo</value>
- <value>/usr/lib64/dbus/dbus-daemon-launch-helper</value>
- <value>/usr/sbin/unix_chkpwd</value>
- <value>/usr/sbin/vlock-main</value>
- </constant_variable>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
new file mode 100644
index 0000000000..e6e5a29fb3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_standard
+# remediation = none
+
+for x in $(find / -perm /u=s) ; do
+ if ! rpm -qf $x ; then
+ rm -rf $x
+ fi
+done
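Review bot: The cleanup loop starting at `for x in $(find / -perm /u=s)` removes matches with `rm -rf`, and without `-type f` a directory carrying the setuid bit would have its whole subtree deleted; `rpm -qf` also answers for packaged directories, so ownership only shields the packaged ones. The unquoted `$x` splits paths on whitespace, and `rpm -qf` prints a package name to stdout for every packaged file, cluttering the scenario log. I would replace the loop with `find / -type f -perm /u=s -print0 | while IFS= read -r -d '' x; do`, `    rpm -qf "$x" >/dev/null 2>&1 || rm -f "$x"`, `done`. The identical loop is duplicated in the matching fail scenario and would take the same change.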
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
new file mode 100644
index 0000000000..f05f1821ec
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_standard
+# remediation = none
+
+for x in $(find / -perm /u=s) ; do
+ if ! rpm -qf $x ; then
+ rm -rf $x
+ fi
+done
+
+touch /usr/bin/suid_binary
+chmod u+xs /usr/bin/suid_binary
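Review bot: The fixture at `touch /usr/bin/suid_binary` followed by `chmod u+xs` is sufficient for the OVAL, which keys on the suid bit alone, but the cleanup loop above it repeats the pass scenario's unquoted `$(find / -perm /u=s)` expansion and `rm -rf` without `-type f`, so a whitespace path or a setuid directory would be mishandled here too. Since this scenario only needs to leave one unpackaged SUID file behind, the loop is arguably unnecessary if the test VM starts from a clean snapshot; if it stays, quote and narrow it: `rpm -qf "$x" >/dev/null 2>&1 || rm -f "$x"`. A one-line comment such as `# Ensure the only unpackaged SUID file is the one created below` would also tell the next reader why a fail scenario cleans up first.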
From 359400441acb2290af7e5ff49942dec01cb39a43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 9 Aug 2019 08:44:59 +0200
Subject: [PATCH 2/6] Describe the logic of the check in rule description
---
.../files/file_permissions_unauthorized_sgid/rule.yml | 5 +++++
.../files/file_permissions_unauthorized_suid/rule.yml | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index f039eea88c..9bad52d9b2 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -8,6 +8,11 @@ description: |-
unauthorized SGID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SGID files.
+ This configuration check whitelists SGID files which were installed via RPM.
+ It is assumed that when an individual has sudo access to install an RPM
+ and all packages are signed with an organizationally-recognized GPG key,
+ the software should be considered an approved package on the system.
+ Any SGID file not deployed through an RPM will be flagged for further review.
rationale: |-
Executable files with the SGID permission run with the privileges of
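Review bot: The added line `and all packages are signed with an organizationally-recognized GPG key` states an assumption the check does not enforce: the OVAL in this series decides authorization purely by RPM database ownership, so SGID files from a package installed with signature checking disabled are treated exactly like signed ones. I would make the dependency explicit, for example `This check relies on GPG signature verification being enforced at package installation time; it does not itself verify signatures or file integrity.` The SUID rule carries the same paragraph and would take the same wording.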
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 5f4bc02cd1..1e01924469 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -8,6 +8,11 @@ description: |-
unauthorized SGID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SUID files.
+ This configuration check whitelists SUID files which were installed via RPM.
+ It is assumed that when an individual has sudo access to install an RPM
+ and all packages are signed with an organizationally-recognized GPG key,
+ the software should be considered an approved package on the system.
+ Any SUID file not deployed through an RPM will be flagged for further review.
rationale: |-
Executable files with the SUID permission run with the privileges of
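Review bot: The sentence `It is assumed that when an individual has sudo access to install an RPM and all packages are signed ...` describes a trust model the automated check cannot confirm, because the OVAL consults only RPM ownership and disables every verify behavior; an unsigned or locally rebuilt package yields "authorized" SUID files just the same. A reader of the description should be told that, e.g. `This check relies on GPG signature verification being enforced at package installation time and on the RPM verification rules for file integrity; it does not itself verify either.` The SGID rule's description has the identical paragraph.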
From f8f7c2ae18f6c1d0cb145d996fb59d875276c991 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 14 Aug 2019 11:28:38 +0200
Subject: [PATCH 3/6] Change 'whitelists' to 'considers authorized'
---
.../files/file_permissions_unauthorized_sgid/rule.yml | 2 +-
.../files/file_permissions_unauthorized_suid/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 9bad52d9b2..e92637ca09 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -8,7 +8,7 @@ description: |-
unauthorized SGID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SGID files.
- This configuration check whitelists SGID files which were installed via RPM.
+ This configuration check considers authorized SGID files which were installed via RPM.
It is assumed that when an individual has sudo access to install an RPM
and all packages are signed with an organizationally-recognized GPG key,
the software should be considered an approved package on the system.
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 1e01924469..9f3f3dc86c 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -8,7 +8,7 @@ description: |-
unauthorized SGID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SUID files.
- This configuration check whitelists SUID files which were installed via RPM.
+ This configuration check considers authorized SUID files which were installed via RPM.
It is assumed that when an individual has sudo access to install an RPM
and all packages are signed with an organizationally-recognized GPG key,
the software should be considered an approved package on the system.
From 69fac9536f88047a77aea67db81004872e27dae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 16 Oct 2019 10:23:47 +0200
Subject: [PATCH 4/6] Fix OCIL
---
.../files/file_permissions_unauthorized_sgid/rule.yml | 4 ++--
.../files/file_permissions_unauthorized_suid/rule.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index e92637ca09..d03e7bf980 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -41,5 +41,5 @@ references:
ocil_clause: 'there is output'
ocil: |-
- To find world-writable files, run the following command:
- <pre>$ sudo find / -xdev -type f -perm -002</pre>
+ To find SGID files, run the following command:
+ <pre>$ sudo find / -xdev -type f -perm -2000</pre>
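Review bot: The `ocil_clause: 'there is output'` line kept as context above the new command makes the manual check fail whenever any SGID file exists, while the OVAL fails only on SGID files not owned by an RPM package; packaged SGID binaries are normal on an RPM-based system, so the manual and automated results would disagree. Since this patch already rewrites the OCIL, the clause should match the rule's intent, e.g. `ocil_clause: 'any SGID files not owned by an RPM package appear in the output'`, and the command should show how to judge ownership, e.g. `<pre>$ sudo find / -xdev -type f -perm -2000 -exec rpm -qf {} \;</pre>`. Note also that `-xdev` stops at mount points whereas the OVAL walks every local filesystem (`recurse_file_system="local"`), so a separate /usr or /home is covered by one check but not the other.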
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 9f3f3dc86c..9aa7f40161 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -41,5 +41,5 @@ references:
ocil_clause: 'only authorized files appear in the output of the find command'
ocil: |-
- To find world-writable files, run the following command:
- <pre>$ sudo find / -xdev -type f -perm -002</pre>
+ To find SUID files, run the following command:
+ <pre>$ sudo find / -xdev -type f -perm -4000</pre>
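Review bot: The `ocil_clause: 'only authorized files appear in the output of the find command'` context line reads as the passing condition, and under the content's "Is it the case that …?" phrasing a yes answer is a finding, so the manual check appears inverted; since this patch is titled "Fix OCIL" it would be the place to change it to `ocil_clause: 'any SUID files not owned by an RPM package appear in the output'`. The command itself gives the reader no way to tell packaged from unpackaged files; `<pre>$ sudo find / -xdev -type f -perm -4000 -exec rpm -qf {} \;</pre>` would. Also `-xdev` restricts the walk to one filesystem, while the OVAL recurses all local filesystems, so the two procedures can cover different mounts.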
From 4cd5fec7f7c71a475bbd5e9781dbfc38fdda5b92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 16 Oct 2019 10:23:58 +0200
Subject: [PATCH 5/6] Fix a typo
---
.../files/file_permissions_unauthorized_suid/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 9aa7f40161..6cfcff2e4b 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure All SUID Executables Are Authorized'
description: |-
The SUID (set user id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
- unauthorized SGID files is determine if any were not installed as part of an
+ unauthorized SUID files is determine if any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SUID files.
This configuration check considers authorized SUID files which were installed via RPM.
From 5cce2c77ae93750442a9635929786fb265834310 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 16 Oct 2019 11:19:54 +0200
Subject: [PATCH 6/6] Add prodtype
This rule has OVAL only for RHEL, Fedora, OL and WRLinux.
We can specify it in prodtype to prevent its inclusion in datastreams
for products where this rule isn't applicable.
---
.../files/file_permissions_unauthorized_sgid/rule.yml | 2 ++
.../files/file_permissions_unauthorized_suid/rule.yml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index d03e7bf980..de627fbe7e 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -2,6 +2,8 @@ documentation_complete: true
title: 'Ensure All SGID Executables Are Authorized'
+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019
+
description: |-
The SGID (set group id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 6cfcff2e4b..27946fb86a 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -2,6 +2,8 @@ documentation_complete: true
title: 'Ensure All SUID Executables Are Authorized'
+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019
+
description: |-
The SUID (set user id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying