From b457ba1cf5ea6043a501ecc45f7a54c4de61b372 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 22 Jul 2019 15:26:48 +0200 Subject: [PATCH 1/6] Compare suid/sgid files with the RPM database It is difficult to maintain a list of the paths of all possible suid and sgid binaries in a Linux distribution. Instead, we can check if the suid or sgid file is owned by an RPM package by consulting the RPM database. Another advantage of this solution is that we can have a single OVAL for all RPM-related Linux distributions. The patch modifies OVAL for rules file_permissions_unauthorized_suid and file_permissions_unauthorized_sgid and also adds test scenarios for these rules. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1693026 --- .../oval/shared.xml | 131 ++++++++---------- .../oval/wrlinux.xml | 42 ------ .../tests/no_unpackaged_sgid.pass.sh | 10 ++ .../tests/unpackaged_sgid.fail.sh | 13 ++ .../oval/ol7.xml | 93 ------------- .../oval/ol8.xml | 93 ------------- .../oval/rhel6.xml | 99 ------------- .../oval/rhel7.xml | 95 ------------- .../oval/shared.xml | 62 +++++++++ .../oval/wrlinux.xml | 55 -------- .../tests/no_unpackaged_suid.pass.sh | 10 ++ .../tests/unpackaged_suid.fail.sh | 13 ++ 12 files changed, 162 insertions(+), 554 deletions(-) delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml delete mode 100644 
linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml index de4b86c3e0..83988feec7 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml 
@@ -1,85 +1,62 @@ - - - Find setgid files system packages - - multi_platform_rhel - multi_platform_ol - - All files with setgid should be owned by a base system package - - - - - + + + Find SGID files that are not owned by RPM packages + + multi_platform_fedora + multi_platform_rhel + multi_platform_ol + multi_platform_wrlinux + + Evaluates to true if all files with SGID set are owned by RPM packages. + + + + + - - - + + + - - - / - ^.*$ - state_file_permissions_unauthorized_sgid - state_sgid_whitelist - + + + / + ^.*$ + state_file_permissions_unauthorized_sgid_sgid_set + state_file_permissions_unauthorized_sgid_filepaths + - - true - + + + .* + .* + .* + .* + .* + + - - - - + + + / + ^.*$ + state_file_permissions_unauthorized_sgid_sgid_set + - - {{% if product == "rhel6" %}} - /bin/cgclassify - /bin/cgexec - /sbin/netreport - {{% else %}} - /usr/bin/cgclassify - /usr/bin/cgexec - /usr/sbin/netreport - /usr/lib/vte-2.90/gnome-pty-helper - /usr/lib/vte-2.91/gnome-pty-helper - /usr/lib64/vte/gnome-pty-helper - /usr/lib64/vte-2.90/gnome-pty-helper - /usr/lib64/vte-2.91/gnome-pty-helper - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache - /usr/libexec/openssh/ssh-keysign - {{% endif %}} - /usr/bin/crontab - /usr/bin/gnomine - /usr/bin/iagno - /usr/bin/locate - /usr/bin/lockfile - /usr/bin/same-gnome - /usr/bin/screen - /usr/bin/ssh-agent - /usr/bin/wall - /usr/bin/write - /usr/lib/vte/gnome-pty-helper - /usr/libexec/kde4/kdesud - /usr/libexec/utempter/utempter - /usr/lib/mailman/cgi-bin/admindb - /usr/lib/mailman/cgi-bin/admin - /usr/lib/mailman/cgi-bin/confirm - /usr/lib/mailman/cgi-bin/create - /usr/lib/mailman/cgi-bin/edithtml - /usr/lib/mailman/cgi-bin/listinfo - /usr/lib/mailman/cgi-bin/options - /usr/lib/mailman/cgi-bin/private - /usr/lib/mailman/cgi-bin/rmlist - /usr/lib/mailman/cgi-bin/roster - /usr/lib/mailman/cgi-bin/subscribe - /usr/lib/mailman/mail/mailman - /usr/sbin/lockdev - /usr/sbin/postdrop - /usr/sbin/postqueue - /usr/sbin/sendmail.sendmail - 
+ + true + + + + + + + + + + + + diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml deleted file mode 100644 index 962a26d5f3..0000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml +++ /dev/null @@ -1,42 +0,0 @@ - - - - Find setgid files system packages - - Wind River Linux 8 - - All files with setgid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_sgid - state_sgid_whitelist - - - - true - - - - - - - - - /usr/bin/crontab - /usr/sbin/postdrop - /usr/sbin/postqueue - - - diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh new file mode 100644 index 0000000000..adf6b6b959 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_standard +# remediation = none + +for x in $(find / -perm /g=s) ; do + if ! rpm -qf $x ; then + rm -rf $x + fi +done diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh new file mode 100644 index 0000000000..4aa273ca89 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh 
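Review bot: The new file object is rooted at `/` with the filename pattern `^.*$`, and nothing that survives in this rendering of the hunk restricts the walk to local filesystems or to regular files, so the automated check presumably also scores setgid directories and files on network or removable mounts, whereas the rule's manual OCIL command (fixed later in this series) uses `find / -xdev -type f`. If the wider scope is not intended, set `recurse_file_system="local"` in the object's behaviors and add `<type operation="equals">regular</type>` to the setgid file state so OVAL and OCIL agree; the same applies to the new suid shared.xml further down. The element names of this hunk are not visible here, so please confirm the change against the actual file.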
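Review bot: The cleanup loop in no_unpackaged_sgid.pass.sh word-splits the output of `find` and passes `$x` unquoted to `rpm -qf` and `rm -rf`, so any setgid path containing whitespace is split into fragments, and `rpm -qf` output is left on stdout, which clutters the test log. Deleting with `rm -rf` is also more than the scenario needs: an unpackaged setgid directory created at runtime would be removed outright, whereas clearing the bit gives the same end state for the check without destroying data. The same loop is repeated in unpackaged_sgid.fail.sh and in both suid test scripts; the rewrite below applies to all four (with `/u=s` and `u-s` for the suid variants).
```shell
find / -perm /g=s -print0 |
while IFS= read -r -d '' f; do
    if ! rpm -qf "$f" >/dev/null 2>&1; then
        chmod g-s "$f"
    fi
done
```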
@@ -0,0 +1,13 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_standard +# remediation = none + +for x in $(find / -perm /g=s) ; do + if ! rpm -qf $x ; then + rm -rf $x + fi +done + +touch /usr/bin/sgid_binary +chmod g+xs /usr/bin/sgid_binary diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml deleted file mode 100644 index 6f4a87e3fb..0000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml +++ /dev/null 
@@ -1,93 +0,0 @@ - - - - Find setuid files from system packages - - Oracle Linux 7 - - All files with setuid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid - state_suid_whitelist - - - - true - - - - - - - - - - /usr/bin/abrt-action-install-debuginfo-to-abrt-cache - /usr/bin/at - /usr/bin/chage - /usr/bin/chfn - /usr/bin/chsh - /usr/bin/crontab - /usr/bin/fusermount - /usr/bin/gpasswd - /usr/bin/ksu - /usr/bin/mount - /usr/bin/newgrp - /usr/bin/passwd - /usr/bin/pkexec - /usr/bin/staprun - /usr/bin/sudoedit - /usr/bin/sudo - /usr/bin/su - /usr/bin/umount - /usr/bin/Xorg - /usr/lib64/amanda/application/amgtar - /usr/lib64/amanda/application/amstar - /usr/lib64/amanda/calcsize - /usr/lib64/amanda/dumper - /usr/lib64/amanda/killpgrp - /usr/lib64/amanda/planner - /usr/lib64/amanda/rundump - /usr/lib64/amanda/runtar - /usr/lib64/dbus-1/dbus-daemon-launch-helper - /usr/lib/amanda/application/amgtar - /usr/lib/amanda/application/amstar - /usr/lib/amanda/calcsize - /usr/lib/amanda/dumper - /usr/lib/amanda/killpgrp - /usr/lib/amanda/planner - /usr/lib/amanda/rundump - /usr/lib/amanda/runtar - /usr/lib/dbus-1/dbus-daemon-launch-helper - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache - /usr/libexec/kde4/kpac_dhcp_helper - /usr/libexec/qemu-bridge-helper - /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper - /usr/libexec/sssd/krb5_child - /usr/libexec/sssd/ldap_child - /usr/libexec/sssd/proxy_child - /usr/libexec/sssd/selinux_child - /usr/lib/polkit-1/polkit-agent-helper-1 - /usr/sbin/amcheck - /usr/sbin/amservice - /usr/sbin/mount.nfs - /usr/sbin/pam_timestamp_check - /usr/sbin/unix_chkpwd - /usr/sbin/userhelper - /usr/sbin/usernetctl - - - diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml deleted file mode 100644 index f185efc221..0000000000 
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml +++ /dev/null @@ -1,93 +0,0 @@ - - - - Find setuid files from system packages - - Oracle Linux 8 - - All files with setuid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid - state_suid_whitelist - - - - true - - - - - - - - - - /usr/bin/abrt-action-install-debuginfo-to-abrt-cache - /usr/bin/at - /usr/bin/chage - /usr/bin/chfn - /usr/bin/chsh - /usr/bin/crontab - /usr/bin/fusermount - /usr/bin/gpasswd - /usr/bin/ksu - /usr/bin/mount - /usr/bin/newgrp - /usr/bin/passwd - /usr/bin/pkexec - /usr/bin/staprun - /usr/bin/sudoedit - /usr/bin/sudo - /usr/bin/su - /usr/bin/umount - /usr/bin/Xorg - /usr/lib64/amanda/application/amgtar - /usr/lib64/amanda/application/amstar - /usr/lib64/amanda/calcsize - /usr/lib64/amanda/dumper - /usr/lib64/amanda/killpgrp - /usr/lib64/amanda/planner - /usr/lib64/amanda/rundump - /usr/lib64/amanda/runtar - /usr/lib64/dbus-1/dbus-daemon-launch-helper - /usr/lib/amanda/application/amgtar - /usr/lib/amanda/application/amstar - /usr/lib/amanda/calcsize - /usr/lib/amanda/dumper - /usr/lib/amanda/killpgrp - /usr/lib/amanda/planner - /usr/lib/amanda/rundump - /usr/lib/amanda/runtar - /usr/lib/dbus-1/dbus-daemon-launch-helper - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache - /usr/libexec/kde4/kpac_dhcp_helper - /usr/libexec/qemu-bridge-helper - /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper - /usr/libexec/sssd/krb5_child - /usr/libexec/sssd/ldap_child - /usr/libexec/sssd/proxy_child - /usr/libexec/sssd/selinux_child - /usr/lib/polkit-1/polkit-agent-helper-1 - /usr/sbin/amcheck - /usr/sbin/amservice - /usr/sbin/mount.nfs - /usr/sbin/pam_timestamp_check - /usr/sbin/unix_chkpwd - /usr/sbin/userhelper - /usr/sbin/usernetctl - - - 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml deleted file mode 100644 index 3a59897356..0000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml +++ /dev/null 
@@ -1,99 +0,0 @@ - - - - Find setuid files from system packages - - Red Hat Enterprise Linux 6 - - All files with setuid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid - state_suid_whitelist - - - - true - - - - - - - - - /bin/fusermount - /bin/mount - /bin/ping6 - /bin/ping - /bin/su - /bin/umount - /lib64/dbus-1/dbus-daemon-launch-helper - /lib/dbus-1/dbus-daemon-launch-helper - /sbin/mount.ecryptfs_private - /sbin/mount.nfs - /sbin/pam_timestamp_check - /sbin/unix_chkpwd - /usr/bin/abrt-action-install-debuginfo-to-abrt-cache - /usr/bin/at - /usr/bin/chage - /usr/bin/chfn - /usr/bin/chsh - /usr/bin/crontab - /usr/bin/gpasswd - /usr/bin/kgrantpty - /usr/bin/kpac_dhcp_helper - /usr/bin/ksu - /usr/bin/newgrp - /usr/bin/newrole - /usr/bin/passwd - /usr/bin/pkexec - /usr/bin/rcp - /usr/bin/rlogin - /usr/bin/rsh - /usr/bin/sperl5.10.1 - /usr/bin/staprun - /usr/bin/sudoedit - /usr/bin/sudo - /usr/bin/Xorg - /usr/lib64/amanda/calcsize - /usr/lib64/amanda/dumper - /usr/lib64/amanda/killpgrp - /usr/lib64/amanda/planner - /usr/lib64/amanda/rundump - /usr/lib64/amanda/runtar - /usr/lib64/nspluginwrapper/plugin-config - /usr/lib/amanda/calcsize - /usr/lib/amanda/dumper - /usr/lib/amanda/killpgrp - /usr/lib/amanda/planner - /usr/lib/amanda/rundump - /usr/lib/amanda/runtar - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache - /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper - /usr/libexec/mc/cons.saver - /usr/libexec/openssh/ssh-keysign - /usr/libexec/polkit-1/polkit-agent-helper-1 - /usr/libexec/pt_chown - /usr/libexec/pulse/proximity-helper - /usr/lib/nspluginwrapper/plugin-config - /usr/sbin/amcheck - /usr/sbin/seunshare - /usr/sbin/suexec - /usr/sbin/userhelper - /usr/sbin/usernetctl - - - 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml deleted file mode 100644 index c48bda0ef6..0000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml +++ /dev/null 
@@ -1,95 +0,0 @@ - - - - Find setuid files from system packages - - Red Hat Enterprise Linux 7 - - All files with setuid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid - state_suid_whitelist - - - - true - - - - - - - - - - /usr/bin/abrt-action-install-debuginfo-to-abrt-cache - /usr/bin/at - /usr/bin/chage - /usr/bin/chfn - /usr/bin/chsh - /usr/bin/crontab - /usr/bin/fusermount - /usr/bin/gpasswd - /usr/bin/ksu - /usr/bin/mount - /usr/bin/newgrp - /usr/bin/passwd - /usr/bin/pkexec - /usr/bin/staprun - /usr/bin/sudoedit - /usr/bin/sudo - /usr/bin/su - /usr/bin/umount - /usr/bin/Xorg - /usr/lib64/amanda/application/amgtar - /usr/lib64/amanda/application/amstar - /usr/lib64/amanda/calcsize - /usr/lib64/amanda/dumper - /usr/lib64/amanda/killpgrp - /usr/lib64/amanda/planner - /usr/lib64/amanda/rundump - /usr/lib64/amanda/runtar - /usr/lib64/dbus-1/dbus-daemon-launch-helper - /usr/lib/amanda/application/amgtar - /usr/lib/amanda/application/amstar - /usr/lib/amanda/calcsize - /usr/lib/amanda/dumper - /usr/lib/amanda/killpgrp - /usr/lib/amanda/planner - /usr/lib/amanda/rundump - /usr/lib/amanda/runtar - /usr/lib/dbus-1/dbus-daemon-launch-helper - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache - /usr/libexec/cockpit-session - /usr/libexec/dbus-1/dbus-daemon-launch-helper - /usr/libexec/kde4/kpac_dhcp_helper - /usr/libexec/qemu-bridge-helper - /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper - /usr/libexec/sssd/krb5_child - /usr/libexec/sssd/ldap_child - /usr/libexec/sssd/proxy_child - /usr/libexec/sssd/selinux_child - /usr/lib/polkit-1/polkit-agent-helper-1 - /usr/sbin/amcheck - /usr/sbin/amservice - /usr/sbin/mount.nfs - /usr/sbin/pam_timestamp_check - /usr/sbin/unix_chkpwd - /usr/sbin/userhelper - /usr/sbin/usernetctl - - - 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml new file mode 100644 index 0000000000..e83595c198 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml @@ -0,0 +1,62 @@ + + + + Find SUID files that are not owned by RPM packages + + multi_platform_fedora + multi_platform_rhel + multi_platform_ol + multi_platform_wrlinux + + Evaluates to true if all files with SUID set are owned by RPM packages. + + + + + + + + + + + + + / + ^.*$ + state_file_permissions_unauthorized_suid_suid_set + state_file_permissions_unauthorized_suid_filepaths + + + + + .* + .* + .* + .* + .* + + + + + + / + ^.*$ + state_file_permissions_unauthorized_suid_suid_set + + + + true + + + + + + + + + + + + + + diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml deleted file mode 100644 index 8306d38211..0000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml +++ /dev/null @@ -1,55 +0,0 @@ - - - - Find setuid files from system packages - - Wind River Linux 8 - - All files with setuid should be owned by a base system package - - - - - - - - - - - - - / - ^.*$ - state_file_permissions_unauthorized_suid - state_suid_whitelist - - - - true - - - - - - - - - - /bin/su.shadow - /bin/su.util-linux - /usr/bin/chage - /usr/bin/chfn.shadow - /usr/bin/chsh.shadow - /usr/bin/expiry - /usr/bin/gpasswd - /usr/bin/newgidmap - /usr/bin/newgrp.shadow - /usr/bin/newuidmap - /usr/bin/passwd.shadow - /usr/bin/sudo - /usr/lib64/dbus/dbus-daemon-launch-helper - /usr/sbin/unix_chkpwd - /usr/sbin/vlock-main - - - 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh new file mode 100644 index 0000000000..e6e5a29fb3 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_standard +# remediation = none + +for x in $(find / -perm /u=s) ; do + if ! rpm -qf $x ; then + rm -rf $x + fi +done diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh new file mode 100644 index 0000000000..f05f1821ec --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_standard +# remediation = none + +for x in $(find / -perm /u=s) ; do + if ! rpm -qf $x ; then + rm -rf $x + fi +done + +touch /usr/bin/suid_binary +chmod u+xs /usr/bin/suid_binary From 359400441acb2290af7e5ff49942dec01cb39a43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 9 Aug 2019 08:44:59 +0200 Subject: [PATCH 2/6] Describe the logic of the check in rule description --- .../files/file_permissions_unauthorized_sgid/rule.yml | 5 +++++ .../files/file_permissions_unauthorized_suid/rule.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index f039eea88c..9bad52d9b2 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml 
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -8,6 +8,11 @@ description: |- unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. + This configuration check whitelists SGID files which were installed via RPM. + It is assumed that when an individual has sudo access to install an RPM + and all packages are signed with an organizationally-recognized GPG key, + the software should be considered an approved package on the system. + Any SGID file not deployed through an RPM will be flagged for further review. rationale: |- Executable files with the SGID permission run with the privileges of diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 5f4bc02cd1..1e01924469 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -8,6 +8,11 @@ description: |- unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. + This configuration check whitelists SUID files which were installed via RPM. + It is assumed that when an individual has sudo access to install an RPM + and all packages are signed with an organizationally-recognized GPG key, + the software should be considered an approved package on the system. + Any SUID file not deployed through an RPM will be flagged for further review. rationale: |- Executable files with the SUID permission run with the privileges of From f8f7c2ae18f6c1d0cb145d996fb59d875276c991 Mon Sep 17 00:00:00 2001 
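Review bot: The added description paragraph rests on the assumption that "all packages are signed with an organizationally-recognized GPG key", but the check itself only asks the RPM database whether a file belongs to some installed package; it does not verify any signature, so a locally built or unsigned package installed with signature checking disabled satisfies it just the same. Readers will take the description as a statement of what the rule proves, so I would add one sentence making the limit explicit, e.g. `Note that this check does not verify package signatures itself; it is only as strong as the signature checking enforced at package installation time.`. The suid rule.yml hunk that shares this line adds the same paragraph and needs the same sentence.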
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 14 Aug 2019 11:28:38 +0200 Subject: [PATCH 3/6] Change 'whitelists' to 'considers authorized' --- .../files/file_permissions_unauthorized_sgid/rule.yml | 2 +- .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index 9bad52d9b2..e92637ca09 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -8,7 +8,7 @@ description: |- unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. - This configuration check whitelists SGID files which were installed via RPM. + This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 1e01924469..9f3f3dc86c 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml 
@@ -8,7 +8,7 @@ description: |- unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. - This configuration check whitelists SUID files which were installed via RPM. + This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. From 69fac9536f88047a77aea67db81004872e27dae6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 16 Oct 2019 10:23:47 +0200 Subject: [PATCH 4/6] Fix OCIL --- .../files/file_permissions_unauthorized_sgid/rule.yml | 4 ++-- .../files/file_permissions_unauthorized_suid/rule.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index e92637ca09..d03e7bf980 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -41,5 +41,5 @@ references: ocil_clause: 'there is output' ocil: |- - To find world-writable files, run the following command: -
$ sudo find / -xdev -type f -perm -002
+ To find SGID files, run the following command: +
$ sudo find / -xdev -type f -perm -2000
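Review bot: The context line `ocil_clause: 'there is output'` is left as is, yet with the corrected command it is wrong for this rule: the find will list every SGID file, packaged or not, so the clause makes the manual check fail on every healthy system. The suid hunk below keeps `'only authorized files appear in the output of the find command'`, which, if ocil_clause is the failing condition as elsewhere in the project, is inverted. Both should state the actual failure condition, e.g. `ocil_clause: 'any file in the output is not owned by an RPM package'`, and the OCIL text could tell the reader to run `rpm -qf` on each listed path.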
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 9f3f3dc86c..9aa7f40161 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -41,5 +41,5 @@ references: ocil_clause: 'only authorized files appear in the output of the find command' ocil: |- - To find world-writable files, run the following command: -
$ sudo find / -xdev -type f -perm -002
+ To find SUID files, run the following command: +
$ sudo find / -xdev -type f -perm -4000
From 4cd5fec7f7c71a475bbd5e9781dbfc38fdda5b92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 16 Oct 2019 10:23:58 +0200 Subject: [PATCH 5/6] Fix a typo --- .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 9aa7f40161..6cfcff2e4b 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure All SUID Executables Are Authorized' description: |- The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying - unauthorized SGID files is determine if any were not installed as part of an + unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files which were installed via RPM. From 5cce2c77ae93750442a9635929786fb265834310 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 16 Oct 2019 11:19:54 +0200 Subject: [PATCH 6/6] Add prodtype This rule has OVAL only for RHEL, Fedora, OL and WRLinux. We can specify it in prodtype to prevent its inclusion to datastreams for products where this rule isn't applicable --- .../files/file_permissions_unauthorized_sgid/rule.yml | 2 ++ .../files/file_permissions_unauthorized_suid/rule.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index d03e7bf980..de627fbe7e 100644 
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -2,6 +2,8 @@ documentation_complete: true title: 'Ensure All SGID Executables Are Authorized' +prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 + description: |- The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 6cfcff2e4b..27946fb86a 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -2,6 +2,8 @@ documentation_complete: true title: 'Ensure All SUID Executables Are Authorized' +prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 + description: |- The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying