From 1e2617161624f5df945d2223f9a80f1186116f6b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:59:41 +0200
Subject: [PATCH 1/3] Warn about findings from rpm_verify_permissions

There can be cases in which a Profile requires that a file permission be
more strict than package default permissions. In these cases this rule
will report the file changed by the Profile itself as a finding.

Not all permission changes make sense to be incorporated by the
package, and currently there is no mechanism to waive these findings.
---
 .../rpm_verification/rpm_verify_permissions/rule.yml          | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
index 863e2d05a3..0a91ce0108 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -67,8 +67,10 @@ ocil: |-
     is expected by the RPM database:
     <pre>$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'</pre>
 
-{{% if product == "rhel6" %}}
 warnings:
+    - general: |-
+        Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
+{{% if product == "rhel6" %}}
     - general: |-
         <b>Note: Due to a bug in the <tt>gdm</tt> package,
         the RPM verify command may continue to fail even after file permissions have
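Review bot: the new general warning says profile-induced changes will be reported as findings but gives the reader no way to separate them from unauthorized changes; consider adding one sentence saying that the files listed by the ocil check should be compared against the files whose permissions the applied profile's own rules set, so that only the remainder needs investigation. Also, the warning is a single very long line inside the `|-` block; wrapping it to the width used by the gdm note just below keeps the YAML readable (patch 3/3 in this series does that). Moving `warnings:` out of the `rhel6` conditional is correct, since the new item applies to every product and the conditional now only guards the gdm item.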

From b372888797152c859b332efae9722813b7f62ec0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 17:21:25 +0200
Subject: [PATCH 2/3] Warn about findings from rpm_verify_ownership

There can be cases in which a Profile requires that a file be owned
by root, while the package default owner is a different user.
In these cases this rule will report the change in file ownership
done by the Profile itself as a finding.

Not all ownership changes make sense to be incorporated by the
package, and currently there is no mechanism to waive these
findings.
---
 .../rpm_verification/rpm_verify_ownership/rule.yml            | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 7ae3f61919..f888db3b2c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -58,8 +58,10 @@ ocil: |-
     is expected by the RPM database:
     <pre>$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'</pre>
 
-{{% if product == "rhel6" %}}
 warnings:
+    - general: |-
+        Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
+{{% if product == "rhel6" %}}
     - general: |-
         <b>Note: Due to a bug in the <tt>gdm</tt> package,
         the RPM verify command may continue to fail even after file permissions have
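Review bot: pre-existing rather than introduced here, but since this hunk edits the same section it is worth fixing in passing: the ocil context line `<pre>$ rpm -Va | rpm -Va --nofiledigest | awk '...'</pre>` runs `rpm -Va` twice and throws away the first run's output, because the second `rpm` does not read stdin; it should read `rpm -Va --nofiledigest | awk '...'`. The awk offsets themselves are right for `rpm -V` output (column 6 is `U` for a user mismatch, column 7 is `G` for a group mismatch). As in the permissions rule, the added warning is one very long line and should be wrapped to the width of the surrounding text.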

From c3210e05aba0b479a3122f84dc149241e5866f5a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 17:29:44 +0200
Subject: [PATCH 3/3] Warning readability changes

---
 .../rpm_verification/rpm_verify_ownership/rule.yml           | 5 ++++-
 .../rpm_verification/rpm_verify_permissions/rule.yml         | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index f888db3b2c..e353ecef4c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -60,7 +60,10 @@ ocil: |-
 
 warnings:
     - general: |-
-        Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
+        Profiles may require that specific files be owned by root while the default owner defined
+        by the vendor is different.
+        Such files will be reported as a finding and need to be evaluated according to your policy
+        and deployment environment.
 {{% if product == "rhel6" %}}
     - general: |-
         <b>Note: Due to a bug in the <tt>gdm</tt> package,
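Review bot: the value is a `|-` literal block scalar, so each of the new line breaks becomes a literal newline in the warning text. That is harmless where the warning is rendered as HTML, which the `<b>`/`<tt>` markup in the gdm item below suggests is the case, but any plain-text consumer of the same string will see the sentence split mid-clause. Using `>-` (folded scalar) keeps the wrapping purely cosmetic while still producing the same single-paragraph text.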
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
index 0a91ce0108..677a239f3a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -69,7 +69,10 @@ ocil: |-
 
 warnings:
     - general: |-
-        Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
+        Profiles may require that specific files have stricter file permissions than defined by the
+        vendor.
+        Such files will be reported as a finding and need to be evaluated according to your policy
+        and deployment environment.
 {{% if product == "rhel6" %}}
     - general: |-
         <b>Note: Due to a bug in the <tt>gdm</tt> package,
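Review bot: the break after `the` leaves `vendor.` alone on its own line; `than defined by the vendor.` fits within the width used by the other wrapped lines, so moving the break there reads better. The same scalar-style point as in the ownership hunk applies: with `|-` these breaks are literal newlines in the rendered warning, whereas `>-` folds them back into spaces.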