Merge pull request #879 from iankko/rpm_verify_permissions_remediation

[Enhancement] [RHEL/6] [RHEL/7] Add remediation for 'rpm_verify_permissions' rule
ComplianceAsCode · Dec 2, 2015 · f3877f9 · f3877f9
2 parents 0112a0a + 46dc810
commit f3877f9
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/RHEL/6/input/xccdf/system/software/integrity.xml b/RHEL/6/input/xccdf/system/software/integrity.xml
@@ -145,7 +145,13 @@ is expected by the RPM database:
 Permissions on system binaries and configuration files that are too generous
 could allow an unauthorized user to gain privileges that they should not have.
 The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.</rationale>
+this baseline should be investigated.
+</rationale>
+<warning category="general"><b>Note: Due to a bug in the <tt>gdm</tt> package,
+the RPM verify command may continue to fail even after file permissions have
+been correctly set on <tt>/var/log/gdm</tt>. This is being tracked in Red Hat
+Bugzilla #1277603.</b>
+</warning>
 <ident cce="26731-0"  stig="RHEL-06-000518" />
 <oval id="rpm_verify_permissions" />
 <ref nist="AC-6,CM-6(d),SI-7" disa="1493,1494,1495" />

diff --git a/RHEL/7/input/xccdf/system/software/integrity.xml b/RHEL/7/input/xccdf/system/software/integrity.xml
@@ -145,7 +145,13 @@ is expected by the RPM database:
 Permissions on system binaries and configuration files that are too generous
 could allow an unauthorized user to gain privileges that they should not have.
 The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.</rationale>
+this baseline should be investigated.
+</rationale>
+<warning category="general">Note: Due to a bug in the <tt>gdm</tt> package, the
+RPM verify command may continue to fail even after file permissions have been
+correctly set on <tt>/var/log/gdm</tt>. This is being tracked in Red Hat
+Bugzilla #1275532.
+</warning>
 <ident cce="27209-6" />
 <oval id="rpm_verify_permissions" />
 <ref nist="AC-6,CM-6(d),CM-6(3)" disa="1493,1494,1495" pcidss="Req-11" />

diff --git a/shared/remediations/bash/rpm_verify_permissions.sh b/shared/remediations/bash/rpm_verify_permissions.sh
@@ -0,0 +1,28 @@
+# platform = multi_platform_rhel
+
+# Declare array to hold list of RPM packages we need to correct permissions for
+declare -a SETPERMS_RPM_LIST
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+FILES_WITH_INCORRECT_PERMS=($(rpm -Va | grep '^.M'))
+
+# For each file path from that list:
+# * Determine the RPM package the file path is shipped by,
+# * Include it into SETPERMS_RPM_LIST array
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+	RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
+	SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
+done
+
+# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
+SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | sort -n | uniq) )
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
+do
+	rpm --setperms "${RPM_PACKAGE}"
+done