Review rpm_verify_hashes rule #11332
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also update warning about high consume of system resources in some scenarios.
It was not identified opportunities to increase performance during the check. So the changes were limited to readability.
During the OVAL review of this rule it was noticed the Bash remediation was fragile for some valid cases. Included a condition to avoid errors.
Removed unnecessary task in Playbook and made the fact definition more flexible.
marcusburghardt
added
the
Update Rule
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_hashes
+++ xccdf_org.ssgproject.content_rule_rpm_verify_hashes
@@ -3,26 +3,33 @@
Verify File Hashes with RPM
[description]:
-Without cryptographic integrity protections, system
-executables and files can be altered by unauthorized users without
-detection.
-The RPM package management system can check the hashes of
-installed software packages, including many that are important to system
-security.
-To verify that the cryptographic hash of system files and commands matches vendor
-values, run the following command to list which files on the system
-have hashes that differ from what is expected by the RPM database:
+Without cryptographic integrity protections, system executables and files can be altered by
+unauthorized users without detection. The RPM package management system can check the hashes
+of installed software packages, including many that are important to system security.
+
+To verify that the cryptographic hash of system files and commands matches vendor values, run
+the following command to list which files on the system have hashes that differ from what is
+expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'
-A "c" in the second column indicates that a file is a configuration file, which
-may appropriately be expected to change. If the file was not expected to
-change, investigate the cause of the change using audit logs or other means.
-The package can then be reinstalled to restore the file.
-Run the following command to determine which package owns the file:
+
+If the file was not expected to change, investigate the cause of the change using audit logs
+or other means. The package can then be reinstalled to restore the file. Run the following
+command to determine which package owns the file:
$ rpm -qf FILENAME
+
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
+
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
+
+[warning]:
+This rule can take a long time to perform the check and might consume a considerable
+amount of resources depending on the number of packages present on the system. It is not a
+problem in most cases, but especially systems with a large number of installed packages
+can be affected.
+
+See https://access.redhat.com/articles/6999111.
[reference]:
11
OVAL for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes' differs.
--- oval:ssg-rpm_verify_hashes:def:1
+++ oval:ssg-rpm_verify_hashes:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_files_fail_md5_hash:tst:1
+criterion oval:ssg-test_rpm_verify_hashes:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes' differs.
--- ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1
+++ ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-The following command will list which files on the system
-have file hashes different from what is expected by the RPM database.
-$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'
+The following command will list which files on the system have file hashes different from what
+is expected by the RPM database.
+$ rpm -Va --noconfig | awk '$1 ~ /..5/'
Is it the case that there is output?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_hashes
+++ xccdf_org.ssgproject.content_rule_rpm_verify_hashes
@@ -2,8 +2,11 @@
# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+if [ -n "$files_with_incorrect_hash" ]; then
+ # From files names get package names and change newline to space, because rpm writes each package to new line
+ packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
+
+ yum reinstall -y $packages_to_reinstall
+
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_hashes
+++ xccdf_org.ssgproject.content_rule_rpm_verify_hashes
@@ -1,32 +1,7 @@
-- name: 'Set fact: Package manager reinstall command (dnf)'
- set_fact:
- package_manager_reinstall_cmd: dnf reinstall -y
- when: ansible_distribution == "Fedora"
- tags:
- - CCE-80857-6
- - CJIS-5.10.4.1
- - NIST-800-171-3.3.8
- - NIST-800-171-3.4.1
- - NIST-800-53-AU-9(3)
- - NIST-800-53-CM-6(c)
- - NIST-800-53-CM-6(d)
- - NIST-800-53-SI-7
- - NIST-800-53-SI-7(1)
- - NIST-800-53-SI-7(6)
- - PCI-DSS-Req-11.5
- - PCI-DSSv4-11.5.2
- - high_complexity
- - high_severity
- - medium_disruption
- - no_reboot_needed
- - restrict_strategy
- - rpm_verify_hashes
-
-- name: 'Set fact: Package manager reinstall command (yum)'
+- name: 'Set fact: Package manager reinstall command'
set_fact:
package_manager_reinstall_cmd: yum reinstall -y
- when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution
- == "OracleLinux")
+ when: ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux" ]
tags:
- CCE-80857-6
- CJIS-5.10.4.1 |
10 tasks
jan-cerny
requested changes
Dec 4, 2023
There was a problem hiding this comment.
Overall it looks good to me, it's a clever change reusing the filter.
The CI fail of Automatus on SLE15 is OK because there is an offending file.
But, the CI fail of Automatus on Fedora is caused by a hole in the test scenario linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/tests/bad_document.fail.sh. I think it's worth fixing. Can you take look at the Fedora fail?
When executed locally, all tests are passing correctly.
jcerny@fedora ~/work/git/scap-security-guide (pr/11332) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible rpm_verify_hashes
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-12-04-1330/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script bad_document.fail.sh using profile (all) OK
INFO - Script fresh_system.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11332) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 rpm_verify_hashes
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-12-04-1333/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rpm_verify_hashes
INFO - Script bad_document.fail.sh using profile (all) OK
INFO - Script fresh_system.pass.sh using profile (all) OK
...ide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
Outdated
Show resolved
Hide resolved
|
@marcusburghardt It didn't help. I have download the artifact from the Automatus Fedora job and the prescripts log still shows a peculiar message: it looks like the variable is still empty. Any suggestions? |
I would like to avoid installing packages but I think this will be necessary for this test case. Let me try one here. |
marcusburghardt
force-pushed
the
rpm_verify_hashes_review
branch
from
1a91385
to
5e30f5b
Compare
It didn't work. I will try to reproduce it locally and find a way to make this test scenario more robust. |
marcusburghardt
force-pushed
the
rpm_verify_hashes_review
branch
from
5e30f5b
to
ba2a3c2
Compare
|
It should be ok now @jan-cerny |
|
/packit build |
|
/packit reset |
|
/packit build |
The intention is to modify the hash of a file managed by rpm package. The test was searching for specific file name in /usr/share/doc to be modified but some systems might not have the files assumed to be present. Therefore, the test scenario was updated to modify the ls" command, which is present even in minimal installations and a small modification for testing purposes is not harmfull for the system.
marcusburghardt
force-pushed
the
rpm_verify_hashes_review
branch
from
ba2a3c2
to
50f8a8a
Compare
|
Code Climate has analyzed commit 50f8a8a and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%. View more on Code Climate. |
|
/packit retest-failed |
jan-cerny
approved these changes
Dec 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR extract the commits related to
rpm_verify_hashesfrom #11319It:
Rationale:
Better description, remediation and awareness of possible performance issues in the rule.
Review Hints:
Automatus tests should be enough