[Enhancement] [RHEL/6] [RHEL/7] Add remediation for 'rpm_verify_permissions' rule #879
Conversation
Tentatively giving to Martin. Of course, should someone else be interested in reviewing this one, feel free to go ahead, test & review. Thank you, Jan.
Should we insert a note into the XCCDF about the bug? E.g.
ack to the remediation script
Good point. Will update the XCCDF prose for both RHEL-6 & RHEL-7 (listing bug numbers there). Please do not merge yet.
ComplianceAsCode#879 (comment) add a <warning> into the RHEL-6 & RHEL-7 XCCDF prose for the 'rpm_verify_permissions' rule explaining that (due to RHEL-6 & RHEL-7 gdm package bugs) the corresponding OVAL may still fail after performing remediation because the permissions on the /var/log/gdm location are still not configured properly. Also provide links to the corresponding RHEL-6 and RHEL-7 Red Hat Bugzilla reports.
Requested
Safe to be reviewed (once the particular Jenkins testing jobs have finished).
The remediation has already been ACK-ed.
[Enhancement] [RHEL/6] [RHEL/7] Add remediation for 'rpm_verify_permissions' rule
Fixes: #834
Testing report:
The proposed change has been tested manually on a recent RHEL-7 system & AFAICT from testing it's working fine.
Note:
This remediation script will NOT put the system in question into 'fixed' state. This is because even after performing the remediation (calling the permissions that are saved in the RPM database) there will remain one unfixed file path, namely "/var/log/gdm". The issue here is that this is a known bug:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1277603
reported to the downstream bugzilla (until calling "# rpm --setperms gdm" also fixes the problem for the "/var/log/gdm" location, the returned result of this remediation script will be 'error' instead of 'fixed').
But the proper work of this remediation can be verified by running the command:
before and after the remediation and comparing the results (the count of files reported before the remediation will be higher than the count of files having incorrect permissions after the remediation has finished -- the only unfixed exception should be the "/var/log/gdm" file path and we have bugs reported downstream for this).
Please review.
Thank you, Jan.
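As an added example (not the PR's remediation script and not ComplianceAsCode code) of the before/after comparison the description refers to: parse `rpm -Va` output for files whose mode differs from the RPM database, count them, and separate the known /var/log/gdm exception from anything else left over. The `rpm -Va` sample output is constructed, and `reset_packaged_perms` is a hypothetical driver that calls `rpm --setperms` per owning package; it is defined but not executed here because it needs a real RPM database and root.

```shell
#!/bin/sh
# `rpm -Va` prints one line per file that differs from the RPM database:
# a 9-character attribute string (S M 5 D L U G T P), an optional file-type
# flag (c, d, g, l, r), then the path. Column 2 is 'M' when the file mode
# (permissions/type) differs from what the package recorded.

# Path known to stay unfixed after `rpm --setperms gdm` on RHEL-6/7
# (Red Hat bug 1277603, referenced in the pull request).
KNOWN_UNFIXED='/var/log/gdm'

# Print the paths whose mode differs, given rpm -Va output as $1.
mode_mismatches() {
    printf '%s\n' "$1" | awk 'substr($1, 2, 1) == "M" { print $NF }'
}

# Number of mode mismatches; run before and after the remediation.
count_mode_mismatches() {
    mode_mismatches "$1" | wc -l | tr -d ' '
}

# Mode mismatches NOT explained by the known gdm bug, i.e. what should be
# empty once the remediation has done its job.
unexpected_mismatches() {
    mode_mismatches "$1" | awk -v skip="$KNOWN_UNFIXED" '$0 != skip'
}

# Hypothetical remediation driver in the spirit of the PR: find the package
# owning each mismatching path and restore its recorded permissions once.
# Not called below; it needs a real RPM database and root privileges.
reset_packaged_perms() {
    mode_mismatches "$1" | while read -r path; do
        rpm -qf "$path" 2>/dev/null   # empty if no package owns the path
    done | sort -u | while read -r pkg; do
        rpm --setperms "$pkg"
    done
}

# Constructed sample in rpm -Va format (not a real capture).
SAMPLE_BEFORE='.M.......    /var/log/gdm
.M....G..    /usr/bin/example-tool
S.5....T.  c /etc/example.conf
missing     /usr/share/doc/example/README'

# Constructed output after remediation: only the known gdm path remains.
SAMPLE_AFTER='.M.......    /var/log/gdm'

echo "before: $(count_mode_mismatches "$SAMPLE_BEFORE") mode mismatch(es)"
echo "after:  $(count_mode_mismatches "$SAMPLE_AFTER") mode mismatch(es)"
echo "unexpected after remediation: '$(unexpected_mismatches "$SAMPLE_AFTER")'"
```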