Greetings all,
Haven't been doing much on this list except for lurking lately, but I was
wondering if there has been any additional work on the various 'rpm -V' checks.
Specifically on removing false positives.
Some months ago I was doing the manual checks as per the official STIG
compared to what the SSG was showing and noticed the SSG seemed to be filtering
things, but w/o explicitly calling out the filtering in the human readable
prose. Also had some questions if there would be wording put in place to deal
with things like /usr/share/ibus-table/tables/latex.db and
/usr/share/ibus-table/tables/compose.db (from the 'ibus-table-additional' RPM),
or dealing with cases where the checksums have changed due to STIG actions,
such as /etc/init/control-alt-delete.conf (part of the 'initscripts' package
altered by RHEL-06-000286).
I am working with a Security Blanket customer (using RHEL6.4) on these latter
issues now, explaining that some of these issues are due to cases where the RPM
in question is mis-configured, or post-installation/startup settings change
things from how the RPM was packaged, and others are just due to the effects of
the STIG guidance itself. A quick way to show the first set of
mis-verifications is to do the 'rpm -Va' command immediately after installing a
RHEL instance.
I rippled several of these findings back to RedHat several months ago, but
here is a list (scrubbed of files marked as configuration files) from a RHEL6.4
test vm where there is a content/ownership/permission discrepancy between RPM
and what is on disk (note - RHEL-06-000286 was manually applied):
.M.....G.. /var/log/gdm
    group ownership expected to be root, found gdm
    DACs expected to be drwxr-xr-x, found drwxrwx--T
.M....... /var/run/gdm
    DACs expected to be drwxr-xr-t, found drwx--x--x
missing /var/run/gdm/greeter
S.5....T. /etc/init/control-alt-delete.conf
    manually edited file as per RHEL-06-000286, resulting in a checksum/timestamp
    difference
..5.....T. /usr/share/ibus-table/tables/compose.db
    not sure where/who altered
..5.....T. /usr/share/ibus-table/tables/latex.db
    not sure where/who altered
.M....... /var/cache/libvirt/qemu
    DACs expected to be drwxr-x---, found drwxr-xr-x
S.5....T. /usr/share/texmf/web2c/updmap.cfg
    not sure where/who altered
I understand that if the RPM is mispackaged this is an issue for RedHat and/or
the upstream maintainers to deal with, but I've fielded several questions from
customers trying to understand why the RPM checks are having these findings.
Granted that if some of these packages were not installed (qemu for instance)
then that issue evaporates. Part of my concern is that if the SCAP checks are
filtering the output of 'rpm -V', then those filters need to be called out in
the manual prose as well.
-Rob
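As an added example (not code from Rob's mail or from the SSG project), here is a small parser for 'rpm -Va' output that makes the filtering Rob asks about explicit: the deviations accepted because of a STIG action are kept as a data table with the STIG id as the reason, so the same table can be quoted in the manual-check prose. The allow-list structure, the function names and the sshd_config sample line are assumptions; the other paths and RHEL-06-000286 come from the mail.

```python
import re
# Legend for the flag column of 'rpm -V' output (rpm 4.8 on RHEL 6); '.' means the test passed.
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
                "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

# Allow-list of deviations caused by STIG remediation, kept as data so the filtering can be
# quoted in the manual-check prose. Path and STIG id are from the mail; the table is hypothetical.
EXPECTED_DEVIATIONS = {"/etc/init/control-alt-delete.conf": ("RHEL-06-000286", {"S", "5", "T"})}

# flag column, optional file attribute ('c' = %config, 'd' = %doc, ...), then the path
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,10}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

def parse_rpm_verify(text):
    """Parse 'rpm -Va' output into dicts; lines that are not findings (notes, blanks) are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        missing = m.group("flags") == "missing"
        flags = set() if missing else {c for c in m.group("flags") if c not in ".?"}
        findings.append({"path": m.group("path"), "flags": flags,
                         "attr": m.group("attr"), "missing": missing})
    return findings

def triage(findings):
    """Split findings into (reportable, filtered); each filtered entry carries its reason."""
    reportable, filtered = [], []
    for f in findings:
        rule = EXPECTED_DEVIATIONS.get(f["path"])
        if f["attr"] == "c" and not f["missing"]:
            filtered.append((f, "%config file, local edits expected"))
        elif rule and not f["missing"] and f["flags"] <= rule[1]:
            filtered.append((f, "altered by STIG action " + rule[0]))
        else:
            reportable.append(f)  # a missing file is always reported, even for %config
    return reportable, filtered

def describe(f):
    """Human-readable reason, e.g. 'group, mode' for '.M.....G..'."""
    return "missing" if f["missing"] else ", ".join(FLAG_MEANING[c] for c in sorted(f["flags"]))

# Constructed sample: paths from the mail plus one %config line (sshd_config) to exercise that filter.
SAMPLE = """\
.M.....G..  /var/log/gdm
missing     /var/run/gdm/greeter
S.5....T.   /etc/init/control-alt-delete.conf
..5....T.   /usr/share/ibus-table/tables/compose.db
S.5....T.  c /etc/ssh/sshd_config
"""
```

Running triage(parse_rpm_verify(SAMPLE)) leaves the gdm and ibus-table findings reportable and filters the other two with their stated reasons; on a real host feed it the output of 'rpm -Va' instead of SAMPLE.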
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide