On Tuesday, April 22, 2014 01:30:27 PM Shawn Wells wrote:
> On 4/22/14, 12:46 PM, Steve Grubb wrote:
> > On Tuesday, April 22, 2014 11:16:31 AM Renshaw, Richard /c wrote:
> >> > Jan,
> >> > Without the trailing / the regex will match any directory starting with
> >> > /lib, /lib64, /usr/lib, or /usr/lib64. Like the spurious /usr/libexec/
> >> > file I was running into. Even if the trailing / isn't the correct fix,
> >> > something needs to be changed to fix the regex.
> >
> > libexec is for executables that should not be called directly. I think
> > files in that directory should be checked following the same rules as
> > /(s)bin or /usr/(s)bin. The library checks should apply to /lib(64),
> > /usr/lib(64) and possibly /usr/local/lib(64). I think in both cases it
> > should be recursive, just in case.
>
> Could we use an SSG rule (which, eventually, would be STIG and USGCB) to
> drive RHEL packaging RFEs?
I do that as much as I can. The program I use to look for packaging problems
is here:
http://people.redhat.com/sgrubb/files/stig-2011/stig-file-test.sh

> As it stands, /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache via
> the abrt-addon-ccpp package ships as abrt:abrt. We'd need big RHT to
> alter default permissions to meet the adjusted rules you recommended.

No, those are the correct permissions in this particular case. It's a setuid
abrt application so that it can write to /var/tmp/abrt, /var/run/abrt, and
/var/cache/abrt. The point is that it's not setuid root, which could be a big
mistake if an attacker could take advantage of a flaw in abrtd's analysis.

-Steve

_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
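The regex problem and the directory classes discussed in the thread, as an added shell example that is not from the list thread, from stig-file-test.sh, or from the SSG project. It shows that the unanchored pattern also matches /usr/libexec because "/usr/lib" is a prefix of it, anchors the library pattern with a trailing slash, treats /usr/libexec under the executable rules, and runs a small audit over constructed "mode owner group path" records (the directory lists, the rule thresholds and every sample record are assumptions made for illustration):

```shell
#!/bin/sh
# Added example, not from the thread or the SSG project: anchored
# library-directory regex versus the unanchored one, plus a small audit
# of constructed file records (library dirs: root-owned and not
# group/world writable; /usr/libexec checked like /(s)bin).

# The regex as discussed, without the trailing slash: "/usr/lib" is a
# prefix of "/usr/libexec", so libexec files are classified as libraries.
LIB_RE_LOOSE='^(/lib|/lib64|/usr/lib|/usr/lib64)'
# Anchored form: the directory component has to end at the slash.
LIB_RE='^(/lib|/lib64|/usr/lib|/usr/lib64|/usr/local/lib|/usr/local/lib64)/'
# Executable locations (assumed set); /usr/libexec gets the same rules.
EXEC_RE='^(/bin|/sbin|/usr/bin|/usr/sbin|/usr/libexec)/'

# loose_matches PATH: exit 0 if the unanchored regex matches PATH
loose_matches() { printf '%s\n' "$1" | grep -Eq "$LIB_RE_LOOSE"; }

# rule_class PATH: print library, executable or none
rule_class() {
    if   printf '%s\n' "$1" | grep -Eq "$LIB_RE";  then echo library
    elif printf '%s\n' "$1" | grep -Eq "$EXEC_RE"; then echo executable
    else echo none
    fi
}

# audit_records: read "mode owner group path" lines from stdin (the shape
# that `find / -xdev -type f -printf '%m %u %g %p\n'` produces) and print
# one finding per line, prefixed FAIL, REVIEW or INFO.
audit_records() {
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        class=$(rule_class "$path")
        [ "$class" = none ] && continue
        # the leading 0 makes the shell parse the mode string as octal
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL group/world-writable $mode $path"
        fi
        if [ "$class" = library ] && [ "$owner" != root ]; then
            echo "FAIL not-root-owned $owner $path"
        fi
        if [ $(( 0$mode & 04000 )) -ne 0 ]; then
            # setuid to a non-root account is reported, not failed:
            # a flaw in it does not hand out root
            if [ "$owner" = root ]; then
                echo "REVIEW setuid-root $path"
            else
                echo "INFO setuid-$owner (not root) $path"
            fi
        fi
    done
}

# Constructed sample records, not taken from a real system.
SAMPLE_RECORDS='755 root root /usr/lib64/libc.so.6
775 root root /usr/lib64/libbad.so
755 apache apache /usr/lib64/httpd/modules/mod_example.so
4755 abrt abrt /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
4755 root root /usr/bin/passwd
644 root root /etc/passwd'

# audit_sample: run the audit over the constructed records
audit_sample() { printf '%s\n' "$SAMPLE_RECORDS" | audit_records; }

# fail_count: number of FAIL findings in the sample
fail_count() { audit_sample | grep -c '^FAIL'; }

# Demo output when run directly.
for p in /usr/lib64/libc.so.6 \
         /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache; do
    if loose_matches "$p"; then echo "loose regex matches:  $p"; fi
    echo "rule class: $(rule_class "$p") $p"
done
audit_sample
```

Over the constructed records the libexec binary is matched by the loose regex but classified as an executable by the anchored one, the setuid abrt:abrt file is reported as INFO rather than FAIL, and only the group-writable and non-root-owned library files fail. To run it against a real box, replace the sample with `find / -xdev -type f -printf '%m %u %g %p\n' | audit_records`.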
