Verify and Correct File Permissions with RPM
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us!Description
The RPM package management system can check file access permissions
of installed software packages, including many that are important
to system security.
Verify that the file permissions of system files
and commands match vendor values. Check the file permissions
with the following command:
$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults.
After locating a file with incorrect permissions,
run the following command to determine which package owns it:
Next, run the following command to reset its permissions to
the correct values:
$ sudo rpm --quiet --setperms PACKAGENAME
Rationale
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Declare array to hold list of RPM packages we need to correct permissions for
declare -a SETPERMS_RPM_LIST
# Create a list of files on the system having permissions different from what
# is expected by the RPM database
FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M' | cut -d ' ' -f4-))
# For each file path from that list:
# * Determine the RPM package the file path is shipped by,
# * Include it into SETPERMS_RPM_LIST array
for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
done
# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ') )
# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
do
rpm --quiet --setperms "${RPM_PACKAGE}"
done
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: "Read list of files with incorrect permissions"
shell: "rpm -Va | grep '^.M' | cut -d ' ' -f5- | sed -r 's;^.*\\s+(.+);\\1;g'"
register: files_with_incorrect_permissions
failed_when: False
changed_when: False
check_mode: no
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- NIST-800-53-AC-6
- NIST-800-53-AU-9(1)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(3)
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- PCI-DSS-Req-11.5
- CJIS-5.10.4.1
- DISA-STIG-RHEL-07-010010
- name: "Correct file permissions with RPM"
shell: "rpm --quiet --setperms $(rpm -qf '{{item}}')"
with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
when: files_with_incorrect_permissions.stdout_lines | length > 0
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- NIST-800-53-AC-6
- NIST-800-53-AU-9(1)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(3)
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- PCI-DSS-Req-11.5
- CJIS-5.10.4.1
- DISA-STIG-RHEL-07-010010
Warning
Note: Due to a bug in the gdm
package,
the RPM verify command may continue to fail even after file permissions have
been correctly set on /var/log/gdm
. This is being tracked in Red Hat
Bugzilla #1277603.