Detections
Analytics

6.1.1 Audit system file permissions

Information

The RPM and Debian package managers have a number of useful options. One of these, the --verify (or -V for RPM) option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option:

Code Meaning

S File size differs.

M File mode differs (includes permissions and file type).

5 The MD5 checksum differs.

D The major and minor version numbers differ on a device file.

L A mismatch occurs in a link.

U The file ownership differs.

G The file group owner differs.

T The file time (mtime) differs.

The rpm -qf or dpkg -S command can be used to determine which package a particular file belongs to. For example the following commands determines which package the /bin/bash file belongs to:

# rpm -qf /bin/bash

bash-4.1.2-29.el6.x86_64

# dpkg -S /bin/bash

bash: /bin/bash




To verify the settings for the package that controls the /bin/bash file, run the following:

# rpm -V bash-4.1.2-29.el6.x86_64

.M....... /bin/bash

# dpkg --verify bash

??5?????? c /etc/bash.bashrc

Note that you can feed the output of the rpm -qf command to the rpm -V command:

# rpm -V 'rpm -qf /etc/passwd'

.M...... c /etc/passwd

S.5....T c /etc/printcap

Rationale:

It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.

Solution

Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.

References:

http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/index.html




Notes:

Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files. This can be a time consuming task and results may depend on site policy therefore it is not a scorable benchmark item, but is provided for those interested in additional security measures.

Some of the recommendations of this benchmark alter the state of files audited by this recommendation. The audit command will alert for all changes to a file permissions even if the new state is more secure than the default.

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-71849

Rule ID: SV-86473r3_rule

STIG ID: RHEL-07-010010

Severity: CAT I



Vul ID: V-71855

Rule ID: SV-86479r3_rule

STIG ID: RHEL-07-010020

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(1)

Plugin: Unix

Control ID: 2cb59ab952aa27340efa8e7ad27861111cafa4d8cdacac03cda0a3e0cb640a55