- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --quiet --setperms PACKAGENAME
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Declare array to hold list of RPM packages we need to correct permissions for
declare -a SETPERMS_RPM_LIST
# Create a list of files on the system having permissions different from what
# is expected by the RPM database
FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M' | cut -d ' ' -f4-))
# For each file path from that list:
# * Determine the RPM package the file path is shipped by,
# * Include it into SETPERMS_RPM_LIST array
for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
done
# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ') )
# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
do
rpm --quiet --setperms "${RPM_PACKAGE}"
done
The following playbook can be run with Ansible to remediate the issue.
- name: "Read list of files with incorrect permissions"
shell: "rpm -Va | grep '^.M' | cut -d ' ' -f5- | sed -r 's;^.*\\s+(.+);\\1;g'"
register: files_with_incorrect_permissions
failed_when: False
changed_when: False
check_mode: no
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- NIST-800-53-AC-6
- NIST-800-53-AU-9(1)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(3)
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- PCI-DSS-Req-11.5
- CJIS-5.10.4.1
- DISA-STIG-RHEL-07-010010
- name: "Correct file permissions with RPM"
shell: "rpm --quiet --setperms $(rpm -qf '{{item}}')"
with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
when: files_with_incorrect_permissions.stdout_lines | length > 0
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- NIST-800-53-AC-6
- NIST-800-53-AU-9(1)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(3)
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- PCI-DSS-Req-11.5
- CJIS-5.10.4.1
- DISA-STIG-RHEL-07-010010
Note: Due to a bug in the gdm
package,
the RPM verify command may continue to fail even after file permissions have
been correctly set on /var/log/gdm
. This is being tracked in Red Hat
Bugzilla #1277603.