Review rpm_verify_permissions rule

[marcusburghardt]

Description:

This PR extract the commits related to rpm_verify_permissions from #11319

It:

• Updates the rule description and includes a warning about performance in some specific scenarios
• Improve the OVAL readability without changing its logic

Rationale:

Better description and awareness of possible performance issues in the rule.
Better OVAL readability.

Review Hints:

Automatus tests should be enough.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -3,27 +3,32 @@
 Verify and Correct File Permissions with RPM
 
 [description]:
-The RPM package management system can check file access permissions
-of installed software packages, including many that are important
-to system security.
-Verify that the file permissions of system files
-and commands match vendor values. Check the file permissions
-with the following command:
+The RPM package management system can check file access permissions of installed software
+packages, including many that are important to system security. Verify that the file
+permissions of system files and commands match vendor values. Check the file permissions with
+the following command:
 $ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
 Output indicates files that do not match vendor defaults.
-After locating a file with incorrect permissions,
-run the following command to determine which package owns it:
+
+After locating a file with incorrect permissions, run the following command to determine which
+package owns it:
 $ rpm -qf FILENAME
 
-Next, run the following command to reset its permissions to
-the correct values:
+Next, run the following command to reset its permissions to the correct values:
 $ sudo rpm --setperms PACKAGENAME
 
 [warning]:
-Profiles may require that specific files have stricter file permissions than defined by the
-vendor.
-Such files will be reported as a finding and need to be evaluated according to your policy
-and deployment environment.
+Profiles may require that specific files have stricter file permissions than defined by
+the vendor. Such files will be reported as a finding and need to be evaluated according to
+your policy and deployment environment.
+
+[warning]:
+This rule can take a long time to perform the check and might consume a considerable
+amount of resources depending on the number of packages present on the system. It is not a
+problem in most cases, but especially systems with a large number of installed packages
+can be affected.
+
+See https://access.redhat.com/articles/6999111.
 
 [reference]:
 1
@@ -386,10 +391,9 @@
 6.1.9
 
 [rationale]:
-Permissions on system binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.
+Permissions on system binaries and configuration files that are too generous could allow an
+unauthorized user to gain privileges that they should not have. The permissions set by the
+vendor should be maintained. Any deviations from this baseline should be investigated.
 
 [ident]:
 CCE-80858-4

OVAL for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions' differs.
--- oval:ssg-rpm_verify_permissions:def:1
+++ oval:ssg-rpm_verify_permissions:def:1
@@ -1,2 +1,2 @@
 criteria AND
-criterion oval:ssg-test_verify_all_rpms_mode:tst:1
+criterion oval:ssg-test_rpm_verify_permissions:tst:1

[jan-cerny]

I think that the link to the article should be present only in RHEL products because users who aren't Red Hat customers can't access this page.

[marcusburghardt]

Done

[codeclimate]

Code Climate has analyzed commit ddb6efb and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5%.

View more on Code Climate.

[jan-cerny]

I think that the fail of SLE15 can be ignored because it happens due to a problematic file not because of the rule.