6.1.14 Audit system file permissions

Information

The RPM Package Manager has a number of useful options. One of these, the -V (verify) option, can be used to verify that system packages are correctly installed. The -V option can verify a particular package or all installed packages. If no output is returned, the package is installed correctly. The following table describes the meaning of the output from the verify option:

Code Meaning
S File size differs.
M File mode differs (includes permissions and file type).
5 digest (formerly MD5 sum) differs.
D Device file major/minor number mismatch.
L readLink(2) path mismatch.
U User ownership differs.
G Group ownership differs.
T The file time (mtime) differs.
P Capabilities differ.

The rpm -qf command can be used to determine which package a particular file belongs to. For example, the following command determines which package the /bin/bash file belongs to:

# rpm -qf /bin/bash
bash-4.4.19-2.fc28.x86_64

To verify the settings for the package that controls the /bin/bash file, run the following:

# rpm -V bash-4.4.19-2.fc28.x86_64
.M....... /bin/bash
# rpm --verify bash
??5?????? c /etc/bash.bashrc

Note that you can feed the output of the rpm -qf command to the rpm -V command:

# rpm -V `rpm -qf /etc/passwd`
.M....... c /etc/passwd
S.5....T. c /etc/printcap
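As an added example (not from the benchmark, Nessus or rpm itself), the Python below parses rpm -V output by the nine status columns in the table above and ranks each line so that mode, ownership and capability changes on any file stand out from the content edits expected in config files (the c marker). The sample lines are constructed, modelled on the output shown above, and the severity levels are this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

FLAGS = "SM5DLUGTP"  # column order of the rpm -V status string (table above)
# One status line: nine status chars or "missing", an optional file-type
# marker (c=config, d=documentation, g=ghost, ...), then the path.
LINE_RE = re.compile(
    r"^(?P<code>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[a-z])\s+)?(?P<path>/.*)$")

# Constructed sample, modelled on the verify output shown above.
SAMPLE = """\
.M....... /bin/bash
??5?????? c /etc/bash.bashrc
S.5....T. c /etc/printcap
missing   d /usr/share/doc/bash/README
"""

@dataclass
class Finding:
    path: str
    file_type: Optional[str]   # 'c' config, 'd' documentation, None if no marker
    differs: list              # attributes that differ from the package database
    unknown: list              # tests rpm could not perform ('?' in that column)
    missing: bool

def parse_line(line):
    """Return a Finding for one rpm -V output line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = m["code"]
    if code == "missing":
        return Finding(m["path"], m["type"], [], [], True)
    differs = [flag for flag, ch in zip(FLAGS, code) if ch == flag]
    unknown = [flag for flag, ch in zip(FLAGS, code) if ch == "?"]
    return Finding(m["path"], m["type"], differs, unknown, False)

def severity(f):
    """Rank a finding for the file-permission audit this control describes (assumed scale)."""
    if f.missing or set(f.differs) & {"M", "U", "G", "P", "D", "L"}:
        return "high"      # missing, or mode/owner/caps/device/symlink changed
    if set(f.differs) & {"S", "5"}:
        return "info" if f.file_type == "c" else "high"  # edited config is expected
    if f.unknown:
        return "unknown"   # rpm could not perform the test; re-run as root
    return "low"           # only mtime differs

def audit(output):
    """Classify every rpm -V line in output; returns (severity, Finding) pairs."""
    return [(severity(f), f) for f in map(parse_line, output.splitlines()) if f]
```

Feed it the output of rpm -Va to rank the whole system; lines rpm prints that are not status lines (such as unsatisfied-dependency messages) are skipped.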

The rpm -qi command can be used to display package information, including name, version, and description. The following example displays information for the bash package:

# rpm -qi bash
Name : bash
Version : 4.4.19
Release : 2.fc28
Architecture: x86_64
Install Date: Tue 15 Aug 2023 10:27:28 AM EDT
Group : Unspecified
Size : 6910653
License : GPLv3+
Signature : RSA/SHA256, Thu 15 Mar 2018 10:10:10 AM EDT, Key ID e08e7e629db62fb1
Source RPM : bash-4.4.19-2.fc28.src.rpm
Build Date : Thu 15 Mar 2018 10:01:10 AM EDT
Build Host : buildhw-07.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://www.gnu.org/software/bash
Bug URL : https://bugz.fedoraproject.org/bash
Summary : The GNU Bourne Again shell
Description :
The GNU Bourne Again shell (Bash) is a shell or command language
interpreter that is compatible with the Bourne shell (sh). Bash
incorporates useful features from the Korn shell (ksh) and the C shell
(csh). Most sh scripts can be run by bash without modification.

It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 401cd2fb4818c452505a33e671662a122f2db9dc82759112b989b2c7cdc54188