8.5.1.3. Verify and Correct File Permissions with RPM
Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Type: Mixed - Mostly False Positives
Recommend SSG Feedback: Permissions that are obviously more restrictive should not be flagged
Identifier: V-71849
Most files have more restrictive permissions than those provided by the RPMs. Some services, like openldap, run as a service-specific system user, so SIMP also changes the group on their configuration files.
The following exceptions were collected by running the above command on an EL 7 SIMP system:
| File | Puppet log |
|---|---|
| /etc/audit/auditd.conf | mode changed ‘0640’ to ‘0600’ |
| /etc/default/nss | mode changed ‘0644’ to ‘0640’ |
| /etc/default/useradd | mode changed ‘0644’ to ‘0600’ |
| /etc/hosts.allow | mode changed ‘0644’ to ‘0444’ |
| /etc/init/control-alt-delete.conf | mode changed ‘0644’ to ‘0640’ |
| /etc/login.defs | mode changed ‘0644’ to ‘0640’ |
| /etc/ntp.conf | group changed ‘root’ to ‘ntp’ ; mode changed ‘0644’ to ‘0600’ |
| /etc/openldap/schema/dyngroup.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/dyngroup.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/inetorgperson.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/inetorgperson.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/java.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/java.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/misc.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/misc.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/nis.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/nis.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/openldap.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/openldap.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/pmi.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/pmi.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/ppolicy.ldif | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/openldap/schema/ppolicy.schema | group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’ |
| /etc/puppetlabs/code | group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0750’ |
| /etc/puppetlabs/code/environments | group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0770’ (u=rwx,g=rwx,o-rwx) |
| /etc/puppetlabs/code/environments/production | group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0770’ (u=rwx,g=rwx,o-rwx) |
| /etc/puppetlabs/puppet | group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0750’ |
| /etc/puppetlabs/puppet/puppet.conf | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/puppetlabs/puppetserver/conf.d | group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0750’ |
| /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/puppetlabs/puppetserver/conf.d/web-routes.conf | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/puppetlabs/puppetserver/conf.d/webserver.conf | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/puppetlabs/puppetserver/logback.xml | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/puppetlabs/puppetserver/services.d/ca.cfg | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/rsyncd.conf | mode changed ‘0644’ to ‘0400’ |
| /etc/rsyslog.conf | mode changed ‘0644’ to ‘0600’ |
| /etc/securetty | mode changed ‘0600’ to ‘0400’ |
| /etc/security/limits.conf | mode changed ‘0644’ to ‘0640’ |
| /etc/sysconfig/ktune | mode changed ‘0777’ to ‘0640’ |
| /etc/sysconfig/ntpd | mode changed ‘0644’ to ‘0640’ |
| /etc/sysconfig/ntpdate | mode changed ‘0644’ to ‘0640’ |
| /etc/sysconfig/puppetserver | group changed ‘root’ to ‘puppet’ ; mode changed ‘0644’ to ‘0640’ |
| /etc/sysconfig/rsyslog | mode changed ‘0644’ to ‘0640’ |
| /etc/sysconfig/slapd | mode changed ‘0644’ to ‘0640’ |
| /etc/tuned.conf | mode changed ‘0777’ to ‘0640’ |
| /var/lib/ntp | mode changed ‘0755’ to ‘0750’ |
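The recommended SSG feedback above (do not flag permissions that are obviously more restrictive) can be applied mechanically to a Puppet change log: a change only widens access if the new mode grants a permission bit the RPM-recorded mode lacked, or if the group is moved off root. The following triage script is an added example and not SIMP's or SSG's own code; it parses the `mode changed`/`group changed` notices in the format shown in the table, and its `ModeChange`, `parse_change`, `describe_bits` and `triage` names are this example's own. The sample rows are copied from the table above.

```python
"""Triage Puppet 'mode changed' notices for an rpm -V permissions review.

Hypothetical helper (not SIMP's own code): a change is a true finding only
if it grants a bit the RPM-recorded mode did not have, or swaps the group.
Everything else is the "obviously more restrictive" case that should not be
flagged under rpm_verify_permissions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rendered Puppet logs use curly quotes; the raw agent output uses straight ones.
MODE_RE = re.compile(r"mode changed [‘'\"]([0-7]{3,4})[’'\"] to [‘'\"]([0-7]{3,4})[’'\"]")
GROUP_RE = re.compile(r"group changed [‘'\"]([^’'\"]+)[’'\"] to [‘'\"]([^’'\"]+)[’'\"]")


@dataclass(frozen=True)
class ModeChange:
    path: str
    old_mode: Optional[int]    # mode recorded by the RPM (before Puppet ran)
    new_mode: Optional[int]    # mode Puppet enforces
    old_group: Optional[str]
    new_group: Optional[str]

    @property
    def added_bits(self) -> int:
        """Permission bits the new mode grants that the RPM mode did not."""
        if self.old_mode is None or self.new_mode is None:
            return 0
        return self.new_mode & ~self.old_mode

    @property
    def removed_bits(self) -> int:
        """Permission bits the RPM mode had that Puppet took away."""
        if self.old_mode is None or self.new_mode is None:
            return 0
        return self.old_mode & ~self.new_mode

    @property
    def group_changed(self) -> bool:
        return self.old_group is not None and self.old_group != self.new_group

    @property
    def needs_review(self) -> bool:
        """Only changes that widen access (new bits or a group swap) are findings."""
        return self.added_bits != 0 or self.group_changed


def describe_bits(bits: int) -> str:
    """Render mode bits in chmod-style symbolic form, e.g. 'g+w' or 'o+rx'."""
    parts = []
    for who, shift in (("u", 6), ("g", 3), ("o", 0)):
        triad = (bits >> shift) & 0o7
        letters = "".join(l for l, b in (("r", 4), ("w", 2), ("x", 1)) if triad & b)
        if letters:
            parts.append(f"{who}+{letters}")
    for name, flag in (("setuid", 0o4000), ("setgid", 0o2000), ("sticky", 0o1000)):
        if bits & flag:
            parts.append(name)
    return ",".join(parts) or "-"


def parse_change(path: str, log_line: str) -> ModeChange:
    """Parse one notice such as
    "group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’"."""
    m = MODE_RE.search(log_line)
    g = GROUP_RE.search(log_line)
    return ModeChange(
        path=path,
        old_mode=int(m.group(1), 8) if m else None,
        new_mode=int(m.group(2), 8) if m else None,
        old_group=g.group(1) if g else None,
        new_group=g.group(2) if g else None,
    )


def triage(entries: List[Tuple[str, str]]) -> List[ModeChange]:
    """Return only the entries a reviewer should look at, in input order."""
    return [c for c in (parse_change(p, line) for p, line in entries) if c.needs_review]


# Constructed sample: five rows taken from the exception table.
SAMPLE = [
    ("/etc/audit/auditd.conf", "mode changed ‘0640’ to ‘0600’"),
    ("/etc/hosts.allow", "mode changed ‘0644’ to ‘0444’"),
    ("/etc/sysconfig/ktune", "mode changed ‘0777’ to ‘0640’"),
    ("/etc/openldap/schema/nis.ldif",
     "group changed ‘root’ to ‘ldap’ ; mode changed ‘0444’ to ‘0644’"),
    ("/etc/puppetlabs/code/environments",
     "group changed ‘root’ to ‘puppet’ ; mode changed ‘0755’ to ‘0770’ (u=rwx,g=rwx,o-rwx)"),
]

if __name__ == "__main__":
    for c in (parse_change(p, line) for p, line in SAMPLE):
        verdict = "REVIEW" if c.needs_review else "tighter"
        print(f"{verdict:8} {c.path:40} +{describe_bits(c.added_bits)} "
              f"-{describe_bits(c.removed_bits)} group={c.old_group}->{c.new_group}")
```

Run against the full table, only the openldap schema files (owner write added, group moved to `ldap`) and the `puppetlabs` entries (group moved to `puppet`, and `environments` gaining `g+w`) come back for review; every remaining row is a pure tightening and matches the "mostly false positives" classification of this rule.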