Bug 2083864

Summary: DISA-STIG Scan for RHEL8 changes permissions for postfix binaries
Product: Red Hat Enterprise Linux 8
Reporter: cweather
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 8.5
CC: ccheney, ggasparb, mhaicman, mlysonek, wsato
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-03 14:17:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description cweather 2022-05-10 20:30:02 UTC
Description of problem:

[root@localhost ~]# rpm -V postfix
S.5....T.  c /etc/postfix/main.cf
.M....G..    /usr/sbin/postdrop
.M....G..    /usr/sbin/postqueue

These files have 'set group ID (2)' set on them by default.

   -rwxr-sr-x. 1 root postdrop 20920 Feb 23 09:10 /usr/sbin/postdrop
   -rwxr-sr-x. 1 root postdrop 25048 Feb 23 09:10 /usr/sbin/postqueue

Version-Release number of selected component (if applicable):
openscap-1.3.5-6.el8.x86_64
openscap-scanner-1.3.5-6.el8.x86_64
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Scan and remediate system with DISA-STIG profile
2. STIG automatically changes permissions on postdrop and postqueue

Actual results:
The profile remediates the postdrop and postqueue files to be owned by the root user.

Expected results:

-rwxr-sr-x    1 root    postdrop                25048 Feb 17 18:06 /usr/sbin/postqueue

-rwxr-sr-x    1 root    postdrop                20920 Feb 17 18:06 /usr/sbin/postdrop

Additional info:
This behavior breaks postfix and likely breaks other sgid binaries as well, since it resets everything.

These are the details related to that rule: 
------------------------
Verify that system commands files are group owned by root
Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result	
fixed
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupownership_system_commands_dirs:def:1
Time	2022-05-03T16:48:54-05:00
Severity	medium
Identifiers and References	
Identifiers:  CCE-86519-6
...

Description	
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should be owned by the root group. If the directory, or any file in these directories, is found to be owned by a group other than root correct its ownership with the following command:

$ sudo chgrp root FILE
...
Following items have been found on the system:
Path	Type	UID	GID	Size (B)	Permissions
/sbin/postqueue	regular	0	90	25064	rwxr-sr-x 
/usr/sbin/postqueue	regular	0	90	25064	rwxr-sr-x 
...
/usr/sbin/postdrop	regular	0	90	20920	rwxr-sr-x 
...
/sbin/postdrop	regular	0	90	20920	rwxr-sr-x 
------------------------
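The report table and the `rpm -V` output quoted in this bug are the two artifacts an administrator has before and after the remediation runs. The following is an added example, written for this page and not code from the bug report, from postfix or from the scap-security-guide project: it parses the tab-separated finding table of `file_groupownership_system_commands_dirs` and flags the rows that are both non-root-group and setgid (the ones a blanket `chgrp root` will break; on Linux, changing the group of an executable also clears its setgid bit, which is why `rpm -V` shows `M` next to `G` above), and it parses `rpm -V` output to list which package files have had their group changed. The sample rows are the four postfix entries from the report plus one constructed non-setgid row; the `rpm -V` regex assumes rpm's standard nine-column verification format.

```python
"""Pre-remediation review and post-remediation verification for the
file_groupownership_system_commands_dirs rule. Added illustration for this
bug, not part of the bug report or of scap-security-guide."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of the report's 'Following items have been found' table."""
    path: str
    ftype: str
    uid: int
    gid: int
    size: int
    perms: str  # symbolic mode string, e.g. rwxr-sr-x

    @property
    def setgid(self) -> bool:
        # The group-execute slot (index 5 of rwxrwxrwx) shows 's' or 'S'
        # when the setgid bit is set.
        return len(self.perms) >= 6 and self.perms[5] in "sS"


def parse_findings(table: str) -> list[Finding]:
    """Parse the tab-separated table emitted in the OpenSCAP report.
    The header line and '...' elision markers are skipped."""
    findings = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue  # header, '...', or blank
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 6:
            continue  # not a data row
        path, ftype, uid, gid, size, perms = fields
        findings.append(Finding(path, ftype, int(uid), int(gid), int(size), perms))
    return findings


def at_risk(findings: list[Finding]) -> list[str]:
    """Paths the rule would chgrp to root (GID != 0) that also carry the
    setgid bit. A blanket `chgrp root` removes the group-based privilege
    separation these binaries rely on, so they need a package-aware review
    or an exception before remediation is applied."""
    return sorted({f.path for f in findings if f.gid != 0 and f.setgid})


# rpm -V prints nine attribute columns (S M 5 D L U G T P), an optional
# file-type letter (c = config file, d = documentation, ...) and the path.
_RPM_V = re.compile(r"^([S.M5DLUGTP?]{9})\s+(?:[cdglr]\s+)?(/\S+)$")


def parse_rpm_verify(output: str) -> dict[str, set[str]]:
    """Map each path reported by `rpm -V` to the attributes that differ
    from the package database, e.g. {'/usr/sbin/postdrop': {'M', 'G'}}."""
    changed = {}
    for line in output.splitlines():
        m = _RPM_V.match(line.strip())
        if m:
            changed[m.group(2)] = {c for c in m.group(1) if c != "."}
    return changed


def group_clobbered(output: str) -> list[str]:
    """Package files whose group (G) no longer matches the package: the
    footprint a group-ownership remediation leaves behind."""
    return sorted(p for p, flags in parse_rpm_verify(output).items() if "G" in flags)


# Sample input: the four postfix rows from the report above, plus one
# constructed non-setgid row (hypothetical path) to show it is not flagged.
SAMPLE_TABLE = (
    "Path\tType\tUID\tGID\tSize (B)\tPermissions\n"
    "/sbin/postqueue\tregular\t0\t90\t25064\trwxr-sr-x \n"
    "/usr/sbin/postqueue\tregular\t0\t90\t25064\trwxr-sr-x \n"
    "...\n"
    "/usr/sbin/postdrop\tregular\t0\t90\t20920\trwxr-sr-x \n"
    "/sbin/postdrop\tregular\t0\t90\t20920\trwxr-sr-x \n"
    "/usr/local/bin/example-tool\tregular\t0\t1000\t4096\trwxr-xr-x\n"
)

# Sample input: the `rpm -V postfix` output quoted in the bug.
SAMPLE_RPM_V = (
    "S.5....T.  c /etc/postfix/main.cf\n"
    ".M....G..    /usr/sbin/postdrop\n"
    ".M....G..    /usr/sbin/postqueue\n"
)

if __name__ == "__main__":
    print("setgid binaries the rule would re-group:", at_risk(parse_findings(SAMPLE_TABLE)))
    print("package files with changed group:", group_clobbered(SAMPLE_RPM_V))
```

Run the table parser against the "Following items have been found" section of a scan report before enabling remediation; any path it returns is a candidate for an exception rather than for `chgrp root`. After remediation, `rpm -V` on the affected packages is the quickest way to see exactly which files were altered.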