Bug 2275532

Summary: Nagios installs certain files against DISA-STIG permission settings.
Product: [Fedora] Fedora EPEL Reporter: Brad Viviano <viviano.brad>
Component: nagiosAssignee: Guido Aulisi <guido.aulisi>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: epel9CC: guido.aulisi, shawn.starr
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: nagios-4.4.14-4.el9 nagios-4.4.14-3.el8 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-07 02:46:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brad Viviano 2024-04-17 14:09:05 UTC 
Description of problem:
The Nagios RPM is installing several files and directories under /usr that have permissions 0775, which violates DISA-STIG rules

RHEL-09-232010
RHEL-09-232015
RHEL-09-232020

Version-Release number of selected component (if applicable):
4.4.14

How reproducible:
Very

Steps to Reproduce:
1. yum install nagios
2. RHEL-09-232010 - find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec /bin/echo {} \;
2. RHEL-09-232015 - find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec /bin/echo {} \;
3. RHEL-09-232020 - find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec /bin/echo {} \;

Actual results:
# find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec /bin/echo {} \;
/sbin/convertcfg
/usr/sbin/convertcfg
#

# find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec /bin/echo {} \;
/lib64/nagios/cgi-bin
/lib64/nagios/cgi
/usr/lib64/nagios/cgi-bin
/usr/lib64/nagios/cgi
#

# find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec /bin/echo {} \;
/lib/.build-id/8a/54b4ad6f89bb642700e3907ef674772217ae63
/lib/.build-id/a5/86a250def3964b936748702913c479a27825c5
/lib/.build-id/fb/23703128615f226138241c87a763b741814343
/lib/.build-id/0c/a5127150ed86de833e1f0892cc40d18ad58c66
/lib/.build-id/19/afca33debed84fcf7d2c8a9136d399726d1b73
/lib/.build-id/52/d9fcc5cfecfcd129cd318ecde90f7f1ffdb7f2
/lib/.build-id/9d/4307972bcb1e24d0c86e6501dd2d8a16e66e95
/lib/.build-id/ba/53803a2ca88238ba66099ea864e638d3d1ae8b
/lib/.build-id/db/f75010180ea107488ae91610918ab47c3519c0
/lib/.build-id/f0/1184d4eb7bb5014f64f052d0ec638610fee2a7
/lib/.build-id/fd/e6b9fa56e9aedbb6b4450cc6045352659d9b3a
/lib/.build-id/83/64ddb405bb392ab681efa20d24465c5e9cfd4b
/lib/.build-id/5c/69d0e2298690389849db25ecb84a9ac98fd8da
/lib/.build-id/ec/81c82761175cbcc31819c45994e9ee33803697
/lib/.build-id/a9/7b7e571e352e4ca548363ea227a9d09bd7545a
/lib/.build-id/d7/3783b685c2540977a80edab57758f38b9baa13
/lib/.build-id/b5/4eeb2ae6c1db15c78bf6e038e47c79c47b76f7
/lib/.build-id/1a/5b48d9cc502a2a54254f3bb7d6cb83274a4af0
/lib/.build-id/40/18f59c275ca53f24f5107765d76e340309b283
/lib/.build-id/e3/fcc0dbf55f44f23d26682e670674979ea6c961
/lib64/nagios/cgi-bin/archivejson.cgi
/lib64/nagios/cgi-bin/avail.cgi
/lib64/nagios/cgi-bin/cmd.cgi
/lib64/nagios/cgi-bin/config.cgi
/lib64/nagios/cgi-bin/extinfo.cgi
/lib64/nagios/cgi-bin/histogram.cgi
/lib64/nagios/cgi-bin/history.cgi
/lib64/nagios/cgi-bin/notifications.cgi
/lib64/nagios/cgi-bin/objectjson.cgi
/lib64/nagios/cgi-bin/outages.cgi
/lib64/nagios/cgi-bin/showlog.cgi
/lib64/nagios/cgi-bin/status.cgi
/lib64/nagios/cgi-bin/statusjson.cgi
/lib64/nagios/cgi-bin/statusmap.cgi
/lib64/nagios/cgi-bin/statuswml.cgi
/lib64/nagios/cgi-bin/statuswrl.cgi
/lib64/nagios/cgi-bin/summary.cgi
/lib64/nagios/cgi-bin/tac.cgi
/lib64/nagios/cgi-bin/trends.cgi
/lib64/nagios/cgi/daemonchk.cgi
/lib64/nagios/cgi/traceroute.cgi
/usr/lib/.build-id/8a/54b4ad6f89bb642700e3907ef674772217ae63
/usr/lib/.build-id/a5/86a250def3964b936748702913c479a27825c5
/usr/lib/.build-id/fb/23703128615f226138241c87a763b741814343
/usr/lib/.build-id/0c/a5127150ed86de833e1f0892cc40d18ad58c66
/usr/lib/.build-id/19/afca33debed84fcf7d2c8a9136d399726d1b73
/usr/lib/.build-id/52/d9fcc5cfecfcd129cd318ecde90f7f1ffdb7f2
/usr/lib/.build-id/9d/4307972bcb1e24d0c86e6501dd2d8a16e66e95
/usr/lib/.build-id/ba/53803a2ca88238ba66099ea864e638d3d1ae8b
/usr/lib/.build-id/db/f75010180ea107488ae91610918ab47c3519c0
/usr/lib/.build-id/f0/1184d4eb7bb5014f64f052d0ec638610fee2a7
/usr/lib/.build-id/fd/e6b9fa56e9aedbb6b4450cc6045352659d9b3a
/usr/lib/.build-id/83/64ddb405bb392ab681efa20d24465c5e9cfd4b
/usr/lib/.build-id/5c/69d0e2298690389849db25ecb84a9ac98fd8da
/usr/lib/.build-id/ec/81c82761175cbcc31819c45994e9ee33803697
/usr/lib/.build-id/a9/7b7e571e352e4ca548363ea227a9d09bd7545a
/usr/lib/.build-id/d7/3783b685c2540977a80edab57758f38b9baa13
/usr/lib/.build-id/b5/4eeb2ae6c1db15c78bf6e038e47c79c47b76f7
/usr/lib/.build-id/1a/5b48d9cc502a2a54254f3bb7d6cb83274a4af0
/usr/lib/.build-id/40/18f59c275ca53f24f5107765d76e340309b283
/usr/lib/.build-id/e3/fcc0dbf55f44f23d26682e670674979ea6c961
/usr/lib64/nagios/cgi-bin/archivejson.cgi
/usr/lib64/nagios/cgi-bin/avail.cgi
/usr/lib64/nagios/cgi-bin/cmd.cgi
/usr/lib64/nagios/cgi-bin/config.cgi
/usr/lib64/nagios/cgi-bin/extinfo.cgi
/usr/lib64/nagios/cgi-bin/histogram.cgi
/usr/lib64/nagios/cgi-bin/history.cgi
/usr/lib64/nagios/cgi-bin/notifications.cgi
/usr/lib64/nagios/cgi-bin/objectjson.cgi
/usr/lib64/nagios/cgi-bin/outages.cgi
/usr/lib64/nagios/cgi-bin/showlog.cgi
/usr/lib64/nagios/cgi-bin/status.cgi
/usr/lib64/nagios/cgi-bin/statusjson.cgi
/usr/lib64/nagios/cgi-bin/statusmap.cgi
/usr/lib64/nagios/cgi-bin/statuswml.cgi
/usr/lib64/nagios/cgi-bin/statuswrl.cgi
/usr/lib64/nagios/cgi-bin/summary.cgi
/usr/lib64/nagios/cgi-bin/tac.cgi
/usr/lib64/nagios/cgi-bin/trends.cgi
/usr/lib64/nagios/cgi/daemonchk.cgi
/usr/lib64/nagios/cgi/traceroute.cgi
#

Expected results:

# find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec /bin/echo {} \;
#

# find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec /bin/echo {} \;
#

# find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec /bin/echo {} \;
#

Additional info:

All files in question are root.root so changing the default install permissions to 0755 in the SPEC file should not have an impact on anyone, but will resolve a DISA-STIG issue.
Comment 1 Fedora Update System 2024-04-28 11:27:43 UTC 
FEDORA-EPEL-2024-65a6ff8c53 (nagios-4.4.14-4.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-65a6ff8c53
Comment 2 Fedora Update System 2024-04-29 02:39:30 UTC 
FEDORA-EPEL-2024-65a6ff8c53 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-65a6ff8c53

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Fedora Update System 2024-05-07 02:46:44 UTC 
FEDORA-EPEL-2024-65a6ff8c53 (nagios-4.4.14-4.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 4 Fedora Update System 2025-01-16 21:39:28 UTC 
FEDORA-EPEL-2025-bbaa00be72 (nagios-4.4.14-3.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-bbaa00be72
Comment 5 Fedora Update System 2025-01-17 02:03:21 UTC 
FEDORA-EPEL-2025-bbaa00be72 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-bbaa00be72

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2025-01-25 06:22:20 UTC 
FEDORA-EPEL-2025-bbaa00be72 (nagios-4.4.14-3.el8) has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.