Bug 2083864 - DISA-STIG Scan for RHEL8 changes permissions for postfix binaries
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.5
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-10 20:30 UTC by cweather
Modified: 2023-08-03 01:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-03 14:17:36 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-121650 0 None None None 2022-05-10 20:32:23 UTC

Description cweather 2022-05-10 20:30:02 UTC
Description of problem:

[root@localhost ~]# rpm -V postfix
S.5....T.  c /etc/postfix/main.cf
.M....G..    /usr/sbin/postdrop
.M....G..    /usr/sbin/postqueue

These files have 'set group ID (2)' set on them by default.

   -rwxr-sr-x. 1 root postdrop 20920 Feb 23 09:10 /usr/sbin/postdrop
   -rwxr-sr-x. 1 root postdrop 25048 Feb 23 09:10 /usr/sbin/postqueue

Version-Release number of selected component (if applicable):
openscap-1.3.5-6.el8.x86_64                                
openscap-scanner-1.3.5-6.el8.x86_64                                                
scap-security-guide-0.1.57-5.el8.noarch 

How reproducible:
Always

Steps to Reproduce:
1. Scan and remediate system with DISA-STIG profile
2. STIG automatically changes permissions on postdrop and postqueue

Actual results:
The profile remediates the postdrop and postqueue files to be owned by the root user.

Expected results:

-rwxr-sr-x    1 root    postdrop                25048 Feb 17 18:06 /usr/sbin/postqueue

-rwxr-sr-x    1 root    postdrop                20920 Feb 17 18:06 /usr/sbin/postdrop

Additional info:
This behavior breaks postfix and likely breaks other sgid binaries as well, since it resets everything.

These are the details related to that rule: 
------------------------
Verify that system commands files are group owned by root
Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result	
fixed
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupownership_system_commands_dirs:def:1
Time	2022-05-03T16:48:54-05:00
Severity	medium
Identifiers and References	
Identifiers:  CCE-86519-6
...

Description	
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should be owned by the root group. If the directory, or any file in these directories, is found to be owned by a group other than root correct its ownership with the following command:

$ sudo chgrp root FILE
...
Following items have been found on the system:
Path	Type	UID	GID	Size (B)	Permissions
/sbin/postqueue	regular	0	90	25064	rwxr-sr-x 
/usr/sbin/postqueue	regular	0	90	25064	rwxr-sr-x 
...
/usr/sbin/postdrop	regular	0	90	20920	rwxr-sr-x 
...
/sbin/postdrop	regular	0	90	20920	rwxr-sr-x 
------------------------
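
The `rpm -V` output in the description can be decoded mechanically to list every packaged file whose mode, owner or group no longer matches the RPM database after a remediation run. The script below is an added example, not part of the original report or of scap-security-guide; the function names `ownership_drift` and `sample_rpm_verify` are hypothetical, and the sample input is the three `rpm -V` lines quoted in the description.

```shell
#!/bin/sh
# Added example: decode `rpm -V` verify strings and report files whose
# mode, user or group differs from what the package recorded.
# Verify-string columns: 1=S size, 2=M mode, 3=5 digest, 4=D device,
# 5=L link, 6=U user, 7=G group, 8=T mtime, 9=P capabilities.

# Sample input: the rpm -V lines quoted in the bug description.
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/postfix/main.cf
.M....G..    /usr/sbin/postdrop
.M....G..    /usr/sbin/postqueue
EOF
}

# Reads `rpm -V` output on stdin, prints "<path> <changed attributes>".
# Assumption: paths contain no whitespace (true for the files discussed here).
ownership_drift() {
    awk '
    function add(list, item) { return (list == "" ? item : list "," item) }
    # Skip "missing ..." lines and anything that is not a 9-column verify string.
    length($1) != 9 || $1 !~ /^[.?SM5DLUGTP]+$/ { next }
    {
        flags = $1
        # An optional one-letter marker (c = config, d = doc, ...) precedes the path.
        path = (NF >= 3 && length($2) == 1) ? $3 : $2
        changes = ""
        if (substr(flags, 2, 1) == "M") changes = add(changes, "mode")
        if (substr(flags, 6, 1) == "U") changes = add(changes, "user")
        if (substr(flags, 7, 1) == "G") changes = add(changes, "group")
        if (changes != "") print path, changes
    }'
}

# Demonstration on the sample; on a real host use: rpm -V postfix | ownership_drift
sample_rpm_verify | ownership_drift
```

Running `rpm -Va | ownership_drift` before and after applying the profile shows which packaged binaries the `file_groupownership_system_commands_dirs` remediation touched.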

