{"description": "The RPM package management system can check the file ownership of installed software\npackages, including many that are important to system security. After locating a file with\nincorrect ownership, which can be found with:\n<pre>$ rpm -Va | awk '{ if (substr($0,6,1)==\"U\" || substr($0,7,1)==\"G\") print $NF }'</pre>\nrun the following command to determine which package owns it:\n<pre>$ rpm -qf <i>FILENAME</i></pre>\nNext, run the following command to reset its ownership to the correct values:\n<pre>$ sudo rpm --restore <i>PACKAGENAME</i></pre>", "rationale": "Incorrect ownership of binaries and configuration files could allow an unauthorized\nuser to gain privileges that they should not have. The ownership set by the vendor should be\nmaintained. Any deviations from this baseline should be investigated.", "severity": "high", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "3", "5", "6", "9"], "cjis": ["5.10.4.1"], "cobit5": ["APO01.06", "APO11.04", "BAI03.05", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.04", "DSS05.07", "DSS06.02", "MEA02.01"], "cui": ["3.3.8", "3.4.1"], "isa-62443-2009": ["4.3.3.3.9", "4.3.3.5.8", "4.3.3.7.3", "4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.1", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 5.2", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.2", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.5.1", "A.12.6.2", "A.12.7.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-003-8 R6", "CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2"], "nist": ["CM-6(d)", "CM-6(c)", "SI-7", "SI-7(1)", "SI-7(6)", "AU-9(3)"], "nist-csf": 
["PR.AC-4", "PR.DS-5", "PR.IP-1", "PR.PT-1"], "pcidss": ["Req-11.5"], "srg": ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098", "SRG-OS-000278-GPOS-00108"], "ism": ["1409"], "pcidss4": ["11.5.2"]}, "control_references": {"ism": ["1409"], "pcidss4": ["11.5.2"]}, "components": [], "identifiers": {}, "ocil_clause": "there is output", "ocil": "The following command will list which files on the system have ownership different from what\nis expected by the RPM database:\n<pre>$ rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)==\"U\" || substr($0,7,1)==\"G\") print $NF }'</pre>", "oval_external_content": null, "fixtext": "Run the following command to determine which package owns the file:\n\n$ sudo rpm -qf [path to file]\n\nReset the user and group ownership of files within a package with the following command:\n\n$ sudo rpm --restore [package]", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured so that the file ownership and group membership of system files and commands match the vendor values.", "warnings": [{"general": "Profiles may require that specific files be owned by root while the default owner defined\nby the vendor is different. Such files will be reported as a finding and need to be\nevaluated according to your policy and deployment environment."}, {"general": "This rule can take a long time to perform the check and might consume a considerable\namount of resources depending on the number of packages present on the system. 
It is not a\nproblem in most cases, but systems with a large number of installed packages\ncan be especially affected."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not bootc"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_bootc"], "bash_conditional": null, "fixes": {}, "title": "Verify and Correct Ownership with RPM", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml", "template": null}