Title: Message Title
James Ralston commented on PUP-4661
Re: Puppet agent fights with RPM package over owner/group of certain directories
And yes, this might seem like a trivial issue.
But some people operate Linux hosts that must conform to the United States Government Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). And the RHEL6 STIG contains this rule (among many others):
Group ID (Vulid): V-38454 Group Title: SRG-OS-99 Rule ID: SV-50254r1_rule Severity: CAT III Rule Version (STIG-ID): RHEL-06-000516 Rule Title: The system package management tool must verify ownership on all files and directories associated with packages.
Vulnerability Discussion: Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Check Content: The following command will list which files on the system have ownership different from what is expected by the RPM database:
# rpm -Va | grep '^.U'
If there is output, this is a finding.
Fix Text: The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database:
# rpm -qf \[file or directory name\]
# rpm --setugids \[package\]
Whether one agrees with this rule is irrelevant: if you are required to comply with the STIG, you will be regularly audited on your compliance. And the behavior of the Puppet
