  1. Red Hat Insights Engineering
  2. RHINENG-15302

False positive for "Systemd unit files with insecure permissions or ownership" advisory.


    • 1
    • Insights Rule Dev 202501

      ** Note that this is a public ticket, please refrain from adding any sensitive data. **

      Description of Problem

      Insights is reporting "Privilege Escalation: Systemd unit files with insecure permissions or ownership" for over half of our servers. When I run the command to find insecure files, nothing is returned, so I am wondering why Insights is reporting this issue when it appears not to be an issue.

      Example system:
      Insights is reporting on our server tstbdvrhel08 that the following are insecure.

      The following systemd unit files have insecure execute or others write permissions:

      /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service
      /etc/systemd/system/dbus-org.freedesktop.timedate1.service
      /etc/systemd/system/default.target
      /etc/systemd/system/syslog.service
      /etc/systemd/system/systemd-timedated.service
      /run/systemd/generator.late/AMPWatchDog.service
      /run/systemd/generator.late/konea.service
      /usr/lib/systemd/system/autovt@.service
      /usr/lib/systemd/system/ctrl-alt-del.target
      /usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service, and more

      When I run the following per the Insights recommendations, nothing is returned on the system.

      [root@test ~]# find -L '/etc/systemd/system' '/run/systemd/generator.late' '/usr/lib/systemd/system' -maxdepth 1 -type f \( -perm /a=x -o -perm -o=w -o \( ! -group root -perm -g=w \) \) \( -name '*.service' -o -name '*.socket' -o -name '*.device' -o -name '*.mount' -o -name '*.automount' -o -name '*.swap' -o -name '*.target' -o -name '*.path' -o -name '*.timer' -o -name '*.slice' -o -name '*.scope' \)
      [root@test ~]# 

      I found this article too, and when searching for systemd messages related to "marked executable", nothing is returned as well.

      https://access.redhat.com/solutions/4345951

      [root@test~]# cat /var/log/messages |grep -i "marked executable"
      [root@test ~]# 

      How reproducible

      Always

      Steps to Reproduce

      1. Register RHEL 8 host with Insights
      2. Run `insights-client` command 

      Actual Behavior

      False positive for "Systemd unit files with insecure permissions or ownership" advisory.

      Expected Behavior

      False positive should not be there.

      Business Impact / Additional info

      False positive recommendation.

              rhn-support-jiazhang Jiajun Zhang
              rhn-support-ngupta Nikhil Gupta
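Added example, not part of the ticket or of Insights: a per-path version of the three permission and ownership predicates in the find command quoted above, useful for cross-checking individual paths from the advisory. For each path it prints the mode and group that `find -L` evaluates (those of a symlink's target) and, for symlinks, the link's own mode alongside. It assumes GNU coreutils `stat`; the function name and the script name in the usage comment are hypothetical, and the unit-name and `-maxdepth` filters of the original command are not reproduced.

```shell
#!/bin/sh
# Added example, not part of the ticket. Assumes GNU coreutils stat (-c, -L).

# check_unit PATH
# Prints "<verdict> mode=<octal> group=<name>[ link-mode=<octal>]" where verdict
# is "ok" or "insecure:<reasons>", or a "skip" line when find -type f would not
# match the path at all.
check_unit() {
    p=$1
    # With -L, find tests the file a symlink points to; [ -f ] does the same.
    if [ ! -f "$p" ]; then
        echo "skip (missing, dangling link, or target is not a regular file)"
        return 0
    fi
    t=$(stat -L -c '%a %G' -- "$p") || return 1
    mode=${t%% *}
    group=${t#* }
    m=$((0$mode))                        # parse the octal mode string
    reasons=
    if [ $(($m & 0111)) -ne 0 ]; then    # -perm /a=x
        reasons="$reasons,exec"
    fi
    if [ $(($m & 0002)) -ne 0 ]; then    # -perm -o=w
        reasons="$reasons,other-write"
    fi
    # ! -group root -perm -g=w
    if [ "$group" != root ] && [ $(($m & 0020)) -ne 0 ]; then
        reasons="$reasons,group-write-nonroot"
    fi
    if [ -n "$reasons" ]; then
        out="insecure:${reasons#,} mode=$mode group=$group"
    else
        out="ok mode=$mode group=$group"
    fi
    if [ -L "$p" ]; then
        # The link's own mode (always 777 on Linux) is not what find -L evaluates.
        out="$out link-mode=$(stat -c '%a' -- "$p")"
    fi
    echo "$out"
}

# Usage (hypothetical script name): sh check_units.sh /etc/systemd/system/default.target ...
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(check_unit "$p")"
done
```

Run it as root against the paths named in the advisory and compare each verdict with what Insights reports for that path.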