Never mind.
-----Original Message-----
From: Packard, Scott E [US] (AS) <Scott.Packard(a)ngc.com>
Sent: Tuesday, March 17, 2020 11:04 AM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: EXT :xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed bash remediation script
For the Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed bash remediation script
Seen here (among other places):
http://people.redhat.com/swells/ComplianceAsCode-build-01082020/guides/ss...
On the "readarray" line, shouldn't that be:
readarray -t GPG_OUT < $(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10)
So, $(stmt) instead of <(stmt)?
Full original script follows
--
# The two fingerprints below are retrieved from
# https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error).
  readarray -t GPG_OUT < <(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10)
  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
      rpm --import "${REDHAT_RELEASE_KEY}"
    }
  fi
fi
--
Regards, Scott
--
Scott Packard | Sr Principal Engr Comm Systems | Northrop Grumman Corporation | Aerospace Systems
O: 626-812-1703 | scott.packard(a)ngc.com | email2text: 6262200032(a)usamobility.net
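An added example, not Scott's script and not the SSG project's code: the same fingerprint allow-list check, fed with constructed "gpg --with-colons" records so it runs without gpg or the key file, with the "< <(...)" form the script uses and the "< $(...)" form asked about side by side. The names fake_gpg, all_fingerprints_known and broken_read are chosen for this example; the fpr records are constructed, not captured from a real key.

```bash
#!/usr/bin/env bash
# Added example (not the SSG remediation script): the fingerprint
# allow-list check driven by constructed gpg --with-colons output.
# fake_gpg, all_fingerprints_known and broken_read are example names.

readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Stand-in for "gpg --with-fingerprint --with-colons KEYFILE". Field 10 of
# each fpr record is the fingerprint, which is what the script's cut extracts.
fake_gpg() {
  case "$1" in
    good)   # both official fingerprints, nothing else (constructed records)
      printf 'fpr:::::::::%s:\n' "$REDHAT_RELEASE_FINGERPRINT"
      printf 'fpr:::::::::%s:\n' "$REDHAT_AUXILIARY_FINGERPRINT"
      ;;
    rogue)  # an extra key with a constructed, unknown fingerprint
      printf 'fpr:::::::::%s:\n' "$REDHAT_RELEASE_FINGERPRINT"
      printf 'fpr:::::::::%s:\n' "0000000000000000000000000000000000000000"
      ;;
    *)      # gpg failing (e.g. CRC error): no output, non-zero status
      return 2 ;;
  esac
}

# Returns 0 only when at least one fingerprint was read and every one is allowed.
all_fingerprints_known() {
  local fpr; local -a fprs=()
  # "< <(...)" hands readarray the pipeline's output as a stream.
  readarray -t fprs < <(fake_gpg "$1" | grep '^fpr' | cut -d ':' -f 10)
  # Empty result means gpg failed or the file had no keys: refuse, because
  # $? after readarray reports readarray's status, not the pipeline's.
  [ "${#fprs[@]}" -gt 0 ] || return 1
  for fpr in "${fprs[@]}"; do
    case "$fpr" in
      "$REDHAT_RELEASE_FINGERPRINT"|"$REDHAT_AUXILIARY_FINGERPRINT") ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# The "< $(...)" variant: bash uses the pipeline's OUTPUT as a filename
# ("ambiguous redirect" for two fingerprints, "No such file" for one),
# so readarray never runs and the array stays empty. Prints the count read.
broken_read() {
  local -a out=()
  { readarray -t out < $(fake_gpg "$1" | grep '^fpr' | cut -d ':' -f 10); } 2>/dev/null || true
  echo "${#out[@]}"
}
```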
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org