For the Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed bash remediation script
Seen here (among other places): http://people.redhat.com/swells/ComplianceAsCode-build-01082020/guides/ssg-r...
On the "readarray" line, shouldn't that be: readarray -t GPG_OUT < $(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10)
So, $(stmt) instead of <(stmt)?
Full original script follows --

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error).
  readarray -t GPG_OUT < <(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10)

  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
      rpm --import "${REDHAT_RELEASE_KEY}"
    }
  fi
fi
--
Regards,
Scott
--
Scott Packard | Sr Principal Engr Comm Systems
Northrop Grumman Corporation | Aerospace Systems
O: 626-812-1703 | scott.packard@ngc.com | email2text: 6262200032@usamobility.net
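Added example, not part of the thread and not the ComplianceAsCode remediation itself: a fingerprint allow-list check built the way the quoted script builds it, with two things the thread touches made visible. First, `readarray -t ARR < <(cmd)` is the correct form; `readarray -t ARR < $(cmd)` would expand cmd's output and try to open it as a file name, and a helper below shows that failing. Second, `$?` immediately after `readarray ... < <(...)` is readarray's own exit status, not gpg's, so this version forwards the producer's status through the stream instead. The `fake_gpg_*` functions are constructed stand-ins for `gpg --with-fingerprint --with-colons` output (the all-zero fingerprint is made up); only the two Red Hat fingerprints are taken from the script above.

```bash
#!/usr/bin/env bash
# Added example (not the ComplianceAsCode script). Requires bash: process
# substitution, readarray and PIPESTATUS are not available in /bin/sh.

# Fingerprints copied from the quoted remediation script.
readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Constructed stand-in for `gpg --with-fingerprint --with-colons KEYFILE` on a
# file holding only the two Red Hat keys. In an fpr record the fingerprint is
# field 10, which is why the script uses `cut -d ":" -f 10`.
fake_gpg_good() {
    printf '%s\n' \
        'pub:-:4096:1:199E2F91FD431D51:1258023064:::-:::scESC::::::::' \
        "fpr:::::::::${REDHAT_RELEASE_FINGERPRINT}:" \
        'pub:-:4096:1:45689C882FA658E0:1279124016:::-:::scESC::::::::' \
        "fpr:::::::::${REDHAT_AUXILIARY_FINGERPRINT}:"
}

# Same file, but with an extra key nobody vetted (constructed fingerprint).
fake_gpg_extra_key() {
    fake_gpg_good
    printf '%s\n' 'fpr:::::::::0000000000000000000000000000000000000000:'
}

# Stand-in for gpg failing on a corrupt file: nothing useful on stdout, non-zero exit.
fake_gpg_corrupt() {
    echo 'gpg: CRC error; 1234ab - 5678cd' >&2
    return 2
}

# check_key_fingerprints PRODUCER [ARGS...]
# Returns 0 when every fingerprint the producer reports is on the allow list,
# 1 when an unknown fingerprint is present, 2 when the producer itself failed.
check_key_fingerprints() {
    local -a lines
    local producer_rc last fpr
    # Process substitution: the pipeline's stdout becomes a readable FD (e.g.
    # /dev/fd/63) and `<` redirects it into readarray. The trailing echo runs
    # in the same subshell as the pipeline, so PIPESTATUS[0] there is the
    # producer's exit status; `$?` after readarray would only be readarray's.
    readarray -t lines < <("$@" | grep '^fpr' | cut -d ':' -f 10; echo "rc=${PIPESTATUS[0]}")
    last=$(( ${#lines[@]} - 1 ))
    producer_rc=${lines[last]#rc=}
    unset "lines[$last]"
    [ "$producer_rc" -eq 0 ] || return 2

    # Exact match per fingerprint, unlike `grep -vE "A|B"`, which would also
    # accept any fingerprint merely containing A or B as a substring.
    for fpr in "${lines[@]}"; do
        case "$fpr" in
            "$REDHAT_RELEASE_FINGERPRINT"|"$REDHAT_AUXILIARY_FINGERPRINT") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# What the `< $(...)` form actually does: the command's output is word-split
# and used as the FILE NAME of the redirection. Here that name is a fingerprint
# that exists as no file, so bash reports "No such file or directory" and the
# readarray never runs (with several output words it is an "ambiguous redirect").
readarray_from_command_substitution() {
    local -a x
    readarray -t x 2>/dev/null < $(printf '%s\n' "$REDHAT_RELEASE_FINGERPRINT")
}

# Usage: check_key_fingerprints gpg --with-fingerprint --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
```

Run it with bash, not sh. Only after `check_key_fingerprints` returns 0 would a real remediation go on to `rpm --import`; a return of 2 means the key file could not even be parsed and should be treated like a tampered or truncated file, not silently skipped.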
Never mind.
-----Original Message-----
From: Packard, Scott E [US] (AS) Scott.Packard@ngc.com
Sent: Tuesday, March 17, 2020 11:04 AM
To: scap-security-guide@lists.fedorahosted.org
Subject: EXT :xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed bash remediation script
_______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...