Assigned
Comments
va...@google.com <va...@google.com>
si...@google.com <si...@google.com> #2
Apologies, I intended to create a feature request not a bug. I will create a feature request instead.
Description
For instance: /usr/lib/kafka/logs -> /var/log/kafka
These soft links cause STIG control failures, even though the files are correctly located and permissioned. This is a vendor-specific packaging issue.
There are three vulnerabilities with open FRs; we would like to fix these 3 vulnerabilities.
1. V-230258: system commands are not owned by root and not group-owned by root (/usr/local/bin/bdconfig, /usr/local/bin/tinkey, /usr/local/bin/tinkey_deploy.jar ????)
command to find issue: sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -ld {} \;
2. V-230260: world writable library files in /lib/ and /usr/lib/
command to find issue: sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -ld {} \;
3. V-230326: some files in /usr/local are owned by invalid user/group
command to find issue: sudo find / -fstype xfs -nouser
If the required fix is minor, could we please get a rough estimate of the effort involved?
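The soft-link effect described above (for instance /usr/lib/kafka/logs -> /var/log/kafka) can be separated from genuine findings per file. The following is an added example, not part of the original report or of any vendor tooling: it reruns the reporter's `find -L ... -perm /022 -type f` check and labels each hit by whether its resolved path really lies under a scanned directory. The function name `triage_lib_findings` and the `DIRECT` / `VIA_SYMLINK` labels are assumptions made for illustration; it assumes GNU find and `realpath`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not vendor or STIG tooling).
# Usage on a real host:
#   sudo sh -c '. ./triage.sh; triage_lib_findings /lib /lib64 /usr/lib /usr/lib64'

triage_lib_findings() {
    # Resolve each scanned root once so comparisons use physical paths
    # (on merged-/usr systems /lib itself is a symlink to /usr/lib).
    roots=""
    for d in "$@"; do
        [ -d "$d" ] || continue
        roots="$roots$(realpath "$d")
"
    done

    # Same predicate as the check quoted in the report: follow symlinks and
    # report regular files that are group- or world-writable.
    ROOTS="$roots" find -L "$@" -perm /022 -type f -exec sh -c '
        for f in "$@"; do
            real=$(realpath "$f") || continue
            verdict=VIA_SYMLINK
            # ROOTS holds one resolved root per line.
            old_ifs=$IFS; IFS="
"
            for r in $ROOTS; do
                case "$real" in "$r"/*) verdict=DIRECT ;; esac
            done
            IFS=$old_ifs
            if [ "$verdict" = DIRECT ]; then
                # File physically lives under a scanned library directory.
                printf "DIRECT %s\n" "$f"
            else
                # File was only reached by following a symlink out of the tree.
                printf "VIA_SYMLINK %s -> %s\n" "$f" "$real"
            fi
        done
    ' sh {} + 2>/dev/null
}
```

`DIRECT` lines are files that physically sit in a library directory with group or world write permission; `VIA_SYMLINK` lines show the real location so its ownership and mode can be reviewed there.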