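diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
new file mode 100644
index 00000000000..de85c892704
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Group root'
+
+description: |-
+ All audit configuration files must be owned by group root.
+ chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can
+ select which events are audited, unauthorized personnel may be able
+ to prevent the auditing of critical events.
+ Misconfigured audits may degrade the system's performance by
+ overwhelming the audit log. Misconfigured audits may also make it more
+ difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+ disa: CCI-000171
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@ubuntu2004: UBTU-20-010135
+
+ocil: |-
+ {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
+ {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /etc/audit/
+ - /etc/audit/rules.d/
+ file_regex:
+ - ^audit(\.rules|d\.conf)$
+ - ^.*\.rules$
+ filegid: '0'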
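Review bot: The check and the remediation in this rule cover different file sets: the `description` tells the operator to run `chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*`, while the second `file_regex` entry, `^.*\.rules$`, only evaluates `.rules` files under `/etc/audit/rules.d/`, so a non-`.rules` file there with the wrong group is fixed by the remediation but never reported by the check. Either narrow the description to `/etc/audit/rules.d/*.rules` or widen the regex so the two agree. The vars appear to pair `filepath` and `file_regex` positionally; if that is how `file_groupowner` consumes lists (the template is not in this diff), a one-line comment above `file_regex` saying `# one regex per filepath entry, in order` would help the next editor keep them aligned. The description also lacks the `$ sudo` prefix the sibling rules in this commit use for their fix commands.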
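diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
new file mode 100644
index 00000000000..5235e0d05a3
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+touch $AUDITFILE
+chgrp root $TESTFILE
+chgrp root $AUDITFILE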
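diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 00000000000..52378d810a5
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+groupadd group_test
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+touch $AUDITFILE
+chgrp group_test $TESTFILLE
+chgrp group_test $AUDITFILE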
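Review bot: The variable is spelled `TESTFILLE` on four lines of this script while the sibling pass test uses `TESTFILE`; the script works only because the misspelling is consistent, and it reads as a typo. Rename it to `export TESTFILE=/etc/audit/rules.d/test_rule.rules` and update the three uses. Separately, `groupadd group_test` returns non-zero when the group already exists; if the test harness runs scenarios with errexit enabled, a re-run aborts before the `chgrp` lines, so `getent group group_test >/dev/null || groupadd group_test` is the safer form — the same pattern appears in the two other fail scripts in this commit that add `groupadd group_test`.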
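diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
index 5e2cabafc34..927d08d03d4 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
@@ -1,8 +1,15 @@
+{{% if 'ubuntu' in product %}}
+{{% set gid = 'syslog' %}}
+{{% else %}}
+{{% set gid = 'root' %}}
+{{% endif %}}
+
+
 documentation_complete: true
 
 title: 'Verify Group Who Owns /var/log Directory'
 
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
 
 rationale: |-
 The <tt>/var/log</tt> directory contains files with logs of error
@@ -22,13 +29,16 @@ references:
 stigid@rhel8: RHEL-08-010260
 stigid@ubuntu2004: UBTU-20-010417
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
 
 ocil: |-
- {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
+ {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
 
 template:
 name: file_groupowner
 vars:
 filepath: /var/log/
 filegid: '0'
+ filegid@ubuntu1604: '110'
+ filegid@ubuntu1804: '110'
+ filegid@ubuntu2004: '110'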
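Review bot: The human-readable check and the machine check can disagree on Ubuntu: the Jinja header sets `gid = 'syslog'` for every product whose name contains 'ubuntu', but `filegid` is only overridden for ubuntu1604, ubuntu1804 and ubuntu2004, so any other Ubuntu product would keep `filegid: '0'` while its OCIL text tells the operator to expect group `syslog`. The override `'110'` is also a numeric gid; if the `syslog` group is allocated dynamically when the syslog package is installed rather than being a fixed system gid, the automated check fails on hosts where it received a different number even though the group name matches — worth confirming whether the template can take a group name instead. The template itself is not in this diff, so this is inferred from the vars alone.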
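diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
new file mode 100644
index 00000000000..f654279fe54
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/syslog File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010420
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /var/log/syslog
+ filegid: '4'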
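Review bot: This rule is Ubuntu-specific (`/var/log/syslog`, group `adm`, a single `stigid@ubuntu2004` reference) but carries no `prodtype:` key, unlike the two other new rules in this commit that set `prodtype: ubuntu2004`; without it the rule is presumably built for every product, where the file and the gid may not apply. Add `prodtype: ubuntu2004` after `documentation_complete: true`. A short comment on the last var, `# gid 4 is the adm group named in the OCIL text above`, would keep the numeric value and the prose from drifting apart.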
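diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
new file mode 100644
index 00000000000..655b2cd1aef
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that system commands directories are group owned by root'
+
+description: |-
+ System commands files are stored in the following directories by default:
+ /bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin
+
+ All these directories should be owned by the <tt>root</tt> group.
+ If the directory is found to be owned by a group other than root correct
+ its ownership with the following command:
+ $ sudo chgrp root DIR
+
+rationale: |-
+ If the operating system allows any user to make changes to software
+ libraries, then those changes might be implemented without undergoing the
+ appropriate testing and approvals that are part of a robust change management
+ process.
+ This requirement applies to operating systems with software libraries
+ that are accessible and configurable, as in the case of interpreted languages.
+ Software libraries also include privileged programs which execute with
+ escalated privileges. Only qualified and authorized individuals must be
+ allowed to obtain access to information system components for purposes
+ of initiating changes, including upgrades and modifications.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010425
+
+ocil_clause: 'any of these directories are not owned by root group'
+
+ocil: |-
+ System commands are stored in the following directories:
+ /bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin
+ For each of these directories, run the following command to find files not
+ owned by root group:
+ $ sudo find -L $DIR ! -group root -type d \;
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ filegid: '0'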
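Review bot: The command given in `ocil` is not valid as written: `$ sudo find -L $DIR ! -group root -type d \;` ends with a stray `\;` (the terminator of an `-exec` that is not there), and the sentence above it says it finds "files" while `-type d` selects directories. Change it to `$ sudo find -L DIR ! -group root -type d` and the wording to "directories not group-owned by root", matching the `$ sudo find -L DIR ! -group root -type f` form used in root_permissions_syslibrary_files in this same commit. The `rationale` block talks about software libraries and interpreted languages, which reads as copied from the library rule; it should explain why the system command directories themselves need root group ownership, since a writable command directory lets a non-root group member replace or shadow privileged binaries.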
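diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index 28df7839430..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
- find:
- paths:
- - "/usr/lib"
- - "/usr/lib64"
- - "/lib"
- - "/lib64"
- file_type: "directory"
- register: library_dirs_not_owned_by_root
-
-- name: "Set ownership of system library dirs to root"
- file:
- path: "{{ item.path }}"
- owner: "root"
- state: "directory"
- mode: "{{ item.mode }}"
- with_items: "{{ library_dirs_not_owned_by_root.files }}"
- when: library_dirs_not_owned_by_root.matched > 0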
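diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
new file mode 100644
index 00000000000..f61a5f988dc
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
@@ -0,0 +1,77 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools are owned by group root'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ ownership configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ $ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010201
+
+ocil: |-
+ Verify it by running the following command:
+ $ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ $ sudo chown :root [audit_tool]
+
+ Replace "[audit_tool]" with each audit tool not group-owned by root.
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ filegid: '0'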
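Review bot: The `srg` reference contains `SRG-OS-000256-GPiOS-00097`; every other SRG id on this page, including the second one on the same line, uses `GPOS`, so this looks like a typo that would break reference lookups and should read `srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098`. In the description, "configured to protected against" should be "configured to protect against", and "Audit tools needed to successfully view and manipulate ... report generators" is a fragment with no verb and no final period. The OCIL wording "the missing ones need to be added" is misleading: a line absent from the `stat` output means the tool has a group other than root (or the binary is not installed), not an entry to add — say "each tool listed without group root must have its group ownership corrected". Whether the template treats an absent binary in `filepath` as pass or fail is not visible here; if some of these tools are not shipped on every release, that behaviour decides whether this rule is usable.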
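diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
index bb7c72550e9..a9e8c7d8e25 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
 for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
 do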
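diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
index 7cf507ca5f4..33a0c85d35b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
@@ -1,10 +1,12 @@
 #!/bin/bash
 
+groupadd group_test
+
 for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
 do
 if [[ ! -f $TESTFILE ]]
 then
 touch $TESTFILE
 fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
 done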
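diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
deleted file mode 100644
index 08019fd48bb..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# reboot = false
-# strategy = restrict
-# complexity = high
-# disruption = medium
-
-- name: "Read list libraries without root ownership"
- find:
- paths:
- - "/usr/lib"
- - "/usr/lib64"
- - "/lib"
- - "/lib64"
- file_type: "file"
- register: library_files_not_group_owned_by_root
-
-- name: "Set group ownership of system library files to root"
- file:
- path: "{{ item.path }}"
- group: "root"
- state: "file"
- mode: "{{ item.mode }}"
- with_items: "{{ library_files_not_group_owned_by_root.files }}"
- when:
- - library_files_not_group_owned_by_root.matched > 0
- - item.gid != 0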
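diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
deleted file mode 100644
index 3a42beafb8a..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-
-find /lib \
-/lib64 \
-/usr/lib \
-/usr/lib64 \
-\! -group root -type f -exec chgrp root '{}' \;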
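diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
deleted file mode 100644
index f5ca9380b55..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<def-group>
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
- {{{ oval_metadata("
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
- are owned by root.
- ") }}}
- <criteria >
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
- </unix:file_test>
-
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
-
- are owned by root. -->
- <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
- </unix:file_state>
-</def-group>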
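diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 17923f52ea6..eaf04c8d36c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
 
 title: |-
 Verify the system-wide library files in directories
@@ -46,6 +46,7 @@ references:
 stigid@rhel8: RHEL-08-010350
 stigid@sle12: SLES-12-010875
 stigid@sle15: SLES-15-010355
+ stigid@ubuntu2004: UBTU-20-01430
 
 ocil_clause: 'system wide library files are not group owned by root'
 
@@ -59,3 +60,14 @@ ocil: |-
 To find if system-wide library files stored in these directories are not group-owned by
 root run the following command for each directory DIR:
 $ sudo find -L DIR ! -group root -type f
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ filegid: '0'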
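Review bot: The added reference `stigid@ubuntu2004: UBTU-20-01430` is one digit shorter than every other UBTU id on this page (`UBTU-20-010135`, `UBTU-20-010417`, `UBTU-20-010420`, `UBTU-20-010425`, `UBTU-20-010201`), so it is most likely missing a digit; verify it against the STIG rather than guessing the value, since a wrong id silently detaches the rule from its control. Moving this rule onto the `file_groupowner` template deletes the hand-written bash and ansible remediations (which ran `find ... -type f` over the four directories without descending) and the OVAL that only matched entries directly in `/lib`, `/lib64`, `/usr/lib`, `/usr/lib64`; the new vars give `file_regex: ^.*$` and no `recursive`, so confirm the generated check and fix keep the same scope and the same `-L` symlink handling — the template is not part of this diff. A one-line comment above `file_regex`, `# every entry directly under each dir, not recursive`, would record that intent for whoever edits it next.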
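diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
similarity index 86%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
index a4ae2854db1..0e982c3b8ca 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do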
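diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
similarity index 70%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
index c96f65b989c..23a7703f57d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -1,10 +1,11 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
+groupadd group_test
 for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
 do
 if [[ ! -f $TESTFILE ]]
 then
 touch $TESTFILE
 fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
 done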
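diff --git a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
index 938e6b30819..015ff98c99d 100644
--- a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
+++ b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
@@ -1,8 +1,20 @@
 #!/bin/bash
 #
 
-{{% if MISSING_FILE_PASS %}}
- rm -f {{{ FILEPATH }}}
-{{% else %}}
- true
-{{% endif %}}
+{{% for path in FILEPATH %}}
+ {{% if MISSING_FILE_PASS %}}
+ rm -f {{{ path }}}
+ {{% else %}}
+ {{% if IS_DIRECTORY and FILE_REGEX %}}
+ echo "Create specific tests for this rule because of regex"
+ {{% elif IS_DIRECTORY and RECURSIVE %}}
+ find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
+ {{% else %}}
+ if [ ! -f {{{ path }}} ]; then
+ mkdir -p "$(dirname '{{{ path }}}')"
+ touch {{{ path }}}
+ fi
+ chgrp {{{ FILEGID }}} {{{ path }}}
+ {{% endif %}}
+ {{% endif %}}
+{{% endfor %}}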
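Review bot: The `IS_DIRECTORY and FILE_REGEX` branch only echoes a message, so for regex-based rules this pass scenario sets nothing up and passes vacuously whenever the pristine image already complies, which hides a broken regex behind a green test; it would be better for the generated script to exit non-zero with that message, or for the template to skip emitting the scenario, than to succeed as a no-op. In the final `else` branch the `[ ! -f ... ]` test is true both for a missing file and for a directory, so when `path` is a directory var that does not exist yet `touch` creates a regular file and the rule is exercised against the wrong object type. Quoting is also inconsistent — `dirname '{{{ path }}}'` is quoted but `rm -f`, `touch`, `find -L` and `chgrp` receive the bare path — which only matters if a var can contain whitespace or glob characters, so keep the bare form if globbing is intended and say so in a comment. A directory-aware version of the `else` branch, with consistent quoting, is sketched below.

```shell
{{% else %}}
if [ ! -e "{{{ path }}}" ]; then
    {{% if IS_DIRECTORY %}}
    mkdir -p "{{{ path }}}"
    {{% else %}}
    mkdir -p "$(dirname '{{{ path }}}')"
    touch "{{{ path }}}"
    {{% endif %}}
fi
chgrp {{{ FILEGID }}} "{{{ path }}}"
# … unchanged: closing endif / endif / endfor …
```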