commit 3cd2b8efbf9d91967e3e65bd2029f7ab3d400314

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Thu Feb 24 18:22:28 2022 +0100

    Manual edited patch scap-security-guide-0.1.61-file_groupowner-PR_7791.patch.

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml

new file mode 100644

index 0000000..de85c89

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml

@@ -0,0 +1,38 @@

+documentation_complete: true

+

+title: 'Audit Configuration Files Must Be Owned By Group root'

+

+description: |-

+    All audit configuration files must be owned by group root.

+    
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*

+

+rationale: |-

+    Without the capability to restrict which roles and individuals can

+    select which events are audited, unauthorized personnel may be able

+    to prevent the auditing of critical events.

+    Misconfigured audits may degrade the system's performance by

+    overwhelming the audit log. Misconfigured audits may also make it more

+    difficult to establish, correlate, and investigate the events relating

+    to an incident or identify those responsible for one.

+

+severity: medium

+

+references:

+    disa: CCI-000171

+    srg: SRG-OS-000063-GPOS-00032

+    stigid@ubuntu2004: UBTU-20-010135

+

+ocil: |-

+    {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}

+    {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}

+

+template:

+    name: file_groupowner

+    vars:

+        filepath:

+            - /etc/audit/

+            - /etc/audit/rules.d/

+        file_regex:

+            - ^audit(\.rules|d\.conf)$

+            - ^.*\.rules$

+        filegid: '0'

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh

new file mode 100644

index 0000000..5235e0d

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+export TESTFILE=/etc/audit/rules.d/test_rule.rules

+export AUDITFILE=/etc/audit/auditd.conf

+mkdir -p /etc/audit/rules.d/

+touch $TESTFILE

+touch $AUDITFILE

+chgrp root $TESTFILE

+chgrp root $AUDITFILE

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh

new file mode 100644

index 0000000..52378d8

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+groupadd group_test

+export TESTFILLE=/etc/audit/rules.d/test_rule.rules

+export AUDITFILE=/etc/audit/auditd.conf

+mkdir -p /etc/audit/rules.d/

+touch $TESTFILLE

+touch $AUDITFILE

+chgrp group_test $TESTFILLE

+chgrp group_test $AUDITFILE

diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml

index 5ddaf9f..b99705d 100644

--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml

@@ -1,8 +1,15 @@

+{{% if 'ubuntu' in product %}}

+{{% set gid = 'syslog' %}}

+{{% else %}}

+{{% set gid = 'root' %}}

+{{% endif %}}

+

+

 documentation_complete: true

 title: 'Verify Group Who Owns /var/log Directory'

-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'

+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'

 rationale: |-

     The <tt>/var/log</tt> directory contains files with logs of error

@@ -21,13 +28,16 @@ references:

     stigid@rhel8: RHEL-08-010260

     stigid@ubuntu2004: UBTU-20-010417

-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'

+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'

 ocil: |-

-    {{{ ocil_file_group_owner(file="/var/log", group="root") }}}

+    {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}

 template:

     name: file_groupowner

     vars:

         filepath: /var/log/

         filegid: '0'

+        filegid@ubuntu1604: '110'

+        filegid@ubuntu1804: '110'

+        filegid@ubuntu2004: '110'

diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml

new file mode 100644

index 0000000..f654279

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml

@@ -0,0 +1,27 @@

+documentation_complete: true

+

+title: 'Verify Group Who Owns /var/log/syslog File'

+

+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'

+

+rationale: |-

+    The <tt>/var/log/syslog</tt> file contains logs of error messages in

+    the system and should only be accessed by authorized personnel.

+

+severity: medium

+

+references:

+    disa: CCI-001314

+    srg: SRG-OS-000206-GPOS-00084

+    stigid@ubuntu2004: UBTU-20-010420

+

+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'

+

+ocil: |-

+    {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}

+

+template:

+    name: file_groupowner

+    vars:

+        filepath: /var/log/syslog

+        filegid: '4'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml

new file mode 100644

index 0000000..655b2cd

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml

@@ -0,0 +1,65 @@

+documentation_complete: true

+

+prodtype: ubuntu2004

+

+title: 'Verify that system commands directories are group owned by root'

+

+description: |-

+    System commands files are stored in the following directories by default:

+    
/bin

+    /sbin

+    /usr/bin

+    /usr/sbin

+    /usr/local/bin

+    /usr/local/sbin

+    

+    All these directories should be owned by the <tt>root</tt> group.

+    If the directory is found to be owned by a group other than root correct

+    its ownership with the following command:

+    
$ sudo chgrp root DIR

+

+rationale: |-

+    If the operating system allows any user to make changes to software

+    libraries, then those changes might be implemented without undergoing the

+    appropriate testing and approvals that are part of a robust change management

+    process.

+    This requirement applies to operating systems with software libraries

+    that are accessible and configurable, as in the case of interpreted languages.

+    Software libraries also include privileged programs which execute with

+    escalated privileges. Only qualified and authorized individuals must be

+    allowed to obtain access to information system components for purposes

+    of initiating changes, including upgrades and modifications.

+

+severity: medium

+

+references:

+    disa: CCI-001495

+    srg: SRG-OS-000258-GPOS-00099

+    stigid@ubuntu2004: UBTU-20-010425

+

+ocil_clause: 'any of these directories are not owned by root group'

+ 

+ocil: |-

+    System commands are stored in the following directories:

+    
/bin

+    /sbin

+    /usr/bin

+    /usr/sbin

+    /usr/local/bin

+    /usr/local/sbin

+    For each of these directories, run the following command to find files not

+    owned by root group:

+    
$ sudo find -L $DIR ! -group root -type d \;

+

+template:

+    name: file_groupowner

+    vars:

+        filepath:

+            - /bin/

+            - /sbin/

+            - /usr/bin/

+            - /usr/sbin/

+            - /usr/local/bin/

+            - /usr/local/sbin/

+        recursive: 'true'

+        filegid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml

deleted file mode 100644

index 28df783..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml

+++ /dev/null

@@ -1,23 +0,0 @@

-# platform = multi_platform_sle

-# reboot = false

-# strategy = restrict

-# complexity = medium

-# disruption = medium

-- name: "Read list libraries without root ownership"

-  find:

-    paths:

-      - "/usr/lib"

-      - "/usr/lib64"

-      - "/lib"

-      - "/lib64"

-    file_type: "directory"

-  register: library_dirs_not_owned_by_root

-

-- name: "Set ownership of system library dirs to root"

-  file:

-    path: "{{ item.path }}"

-    owner: "root"

-    state: "directory"

-    mode: "{{ item.mode }}"

-  with_items: "{{ library_dirs_not_owned_by_root.files }}"

-  when: library_dirs_not_owned_by_root.matched > 0

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml

new file mode 100644

index 0000000..f61a5f9

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml

@@ -0,0 +1,77 @@

+documentation_complete: true

+

+prodtype: ubuntu2004

+

+title: 'Verify that audit tools are owned by group root'

+

+description: |-

+    The {{{ full_name }}} operating system audit tools must have the proper

+    ownership configured to protected against unauthorized access.

+

+    Verify it by running the following command:

+    
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

+

+    /sbin/auditctl root

+    /sbin/aureport root

+    /sbin/ausearch root

+    /sbin/autrace root

+    /sbin/auditd root

+    /sbin/audispd root

+    /sbin/augenrules root

+    

+

+    Audit tools needed to successfully view and manipulate audit information

+    system activity and records. Audit tools include custom queries and report

+    generators

+

+rationale: |-

+    Protecting audit information also includes identifying and protecting the

+    tools used to view and manipulate log data. Therefore, protecting audit

+    tools is necessary to prevent unauthorized operation on audit information.

+ 

+    Operating systems providing tools to interface with audit information

+    will leverage user permissions and roles identifying the user accessing the

+    tools and the corresponding rights the user enjoys to make access decisions

+    regarding the access to audit tools.

+

+severity: medium

+

+references:

+    disa: CCI-001493,CCI-001494

+    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098

+    stigid@ubuntu2004: UBTU-20-010201

+

+ocil: |-

+    Verify it by running the following command:

+    
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

+

+    /sbin/auditctl root

+    /sbin/aureport root

+    /sbin/ausearch root

+    /sbin/autrace root

+    /sbin/auditd root

+    /sbin/audispd root

+    /sbin/augenrules root

+    

+

+    If the command does not return all the above lines, the missing ones

+    need to be added.

+

+    Run the following command to correct the permissions of the missing

+    entries:

+    
$ sudo chown :root [audit_tool] 

+

+    Replace "[audit_tool]" with each audit tool not group-owned by root.

+

+template:

+    name: file_groupowner

+    vars:

+        filepath:

+            - /sbin/auditctl

+            - /sbin/aureport

+            - /sbin/ausearch

+            - /sbin/autrace

+            - /sbin/auditd

+            - /sbin/audispd

+            - /sbin/augenrules

+        filegid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

index 5598e47..a9e8c7d 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu

 for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin

 do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh

index 7cf507c..33a0c85 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh

@@ -1,10 +1,12 @@

 #!/bin/bash

+groupadd group_test

+

 for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me

 do

    if [[ ! -f $TESTFILE ]]

    then

      touch $TESTFILE

    fi

-   chown nobody.nobody $TESTFILE

+   chgrp group_test $TESTFILE

 done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

deleted file mode 100644

index f5ca938..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

+++ /dev/null

@@ -1,27 +0,0 @@

-<def-group>

-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">

-    {{{ oval_metadata("

-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64

-        are owned by root.

-      ") }}}

-    <criteria >

-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />

-    </criteria>

-  </definition>

-

-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">

-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />

-  </unix:file_test>

-

-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">

-    

-        are owned by root. -->

-    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>

-    <unix:filename operation="pattern match">^.*$</unix:filename>

-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>

-  </unix:file_object>

-

-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >

-    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>

-  </unix:file_state>

-</def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

index 83371b8..3b983de 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

@@ -1,6 +1,6 @@

 documentation_complete: true

-prodtype: sle12,sle15,rhel8,fedora

+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004

 title: |-

     Verify the system-wide library files in directories

@@ -44,6 +44,7 @@ references:

     stigid@rhel8: RHEL-08-010350

     stigid@sle12: SLES-12-010875

     stigid@sle15: SLES-15-010355

+    stigid@ubuntu2004: UBTU-20-01430

 ocil_clause: 'system wide library files are not group owned by root'

@@ -57,3 +58,14 @@ ocil: |-

     To find if system-wide library files stored in these directories are not group-owned by

     root run the following command for each directory DIR:

     
$ sudo find -L DIR ! -group root -type f 

+

+template:

+    name: file_groupowner

+    vars:

+        filepath:

+            - /lib/

+            - /lib64/

+            - /usr/lib/

+            - /usr/lib64/

+        file_regex: ^.*$

+        filegid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

index a4ae285..0e982c3 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu

 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

 do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh

new file mode 100644

index 0000000..a4ae285

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh

@@ -0,0 +1,9 @@

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+

+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

+do

+    if [[ -d $SYSLIBDIRS  ]]

+    then

+        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;

+    fi

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

index c96f65b..23a7703 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

@@ -1,10 +1,11 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu

+groupadd group_test

 for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

 do

    if [[ ! -f $TESTFILE ]]

    then

      touch $TESTFILE

    fi

-   chown nobody.nobody $TESTFILE

+   chgrp group_test $TESTFILE

 done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh

new file mode 100644

index 0000000..c96f65b

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh

@@ -0,0 +1,10 @@

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+

+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

+do

+   if [[ ! -f $TESTFILE ]]

+   then

+     touch $TESTFILE

+   fi

+   chown nobody.nobody $TESTFILE

+done