Blame SOURCES/scap-security-guide-0.1.61-file_owner-PR_7789.patch

07cb6b
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..968ef336148
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
07cb6b
@@ -0,0 +1,39 @@
07cb6b
+documentation_complete: true
07cb6b
+
07cb6b
+title: 'Audit Configuration Files Must Be Owned By Root'
07cb6b
+
07cb6b
+description: |-
07cb6b
+    All audit configuration files must be owned by root user.
07cb6b
+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
07cb6b
+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
07cb6b
+
07cb6b
+rationale: |-
07cb6b
+    Without the capability to restrict which roles and individuals can
07cb6b
+    select which events are audited, unauthorized personnel may be able
07cb6b
+    to prevent the auditing of critical events.
07cb6b
+    Misconfigured audits may degrade the system's performance by
07cb6b
+    overwhelming the audit log. Misconfigured audits may also make it more
07cb6b
+    difficult to establish, correlate, and investigate the events relating
07cb6b
+    to an incident or identify those responsible for one.
07cb6b
+
07cb6b
+severity: medium
07cb6b
+
07cb6b
+references:
07cb6b
+    disa: CCI-000171
07cb6b
+    srg: SRG-OS-000063-GPOS-00032
07cb6b
+    stigid@ubuntu2004: UBTU-20-010134
07cb6b
+
07cb6b
+ocil: |-
07cb6b
+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
07cb6b
+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
07cb6b
+
07cb6b
+template:
07cb6b
+    name: file_owner
07cb6b
+    vars:
07cb6b
+        filepath:
07cb6b
+            - /etc/audit/
07cb6b
+            - /etc/audit/rules.d/
07cb6b
+        file_regex:
07cb6b
+            - ^audit(\.rules|d\.conf)$
07cb6b
+            - ^.*\.rules$
07cb6b
+        fileuid: '0'
07cb6b
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..4d67307a1ef
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
07cb6b
@@ -0,0 +1,6 @@
07cb6b
+#!/bin/bash
07cb6b
+# packages = audit
07cb6b
+
07cb6b
+chown 0 /etc/audit/audit.rules
07cb6b
+chown 0 /etc/audit/auditd.conf
07cb6b
+chown 0 -R /etc/audit/rules.d/
07cb6b
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..337074fab92
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
07cb6b
@@ -0,0 +1,7 @@
07cb6b
+#!/bin/bash
07cb6b
+# packages = audit
07cb6b
+
07cb6b
+useradd testuser_123
07cb6b
+chown testuser_123 /etc/audit/audit.rules
07cb6b
+chown testuser_123 /etc/audit/auditd.conf
07cb6b
+chown testuser_123 -R /etc/audit/rules.d/
07cb6b
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..f1bf515455d
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
07cb6b
@@ -0,0 +1,27 @@
07cb6b
+documentation_complete: true
07cb6b
+
07cb6b
+title: 'Verify User Who Owns /var/log/syslog File'
07cb6b
+
07cb6b
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
07cb6b
+
07cb6b
+rationale: |-
07cb6b
+    The <tt>/var/log/syslog</tt> file contains logs of error messages in
07cb6b
+    the system and should only be accessed by authorized personnel.
07cb6b
+
07cb6b
+severity: medium
07cb6b
+
07cb6b
+references:
07cb6b
+    disa: CCI-001314
07cb6b
+    srg: SRG-OS-000206-GPOS-00084
07cb6b
+    stigid@ubuntu2004: UBTU-20-010421
07cb6b
+
07cb6b
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
07cb6b
+
07cb6b
+ocil: |-
07cb6b
+    {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
07cb6b
+
07cb6b
+template:
07cb6b
+    name: file_owner
07cb6b
+    vars:
07cb6b
+        filepath: /var/log/syslog
07cb6b
+        fileuid: '104'
07cb6b
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..e2362388678
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
07cb6b
@@ -0,0 +1,55 @@
07cb6b
+documentation_complete: true
07cb6b
+
07cb6b
+title: 'Verify that System Executable Have Root Ownership'
07cb6b
+
07cb6b
+description: |-
07cb6b
+    
/bin
07cb6b
+    /sbin
07cb6b
+    /usr/bin
07cb6b
+    /usr/sbin
07cb6b
+    /usr/local/bin
07cb6b
+    /usr/local/sbin
07cb6b
+    All these directories should be owned by the <tt>root</tt> user.
07cb6b
+    If any directory DIR in these directories is found
07cb6b
+    to be owned by a user other than root, correct its ownership with the
07cb6b
+    following command:
07cb6b
+    
$ sudo chown root DIR
07cb6b
+
07cb6b
+rationale: |-
07cb6b
+    System binaries are executed by privileged users as well as system services,
07cb6b
+    and restrictive permissions are necessary to ensure that their
07cb6b
+    execution of these programs cannot be co-opted.
07cb6b
+
07cb6b
+severity: medium
07cb6b
+
07cb6b
+references:
07cb6b
+    disa: CCI-001495
07cb6b
+    srg: SRG-OS-000258-GPOS-00099
07cb6b
+    stigid@ubuntu2004: UBTU-20-010424
07cb6b
+
07cb6b
+ocil_clause: 'any system exectables directories are found to not be owned by root'
07cb6b
+
07cb6b
+ocil: |-
07cb6b
+    System executables are stored in the following directories by default:
07cb6b
+    
/bin
07cb6b
+    /sbin
07cb6b
+    /usr/bin
07cb6b
+    /usr/local/bin
07cb6b
+    /usr/local/sbin
07cb6b
+    /usr/sbin
07cb6b
+    For each of these directories, run the following command to find files
07cb6b
+    not owned by root:
07cb6b
+    
$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;
07cb6b
+
07cb6b
+template:
07cb6b
+    name: file_owner
07cb6b
+    vars:
07cb6b
+        filepath:
07cb6b
+            - /bin/
07cb6b
+            - /sbin/
07cb6b
+            - /usr/bin/
07cb6b
+            - /usr/sbin/
07cb6b
+            - /usr/local/bin/
07cb6b
+            - /usr/local/sbin/
07cb6b
+        recursive: 'true'
07cb6b
+        fileuid: '0'
07cb6b
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..0c7d9b313d5
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
07cb6b
@@ -0,0 +1,77 @@
07cb6b
+documentation_complete: true
07cb6b
+
07cb6b
+prodtype: ubuntu2004
07cb6b
+
07cb6b
+title: 'Verify that audit tools are owned by root'
07cb6b
+
07cb6b
+description: |-
07cb6b
+    The {{{ full_name }}} operating system audit tools must have the proper
07cb6b
+    ownership configured to protected against unauthorized access.
07cb6b
+
07cb6b
+    Verify it by running the following command:
07cb6b
+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
07cb6b
+
07cb6b
+    /sbin/auditctl root
07cb6b
+    /sbin/aureport root
07cb6b
+    /sbin/ausearch root
07cb6b
+    /sbin/autrace root
07cb6b
+    /sbin/auditd root
07cb6b
+    /sbin/audispd root
07cb6b
+    /sbin/augenrules root
07cb6b
+    
07cb6b
+
07cb6b
+    Audit tools needed to successfully view and manipulate audit information
07cb6b
+    system activity and records. Audit tools include custom queries and report
07cb6b
+    generators
07cb6b
+
07cb6b
+rationale: |-
07cb6b
+    Protecting audit information also includes identifying and protecting the
07cb6b
+    tools used to view and manipulate log data. Therefore, protecting audit
07cb6b
+    tools is necessary to prevent unauthorized operation on audit information.
07cb6b
+ 
07cb6b
+    Operating systems providing tools to interface with audit information
07cb6b
+    will leverage user permissions and roles identifying the user accessing the
07cb6b
+    tools and the corresponding rights the user enjoys to make access decisions
07cb6b
+    regarding the access to audit tools.
07cb6b
+
07cb6b
+severity: medium
07cb6b
+
07cb6b
+references:
07cb6b
+    disa: CCI-001493,CCI-001494
07cb6b
+    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
07cb6b
+    stigid@ubuntu2004: UBTU-20-010200
07cb6b
+
07cb6b
+ocil: |-
07cb6b
+    Verify it by running the following command:
07cb6b
+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
07cb6b
+
07cb6b
+    /sbin/auditctl root
07cb6b
+    /sbin/aureport root
07cb6b
+    /sbin/ausearch root
07cb6b
+    /sbin/autrace root
07cb6b
+    /sbin/auditd root
07cb6b
+    /sbin/audispd root
07cb6b
+    /sbin/augenrules root
07cb6b
+    
07cb6b
+
07cb6b
+    If the command does not return all the above lines, the missing ones
07cb6b
+    need to be added.
07cb6b
+
07cb6b
+    Run the following command to correct the permissions of the missing
07cb6b
+    entries:
07cb6b
+    
$ sudo chown root [audit_tool] 
07cb6b
+
07cb6b
+    Replace "[audit_tool]" with each audit tool not owned by root.
07cb6b
+
07cb6b
+template:
07cb6b
+    name: file_owner
07cb6b
+    vars:
07cb6b
+        filepath:
07cb6b
+            - /sbin/auditctl
07cb6b
+            - /sbin/aureport
07cb6b
+            - /sbin/ausearch
07cb6b
+            - /sbin/autrace
07cb6b
+            - /sbin/auditd
07cb6b
+            - /sbin/audispd
07cb6b
+            - /sbin/augenrules
07cb6b
+        fileuid: '0'
07cb6b
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
07cb6b
index 80eaae8d50b..590c9fc6055 100644
07cb6b
--- a/shared/templates/file_owner/ansible.template
07cb6b
+++ b/shared/templates/file_owner/ansible.template
07cb6b
@@ -25,7 +25,7 @@
07cb6b
 
07cb6b
 - name: Ensure owner on {{{ path }}} recursively
07cb6b
   file:
07cb6b
-    paths "{{{ path }}}"
07cb6b
+    path: "{{{ path }}}"
07cb6b
     state: directory
07cb6b
     recurse: yes
07cb6b
     owner: "{{{ FILEUID }}}"
07cb6b
diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh
07cb6b
index 938e6b30819..4e3683f9dcf 100644
07cb6b
--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh
07cb6b
+++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh
07cb6b
@@ -1,8 +1,18 @@
07cb6b
 #!/bin/bash
07cb6b
 #
07cb6b
 
07cb6b
-{{% if MISSING_FILE_PASS %}}
07cb6b
-    rm -f {{{ FILEPATH }}}
07cb6b
-{{% else %}}
07cb6b
-    true
07cb6b
-{{% endif %}}
07cb6b
+{{% for path in FILEPATH %}}
07cb6b
+    {{% if MISSING_FILE_PASS %}}
07cb6b
+        rm -f {{{ path }}}
07cb6b
+    {{% else %}}
07cb6b
+        {{% if IS_DIRECTORY and RECURSIVE %}}
07cb6b
+        find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
07cb6b
+        {{% else %}}
07cb6b
+        if [ ! -f {{{ path }}} ]; then
07cb6b
+            mkdir -p "$(dirname '{{{ path }}}')"
07cb6b
+            touch {{{ path }}}
07cb6b
+        fi
07cb6b
+        chown {{{ FILEUID }}} {{{ path }}}
07cb6b
+        {{% endif %}}
07cb6b
+    {{% endif %}}
07cb6b
+{{% endfor %}}