|
 |
ff1465 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..968ef336148
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
|
|
ff1465 |
@@ -0,0 +1,39 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'Audit Configuration Files Must Be Owned By Root'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: |-
|
|
|
ff1465 |
+ All audit configuration files must be owned by root user.
|
|
|
ff1465 |
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
|
|
ff1465 |
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+rationale: |-
|
|
|
ff1465 |
+ Without the capability to restrict which roles and individuals can
|
|
|
ff1465 |
+ select which events are audited, unauthorized personnel may be able
|
|
|
ff1465 |
+ to prevent the auditing of critical events.
|
|
|
ff1465 |
+ Misconfigured audits may degrade the system's performance by
|
|
|
ff1465 |
+ overwhelming the audit log. Misconfigured audits may also make it more
|
|
|
ff1465 |
+ difficult to establish, correlate, and investigate the events relating
|
|
|
ff1465 |
+ to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+severity: medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+references:
|
|
|
ff1465 |
+ disa: CCI-000171
|
|
|
ff1465 |
+ srg: SRG-OS-000063-GPOS-00032
|
|
|
ff1465 |
+ stigid@ubuntu2004: UBTU-20-010134
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil: |-
|
|
|
ff1465 |
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
|
|
ff1465 |
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+template:
|
|
|
ff1465 |
+ name: file_owner
|
|
|
ff1465 |
+ vars:
|
|
|
ff1465 |
+ filepath:
|
|
|
ff1465 |
+ - /etc/audit/
|
|
|
ff1465 |
+ - /etc/audit/rules.d/
|
|
|
ff1465 |
+ file_regex:
|
|
|
ff1465 |
+ - ^audit(\.rules|d\.conf)$
|
|
|
ff1465 |
+ - ^.*\.rules$
|
|
|
ff1465 |
+ fileuid: '0'
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..4d67307a1ef
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = audit
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+chown 0 /etc/audit/audit.rules
|
|
|
ff1465 |
+chown 0 /etc/audit/auditd.conf
|
|
|
ff1465 |
+chown 0 -R /etc/audit/rules.d/
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..337074fab92
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,7 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = audit
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+useradd testuser_123
|
|
|
ff1465 |
+chown testuser_123 /etc/audit/audit.rules
|
|
|
ff1465 |
+chown testuser_123 /etc/audit/auditd.conf
|
|
|
ff1465 |
+chown testuser_123 -R /etc/audit/rules.d/
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..f1bf515455d
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
|
|
ff1465 |
@@ -0,0 +1,27 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'Verify User Who Owns /var/log/syslog File'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+rationale: |-
|
|
|
ff1465 |
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
|
|
ff1465 |
+ the system and should only be accessed by authorized personnel.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+severity: medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+references:
|
|
|
ff1465 |
+ disa: CCI-001314
|
|
|
ff1465 |
+ srg: SRG-OS-000206-GPOS-00084
|
|
|
ff1465 |
+ stigid@ubuntu2004: UBTU-20-010421
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil: |-
|
|
|
ff1465 |
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+template:
|
|
|
ff1465 |
+ name: file_owner
|
|
|
ff1465 |
+ vars:
|
|
|
ff1465 |
+ filepath: /var/log/syslog
|
|
|
ff1465 |
+ fileuid: '104'
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..e2362388678
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
|
|
ff1465 |
@@ -0,0 +1,55 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'Verify that System Executable Have Root Ownership'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: |-
|
|
|
ff1465 |
+ /bin
|
|
|
ff1465 |
+ /sbin
|
|
|
ff1465 |
+ /usr/bin
|
|
|
ff1465 |
+ /usr/sbin
|
|
|
ff1465 |
+ /usr/local/bin
|
|
|
ff1465 |
+ /usr/local/sbin
|
|
|
ff1465 |
+ All these directories should be owned by the <tt>root</tt> user.
|
|
|
ff1465 |
+ If any directory DIR in these directories is found
|
|
|
ff1465 |
+ to be owned by a user other than root, correct its ownership with the
|
|
|
ff1465 |
+ following command:
|
|
|
ff1465 |
+ $ sudo chown root DIR
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+rationale: |-
|
|
|
ff1465 |
+ System binaries are executed by privileged users as well as system services,
|
|
|
ff1465 |
+ and restrictive permissions are necessary to ensure that their
|
|
|
ff1465 |
+ execution of these programs cannot be co-opted.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+severity: medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+references:
|
|
|
ff1465 |
+ disa: CCI-001495
|
|
|
ff1465 |
+ srg: SRG-OS-000258-GPOS-00099
|
|
|
ff1465 |
+ stigid@ubuntu2004: UBTU-20-010424
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil_clause: 'any system exectables directories are found to not be owned by root'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil: |-
|
|
|
ff1465 |
+ System executables are stored in the following directories by default:
|
|
|
ff1465 |
+ /bin
|
|
|
ff1465 |
+ /sbin
|
|
|
ff1465 |
+ /usr/bin
|
|
|
ff1465 |
+ /usr/local/bin
|
|
|
ff1465 |
+ /usr/local/sbin
|
|
|
ff1465 |
+ /usr/sbin
|
|
|
ff1465 |
+ For each of these directories, run the following command to find files
|
|
|
ff1465 |
+ not owned by root:
|
|
|
ff1465 |
+ $ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+template:
|
|
|
ff1465 |
+ name: file_owner
|
|
|
ff1465 |
+ vars:
|
|
|
ff1465 |
+ filepath:
|
|
|
ff1465 |
+ - /bin/
|
|
|
ff1465 |
+ - /sbin/
|
|
|
ff1465 |
+ - /usr/bin/
|
|
|
ff1465 |
+ - /usr/sbin/
|
|
|
ff1465 |
+ - /usr/local/bin/
|
|
|
ff1465 |
+ - /usr/local/sbin/
|
|
|
ff1465 |
+ recursive: 'true'
|
|
|
ff1465 |
+ fileuid: '0'
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
5fd106 |
index 00000000000..0c7d9b313d5
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
|
|
ff1465 |
@@ -0,0 +1,77 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+prodtype: ubuntu2004
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'Verify that audit tools are owned by root'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: |-
|
|
|
ff1465 |
+ The {{{ full_name }}} operating system audit tools must have the proper
|
|
|
ff1465 |
+ ownership configured to protected against unauthorized access.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ Verify it by running the following command:
|
|
|
ff1465 |
+ $ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ /sbin/auditctl root
|
|
|
ff1465 |
+ /sbin/aureport root
|
|
|
ff1465 |
+ /sbin/ausearch root
|
|
|
ff1465 |
+ /sbin/autrace root
|
|
|
ff1465 |
+ /sbin/auditd root
|
|
|
ff1465 |
+ /sbin/audispd root
|
|
|
ff1465 |
+ /sbin/augenrules root
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ Audit tools needed to successfully view and manipulate audit information
|
|
|
ff1465 |
+ system activity and records. Audit tools include custom queries and report
|
|
|
ff1465 |
+ generators
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+rationale: |-
|
|
|
ff1465 |
+ Protecting audit information also includes identifying and protecting the
|
|
|
ff1465 |
+ tools used to view and manipulate log data. Therefore, protecting audit
|
|
|
ff1465 |
+ tools is necessary to prevent unauthorized operation on audit information.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ Operating systems providing tools to interface with audit information
|
|
|
ff1465 |
+ will leverage user permissions and roles identifying the user accessing the
|
|
|
ff1465 |
+ tools and the corresponding rights the user enjoys to make access decisions
|
|
|
ff1465 |
+ regarding the access to audit tools.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+severity: medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+references:
|
|
|
ff1465 |
+ disa: CCI-001493,CCI-001494
|
|
|
ff1465 |
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
|
|
|
ff1465 |
+ stigid@ubuntu2004: UBTU-20-010200
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil: |-
|
|
|
ff1465 |
+ Verify it by running the following command:
|
|
|
ff1465 |
+ $ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ /sbin/auditctl root
|
|
|
ff1465 |
+ /sbin/aureport root
|
|
|
ff1465 |
+ /sbin/ausearch root
|
|
|
ff1465 |
+ /sbin/autrace root
|
|
|
ff1465 |
+ /sbin/auditd root
|
|
|
ff1465 |
+ /sbin/audispd root
|
|
|
ff1465 |
+ /sbin/augenrules root
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ If the command does not return all the above lines, the missing ones
|
|
|
ff1465 |
+ need to be added.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ Run the following command to correct the permissions of the missing
|
|
|
ff1465 |
+ entries:
|
|
|
ff1465 |
+ $ sudo chown root [audit_tool]
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ Replace "[audit_tool]" with each audit tool not owned by root.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+template:
|
|
|
ff1465 |
+ name: file_owner
|
|
|
ff1465 |
+ vars:
|
|
|
ff1465 |
+ filepath:
|
|
|
ff1465 |
+ - /sbin/auditctl
|
|
|
ff1465 |
+ - /sbin/aureport
|
|
|
ff1465 |
+ - /sbin/ausearch
|
|
|
ff1465 |
+ - /sbin/autrace
|
|
|
ff1465 |
+ - /sbin/auditd
|
|
|
ff1465 |
+ - /sbin/audispd
|
|
|
ff1465 |
+ - /sbin/augenrules
|
|
|
ff1465 |
+ fileuid: '0'
|
|
|
ff1465 |
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
|
|
5fd106 |
index 80eaae8d50b..590c9fc6055 100644
|
|
|
ff1465 |
--- a/shared/templates/file_owner/ansible.template
|
|
|
ff1465 |
+++ b/shared/templates/file_owner/ansible.template
|
|
|
ff1465 |
@@ -25,7 +25,7 @@
|
|
|
ff1465 |
|
|
|
ff1465 |
- name: Ensure owner on {{{ path }}} recursively
|
|
|
ff1465 |
file:
|
|
|
ff1465 |
- paths "{{{ path }}}"
|
|
|
ff1465 |
+ path: "{{{ path }}}"
|
|
|
ff1465 |
state: directory
|
|
|
ff1465 |
recurse: yes
|
|
|
ff1465 |
owner: "{{{ FILEUID }}}"
|
|
|
5fd106 |
diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
|
|
5fd106 |
index 938e6b30819..4e3683f9dcf 100644
|
|
|
5fd106 |
--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
|
|
5fd106 |
+++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
|
|
5fd106 |
@@ -1,8 +1,18 @@
|
|
|
5fd106 |
#!/bin/bash
|
|
|
5fd106 |
#
|
|
|
5fd106 |
|
|
|
5fd106 |
-{{% if MISSING_FILE_PASS %}}
|
|
|
5fd106 |
- rm -f {{{ FILEPATH }}}
|
|
|
5fd106 |
-{{% else %}}
|
|
|
5fd106 |
- true
|
|
|
5fd106 |
-{{% endif %}}
|
|
|
5fd106 |
+{{% for path in FILEPATH %}}
|
|
|
5fd106 |
+ {{% if MISSING_FILE_PASS %}}
|
|
|
5fd106 |
+ rm -f {{{ path }}}
|
|
|
5fd106 |
+ {{% else %}}
|
|
|
5fd106 |
+ {{% if IS_DIRECTORY and RECURSIVE %}}
|
|
|
5fd106 |
+ find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
|
|
|
5fd106 |
+ {{% else %}}
|
|
|
5fd106 |
+ if [ ! -f {{{ path }}} ]; then
|
|
|
5fd106 |
+ mkdir -p "$(dirname '{{{ path }}}')"
|
|
|
5fd106 |
+ touch {{{ path }}}
|
|
|
5fd106 |
+ fi
|
|
|
5fd106 |
+ chown {{{ FILEUID }}} {{{ path }}}
|
|
|
5fd106 |
+ {{% endif %}}
|
|
|
5fd106 |
+ {{% endif %}}
|
|
|
5fd106 |
+{{% endfor %}}
|