commit 74bab352f4bb5b52beaf70c6f23f60d4af4f9518
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:42:09 2022 +0100
Manual edited scap-security-guide-0.1.61-file_owner-PR_7789.patch.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
new file mode 100644
index 0000000..968ef33
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Root'
+
+description: |-
+ All audit configuration files must be owned by root user.
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can
+ select which events are audited, unauthorized personnel may be able
+ to prevent the auditing of critical events.
+ Misconfigured audits may degrade the system's performance by
+ overwhelming the audit log. Misconfigured audits may also make it more
+ difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+ disa: CCI-000171
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@ubuntu2004: UBTU-20-010134
+
+ocil: |-
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /etc/audit/
+ - /etc/audit/rules.d/
+ file_regex:
+ - ^audit(\.rules|d\.conf)$
+ - ^.*\.rules$
+ fileuid: '0'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
new file mode 100644
index 0000000..4d67307
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+chown 0 /etc/audit/audit.rules
+chown 0 /etc/audit/auditd.conf
+chown 0 -R /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
new file mode 100644
index 0000000..337074f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+useradd testuser_123
+chown testuser_123 /etc/audit/audit.rules
+chown testuser_123 /etc/audit/auditd.conf
+chown testuser_123 -R /etc/audit/rules.d/
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
new file mode 100644
index 0000000..f1bf515
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/syslog File'
+
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010421
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/syslog
+ fileuid: '104'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
new file mode 100644
index 0000000..e236238
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
@@ -0,0 +1,55 @@
+documentation_complete: true
+
+title: 'Verify that System Executable Have Root Ownership'
+
+description: |-
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin</pre>
+ All these directories should be owned by the <tt>root</tt> user.
+ If any directory <i>DIR</i> in these directories is found
+ to be owned by a user other than root, correct its ownership with the
+ following command:
+ <pre>$ sudo chown root <i>DIR</i></pre>
+
+rationale: |-
+ System binaries are executed by privileged users as well as system services,
+ and restrictive permissions are necessary to ensure that their
+ execution of these programs cannot be co-opted.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010424
+
+ocil_clause: 'any system exectables directories are found to not be owned by root'
+
+ocil: |-
+ System executables are stored in the following directories by default:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/local/bin
+ /usr/local/sbin
+ /usr/sbin</pre>
+ For each of these directories, run the following command to find files
+ not owned by root:
+ <pre>$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
new file mode 100644
index 0000000..0c7d9b3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
@@ -0,0 +1,77 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools are owned by root'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ ownership configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010200
+
+ocil: |-
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ <pre>$ sudo chown root [audit_tool] </pre>
+
+ Replace "[audit_tool]" with each audit tool not owned by root.
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ fileuid: '0'
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 4c76824..487de82 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -452,6 +452,7 @@ selections:
# UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
# UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
+ - dir_ownership_binary_dirs
# UBTU-20-010425 The Ubuntu operating system must have directories that contain system commands group-owned by root.
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 80eaae8..590c9fc 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -25,7 +25,7 @@
- name: Ensure owner on {{{ path }}} recursively
file:
- paths "{{{ path }}}"
+ path: "{{{ path }}}"
state: directory
recurse: yes
owner: "{{{ FILEUID }}}"