From 1dcdad51a48c17dd5dbb7eb9bbb8cef23cf00e29 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 23 Aug 2021 10:26:39 +0200
Subject: [PATCH] Fix remaining audit rule files permissions.

---
 .../audit_rules_immutable/ansible/shared.yml | 1 +
 .../audit_rules_immutable/bash/shared.sh | 1 +
 shared/templates/audit_file_contents/ansible.template | 5 +++++
 shared/templates/audit_file_contents/bash.template | 2 ++
 4 files changed, 9 insertions(+)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 1cafb744cc3..736d4c333e4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -22,6 +22,7 @@
 path: "{{ item }}"
 create: True
 line: "-e 2"
+ mode: o-rwx
 loop:
 - "/etc/audit/audit.rules"
 - "/etc/audit/rules.d/immutable.rules"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
index 29cd4a5de6f..36e0691493f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
@@ -20,4 +20,5 @@ do
 echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
 echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
 echo '-e 2' >> $AUDIT_FILE
+ chmod o-rwx $AUDIT_FILE
 done
diff --git a/shared/templates/audit_file_contents/ansible.template b/shared/templates/audit_file_contents/ansible.template
index c2852745451..a262386cfbf 100644
--- a/shared/templates/audit_file_contents/ansible.template
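Review bot: `mode: o-rwx` on the lineinfile task is a relative symbolic mode, so the resulting permissions depend on whatever bits the file already has (or, with `create: True`, the bits it is created with); group read/write is left exactly as found. If the control behind this remediation mandates a specific mode, an absolute octal value, quoted so YAML keeps the leading zero, such as `mode: '<REQUIRED_MODE>'`, makes the outcome deterministic and idempotent. The same relative-mode choice appears in the bash/shared.sh hunk (`chmod o-rwx $AUDIT_FILE`) and in both audit_file_contents template hunks, so whatever is decided here should be applied to all four. The enclosing task starts above this hunk.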
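Review bot: The new `chmod o-rwx $AUDIT_FILE` runs only after the three `echo ... >> $AUDIT_FILE` lines, so a file that does not yet exist is first created with umask-default permissions and then tightened; the brief window in which the rules file may be world-readable can be avoided by creating it first, e.g. `touch $AUDIT_FILE; chmod o-rwx $AUDIT_FILE` ahead of the echo lines, or by setting a restrictive umask before the loop. `$AUDIT_FILE` is unquoted on the added line, which matches the existing echo lines; `"$AUDIT_FILE"` would be safer should the loop variable ever carry whitespace, though the candidate paths are presumably fixed. The loop head sits above this hunk (only `do` is visible).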
+++ b/shared/templates/audit_file_contents/ansible.template
@@ -9,3 +9,8 @@
 contents=CONTENTS,
 ) }}}
+
+- name: Remove any permissions from other group
+ file:
+ path: {{{ FILEPATH }}}
+ mode: o-rwx
diff --git a/shared/templates/audit_file_contents/bash.template b/shared/templates/audit_file_contents/bash.template
index f264be6f14d..d6277167892 100644
--- a/shared/templates/audit_file_contents/bash.template
+++ b/shared/templates/audit_file_contents/bash.template
@@ -11,4 +11,6 @@
 ) }}}
+chmod o-rwx {{{ FILEPATH }}}
+
 augenrules --load
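Review bot: The added `file` task sets no `state`, so it relies on the module default (`state: file`), which fails rather than creates when `{{{ FILEPATH }}}` is missing; that is fine only because the macro rendered just above is expected to have created the file, and a one-line comment recording that dependency, e.g. `# FILEPATH is created by the macro above; this task only tightens its mode`, would keep the ordering from being broken later. The task name `Remove any permissions from other group` is misleading, since `o` is "others" rather than a group; `- name: Remove all permissions for others from {{{ FILEPATH }}}` reads correctly. Quoting the path (`path: "{{{ FILEPATH }}}"`) would also protect the rendered YAML if a path ever contains a character YAML treats specially.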
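Review bot: `chmod o-rwx {{{ FILEPATH }}}` is placed before `augenrules --load`, which is the right order for the rules.d file, but `augenrules --load` regenerates the merged `/etc/audit/audit.rules` from the rules.d directory and this hunk does not set that file's mode; whether the generated file ends up with restrictive permissions on its own or needs a chmod of its own is worth confirming against the immutable-rule remediation in this same patch, which does touch `/etc/audit/audit.rules`. The rendered path is unquoted; `chmod o-rwx "{{{ FILEPATH }}}"` costs nothing and keeps the template safe for paths with unusual characters.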