From ad2267a48db738fe69bed6cc009d8be7bbc61c87 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Thu, 17 Jun 2021 17:46:26 +0200 Subject: [PATCH] Add /var/log/audit individual ownership rules. --- .../bash/shared.sh | 12 +++++ .../oval/shared.xml | 44 +++++++++++++++++++ .../rule.yml | 39 ++++++++++++++++ .../tests/correct_value.pass.sh | 5 +++ .../correct_value_non-root_group.pass.sh | 8 ++++ .../tests/wrong_value.fail.sh | 6 +++ .../bash/shared.sh | 3 ++ .../oval/shared.xml | 24 ++++++++++ .../rule.yml | 37 ++++++++++++++++ .../tests/correct_value.pass.sh | 3 ++ .../tests/wrong_value.fail.sh | 4 ++ .../bash/shared.sh | 12 +++++ .../oval/shared.xml | 44 +++++++++++++++++++ .../rule.yml | 39 ++++++++++++++++ .../tests/correct_value.pass.sh | 5 +++ .../correct_value_non-root_group.pass.sh | 8 ++++ .../tests/wrong_value.fail.sh | 7 +++ .../bash/shared.sh | 3 ++ .../oval/shared.xml | 24 ++++++++++ .../rule.yml | 36 +++++++++++++++ .../tests/correct_value.pass.sh | 3 ++ .../tests/wrong_value.fail.sh | 5 +++ products/rhel8/profiles/stig.profile | 15 +++++-- .../oval/auditd_conf_log_group_not_root.xml | 20 ++++++++- shared/references/cce-redhat-avail.txt | 4 -- .../data/profile_stability/rhel8/stig.profile | 5 ++- .../profile_stability/rhel8/stig_gui.profile | 5 ++- 27 files changed, 409 insertions(+), 11 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh new file mode 100644 index 00000000000..685aa0cf3f2 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh @@ -0,0 +1,12 @@ +# platform = multi_platform_all + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + if ! [ "${GROUP}" == 'root' ] ; then + chgrp ${GROUP} /var/log/audit + else + chgrp root /var/log/audit + fi +else + chgrp root /var/log/audit +fi diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml new file mode 100644 index 00000000000..4d6eee02a30 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml @@ -0,0 +1,44 @@ + + + {{{ oval_metadata("Checks that all /var/log/audit directories are group owned by the root user.") }}} + + + + + + + + + + + + + + + + /var/log/audit + + state_group_owner_not_root_var_log_audit_directories + + + + 0 + + + + + + + + + /var/log/audit + + state_group_owner_not_root_var_log_audit_directories-non_root + + + + 0 + + + 
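Review bot: In the directory_group_ownership_var_log_audit remediation, the `GROUP=$(awk -F "=" '/log_group/ ...)` line is not anchored, so a commented-out `#log_group = adm` line or any other line containing the substring is captured too, and with two matches `tr -d ' '` leaves a newline-joined value that the unquoted `chgrp ${GROUP}` then word-splits into two arguments. The `grep ^log_group` guard also rejects an indented key, while the pattern this same patch adds to shared/checks/oval/auditd_conf_log_group_not_root.xml (`^[ ]*log_group[ ]+=`) accepts one, so check and remediation can disagree on the same file. Both branches of the inner `if` run the same command when GROUP is root, so the block reduces to `GROUP=$(awk -F '=' '/^[[:space:]]*log_group[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' /etc/audit/auditd.conf)` followed by `chgrp "${GROUP:-root}" /var/log/audit`, which also handles an empty value. The file_group_ownership_var_log_audit/bash/shared.sh hunk has the same construction and needs the same change.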
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml new file mode 100644 index 00000000000..3915300c106 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'System Audit Directories Must Be Group Owned By Root' + +description: |- + All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}} + If log_group in /etc/audit/auditd.conf is set to a group other than the root + group account, change the group ownership of the audit directories to this specific group. + +rationale: |- + Unauthorized disclosure of audit records can reveal system and configuration data to + attackers, thus compromising its confidentiality. + +severity: medium + +identifiers: + cce@rhel8: CCE-88225-8 + +references: + cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + cjis: 5.4.1.1 + cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 + cui: 3.3.1 + disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + nist: CM-6(a),AC-6(1),AU-9(4) + nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.5.1 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@rhel8: RHEL-08-030110 + +ocil: |- + {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh new file mode 100644 index 00000000000..4e68a450c3d --- /dev/null 
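Review bot: The `ocil` section only emits `describe_file_group_owner(file="/var/log/audit", group="root")`, while the description above states that a non-root `log_group` from /etc/audit/auditd.conf is acceptable, so the manual check contradicts the automated one on a system that is compliant through a non-root group. The ocil text should carry the same qualifier, for example adding after the macro: `If log_group in /etc/audit/auditd.conf is set to a group other than root, verify the directory is group owned by that group instead.` The same gap exists in file_group_ownership_var_log_audit/rule.yml. Separately, `group owned by root user` in the description should read `group owned by the root group`.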
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = root" >> /etc/audit/auditd.conf +chgrp root /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh new file mode 100644 index 00000000000..89995b11954 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +groupadd group_test + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = group_test" >> /etc/audit/auditd.conf + +chgrp group_test /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh new file mode 100644 index 00000000000..13d22ca8361 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = root" >> /etc/audit/auditd.conf +groupadd group_test +chgrp group_test /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh new file mode 100644 index 00000000000..de63152c410 --- /dev/null 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_all + +chown root /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml new file mode 100644 index 00000000000..fad17abe39a --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml @@ -0,0 +1,24 @@ + + + {{{ oval_metadata("Checks that all /var/log/audit directories are owned by the root user.") }}} + + + + + + + + + + + + /var/log/audit + + state_owner_not_root_var_log_audit_directories + + + + 0 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml new file mode 100644 index 00000000000..cd6c45e249b --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml @@ -0,0 +1,37 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'System Audit Directories Must Be Owned By Root' + +description: |- + All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. + {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} + +rationale: |- + Unauthorized disclosure of audit records can reveal system and configuration data to + attackers, thus compromising its confidentiality. + +severity: medium + +identifiers: + cce@rhel8: CCE-88226-6 + +references: + cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + cjis: 5.4.1.1 + cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 + cui: 3.3.1 + disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + nist: CM-6(a),AC-6(1),AU-9(4) + nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.5.1 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@rhel8: RHEL-08-030100 + +ocil: |- + {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh new file mode 100644 index 00000000000..fa70fdc9494 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +chown root /var/log/audit 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh new file mode 100644 index 00000000000..f65a1e67241 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +useradd testuser_123 +chown testuser_123 /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh new file mode 100644 index 00000000000..3f53de5ba26 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh @@ -0,0 +1,12 @@ +# platform = multi_platform_all + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + if ! [ "${GROUP}" == 'root' ] ; then + chgrp ${GROUP} /var/log/audit/audit.log* + else + chgrp root /var/log/audit/audit.log* + fi +else + chgrp root /var/log/audit/audit.log* +fi diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml new file mode 100644 index 00000000000..af5414a6c9c --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml 
@@ -0,0 +1,44 @@ + + + {{{ oval_metadata("Checks that all /var/log/audit files are group owned by the root user.") }}} + + + + + + + + + + + + + + + + /var/log/audit + ^.*$ + state_group_owner_not_root_var_log_audit + + + + 0 + + + + + + + + + /var/log/audit + ^.*$ + state_group_owner_not_root_var_log_audit-non_root + + + + 0 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml new file mode 100644 index 00000000000..767c8c89bf7 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'System Audit Logs Must Be Group Owned By Root' + +description: |- + All audit logs must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}} + If log_group in /etc/audit/auditd.conf is set to a group other than the root + group account, change the group ownership of the audit logs to this specific group. + +rationale: |- + Unauthorized disclosure of audit records can reveal system and configuration data to + attackers, thus compromising its confidentiality. + +severity: medium + +identifiers: + cce@rhel8: CCE-88227-4 + +references: + cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + cjis: 5.4.1.1 + cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 + cui: 3.3.1 + disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + nist: CM-6(a),AC-6(1),AU-9(4) + nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.5.1 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@rhel8: RHEL-08-030090 + +ocil: |- + {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh new file mode 100644 index 00000000000..e4e69bff538 --- /dev/null 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = root" >> /etc/audit/auditd.conf +chgrp root /var/log/audit/audit.log* diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh new file mode 100644 index 00000000000..89995b11954 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +groupadd group_test + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = group_test" >> /etc/audit/auditd.conf + +chgrp group_test /var/log/audit diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh new file mode 100644 index 00000000000..37c0f070ae1 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf +echo "log_group = root" >> /etc/audit/auditd.conf +touch /var/log/audit/audit.log.1 +groupadd group_test +chgrp group_test /var/log/audit/audit.log.1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh new file mode 100644 index 00000000000..ee2364a4a69 --- /dev/null 
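Review bot: This correct_value_non-root_group.pass.sh runs `chgrp group_test /var/log/audit`, which changes the group of the directory rather than of the log files that file_group_ownership_var_log_audit checks; its blob index `89995b11954` is identical to the directory rule's test of the same name, which suggests a copy that was not adapted. The scenario should create a log file and set its group, as wrong_value.fail.sh beside it does: `touch /var/log/audit/audit.log.1` and `chgrp group_test /var/log/audit/audit.log*`. Whether the check currently passes with the directory's group left at root depends on the OVAL, whose elements are not legible in this rendering.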
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_all + +chown root /var/log/audit/audit.log* diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml new file mode 100644 index 00000000000..c20353b5926 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml @@ -0,0 +1,24 @@ + + + {{{ oval_metadata("Checks that all /var/log/audit files are owned by the root user.") }}} + + + + + + + + + + + + /var/log/audit + ^.*$ + state_group_user_owner_not_root_var_log_audit + + + + 0 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml new file mode 100644 index 00000000000..7f895759486 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'System Audit Logs Must Be Owned By Root' + +description: |- + All audit logs must be owned by root user. By default, the path for audit log is
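Review bot: `chown root /var/log/audit/audit.log*` covers only files whose name starts with audit.log, whereas the OVAL added alongside appears to select every file under /var/log/audit (`^.*$`), so a file with another name is flagged by the check and left untouched by this remediation; when no audit.log* file exists yet, the unmatched glob is also passed literally and chown fails. If the rule is meant to cover all files in the directory, `find /var/log/audit -type f -exec chown root {} +` closes both gaps. The file_group_ownership_var_log_audit/bash/shared.sh hunk has the same `audit.log*` restriction.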
/var/log/audit/
. + {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} + +rationale: |- + Unauthorized disclosure of audit records can reveal system and configuration data to + attackers, thus compromising its confidentiality. + +severity: medium + +identifiers: + cce@rhel8: CCE-88228-2 + +references: + cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + cjis: 5.4.1.1 + cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 + cui: 3.3.1 + disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + nist: CM-6(a),AC-6(1),AU-9(4) + nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.5.1 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@rhel8: RHEL-08-030080 + +ocil: |- + {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh new file mode 100644 index 00000000000..eed3164eb31 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +chown root /var/log/audit/audit.log* 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh new file mode 100644 index 00000000000..32a678562cf --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +touch /var/log/audit/audit.log.1 +useradd testuser_123 +chown testuser_123 /var/log/audit/audit.log.1 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 7270a8f91f2..7d2d386604e 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -625,10 +625,17 @@ selections: # RHEL-08-030070 - file_permissions_var_log_audit - # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110 - ### NOTE: These might get broken up, but currently the following - ### rule accounts for these STIG ID's - - file_ownership_var_log_audit + # RHEL-08-030080 + - file_ownership_var_log_audit_stig + + # RHEL-08-030090 + - file_group_ownership_var_log_audit + + # RHEL-08-030100 + - directory_ownership_var_log_audit + + # RHEL-08-030110 + - directory_group_ownership_var_log_audit # RHEL-08-030120 - directory_permissions_var_log_audit diff --git a/shared/checks/oval/auditd_conf_log_group_not_root.xml b/shared/checks/oval/auditd_conf_log_group_not_root.xml index 93e47d119ef..2871052796e 100644 --- a/shared/checks/oval/auditd_conf_log_group_not_root.xml +++ b/shared/checks/oval/auditd_conf_log_group_not_root.xml @@ -8,9 +8,11 @@ Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf. - + + @@ -26,4 +28,20 @@ 1 + + + + + + + /etc/audit/auditd.conf + ^[ ]*log_group[ ]+=.*$ + 1 + + diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 665f903ead4..b77e9abeb0b 100644 
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2355,10 +2355,6 @@ CCE-88221-7
 CCE-88222-5
 CCE-88223-3
 CCE-88224-1
-CCE-88225-8
-CCE-88226-6
-CCE-88227-4
-CCE-88228-2
 CCE-88229-0
 CCE-88230-8
 CCE-88231-6
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7d59cfff625..6c97a5a8ca3 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -103,6 +103,8 @@ selections:
 - dir_group_ownership_library_dirs
 - dir_perms_world_writable_root_owned
 - dir_perms_world_writable_sticky_bits
+- directory_group_ownership_var_log_audit
+- directory_ownership_var_log_audit
 - directory_permissions_var_log_audit
 - disable_ctrlaltdel_burstaction
 - disable_ctrlaltdel_reboot
@@ -113,6 +115,7 @@ selections:
 - encrypt_partitions
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_local_packages
+- file_group_ownership_var_log_audit
 - file_groupowner_var_log
 - file_groupowner_var_log_messages
 - file_groupownership_home_directories
@@ -121,7 +124,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_ownership_var_log_audit
+- file_ownership_var_log_audit_stig
 - file_permission_user_init_files
 - file_permissions_binary_dirs
 - file_permissions_etc_audit_auditd
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2c2daad6f6d..d026a40a02b 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -114,6 +114,8 @@ selections:
 - dir_group_ownership_library_dirs
 - dir_perms_world_writable_root_owned
 - dir_perms_world_writable_sticky_bits
+- directory_group_ownership_var_log_audit
+- directory_ownership_var_log_audit
 - directory_permissions_var_log_audit
 - disable_ctrlaltdel_burstaction
 - disable_ctrlaltdel_reboot
@@ -124,6 +126,7 @@ selections:
 - encrypt_partitions
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_local_packages
+- file_group_ownership_var_log_audit
 - file_groupowner_var_log
 - file_groupowner_var_log_messages
 - file_groupownership_home_directories
@@ -132,7 +135,7 @@ selections:
 - file_owner_var_log_messages
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
-- file_ownership_var_log_audit
+- file_ownership_var_log_audit_stig
 - file_permission_user_init_files
 - file_permissions_binary_dirs
 - file_permissions_etc_audit_auditd