diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
new file mode 100644
index 00000000000..de85c892704
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Group root'
+
+description: |-
+ All audit configuration files must be owned by group root.
+
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can
+ select which events are audited, unauthorized personnel may be able
+ to prevent the auditing of critical events.
+ Misconfigured audits may degrade the system's performance by
+ overwhelming the audit log. Misconfigured audits may also make it more
+ difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+ disa: CCI-000171
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@ubuntu2004: UBTU-20-010135
+
+ocil: |-
+ {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
+ {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /etc/audit/
+ - /etc/audit/rules.d/
+ file_regex:
+ - ^audit(\.rules|d\.conf)$
+ - ^.*\.rules$
+ filegid: '0'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
new file mode 100644
index 00000000000..5235e0d05a3
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+touch $AUDITFILE
+chgrp root $TESTFILE
+chgrp root $AUDITFILE
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 00000000000..52378d810a5
--- /dev/null
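Review bot: The remediation quoted in the description (`chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*`) touches more files than the template block at the end of the hunk checks: `^audit(\.rules|d\.conf)$` matches only audit.rules and auditd.conf in /etc/audit/, and `^.*\.rules$` matches only *.rules in rules.d/, so any other `audit*.rules` file in /etc/audit/ or a non-.rules file in rules.d/ is fixed by the command but never flagged by the check. Either widen the regexes to what the command touches or narrow the command so check and fix agree. This rule also lacks the `prodtype: ubuntu2004` line that the other new UBTU-20 rules in this commit carry; if it is meant only for Ubuntu, add it after `documentation_complete: true`.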
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+groupadd group_test
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+touch $AUDITFILE
+chgrp group_test $TESTFILLE
+chgrp group_test $AUDITFILE
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
index 5e2cabafc34..927d08d03d4 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
@@ -1,8 +1,15 @@
+{{% if 'ubuntu' in product %}}
+{{% set gid = 'syslog' %}}
+{{% else %}}
+{{% set gid = 'root' %}}
+{{% endif %}}
+
+
 documentation_complete: true
 title: 'Verify Group Who Owns /var/log Directory'
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
 rationale: |-
 The /var/log directory contains files with logs of error
@@ -22,13 +29,16 @@ references:
 stigid@rhel8: RHEL-08-010260
 stigid@ubuntu2004: UBTU-20-010417
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
 ocil: |-
- {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
+ {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
 template:
 name: file_groupowner
 vars:
 filepath: /var/log/
 filegid: '0'
+ filegid@ubuntu1604: '110'
+ filegid@ubuntu1804: '110'
+ filegid@ubuntu2004: '110'
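Review bot: `groupadd group_test` on the third added line has no guard, so re-running this test on a machine where the group already exists prints an error; there is no `set -e`, so the script continues and the later `chgrp` still works, which hides the failure rather than handling it, and `groupadd -f group_test` would make the step idempotent. The same unguarded `groupadd group_test` is added to the `incorrect_groupownership.fail.sh` tests under file_groupownership_system_commands_dirs and root_permissions_syslibrary_files later in this commit. The variable is also spelled `TESTFILLE` here while the matching pass test uses `TESTFILE`; rename it and quote the expansions, e.g. `touch "$TESTFILE"` and `chgrp group_test "$TESTFILE"`.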
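Review bot: The new `filegid@ubuntu1604`, `filegid@ubuntu1804` and `filegid@ubuntu2004: '110'` entries pin the expected group to a fixed numeric GID, while the `gid` variable set in the first hunk names it `syslog`; on any Ubuntu host where the syslog group was allocated a different GID the check will fail even though the description and OCIL text say the directory is correctly owned. If the template accepts only numeric GIDs, add a comment next to these entries such as `# 110 is assumed to be the GID of the 'syslog' group on Ubuntu; verify against /etc/group on the target`, or extend the template to resolve a group name. Note that `gid` feeds only the description and OCIL strings and does not reach the template block.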
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml new file mode 100644 index 00000000000..f654279fe54 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +title: 'Verify Group Who Owns /var/log/syslog File' + +description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}' + +rationale: |- + The /var/log/syslog file contains logs of error messages in + the system and should only be accessed by authorized personnel. + +severity: medium + +references: + disa: CCI-001314 + srg: SRG-OS-000206-GPOS-00084 + stigid@ubuntu2004: UBTU-20-010420 + +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}' + +ocil: |- + {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}} + +template: + name: file_groupowner + vars: + filepath: /var/log/syslog + filegid: '4' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml new file mode 100644 index 00000000000..655b2cd1aef --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml @@ -0,0 +1,65 @@ +documentation_complete: true + +prodtype: ubuntu2004 + +title: 'Verify that system commands directories are group owned by root' + +description: |- + System commands files are stored in the following directories by default: +
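Review bot: This rule has no `prodtype`, unlike the other new rules in this commit (dir_groupownership_binary_dirs and file_groupownership_audit_binaries carry `prodtype: ubuntu2004`), yet a /var/log/syslog file group-owned by `adm` and the UBTU-20-010420 reference are Ubuntu-specific; without a prodtype the rule is built for every product whose profiles include it. Add `prodtype: ubuntu2004` after `documentation_complete: true`. `filegid: '4'` also hard-codes the numeric GID of `adm`; a comment such as `# 4 is assumed to be the GID of the 'adm' group on Ubuntu — verify` would record that assumption next to the value.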
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+    
+ All these directories should be owned by the root group. + If the directory is found to be owned by a group other than root correct + its ownership with the following command: +
$ sudo chgrp root DIR
+ +rationale: |- + If the operating system allows any user to make changes to software + libraries, then those changes might be implemented without undergoing the + appropriate testing and approvals that are part of a robust change management + process. + This requirement applies to operating systems with software libraries + that are accessible and configurable, as in the case of interpreted languages. + Software libraries also include privileged programs which execute with + escalated privileges. Only qualified and authorized individuals must be + allowed to obtain access to information system components for purposes + of initiating changes, including upgrades and modifications. + +severity: medium + +references: + disa: CCI-001495 + srg: SRG-OS-000258-GPOS-00099 + stigid@ubuntu2004: UBTU-20-010425 + +ocil_clause: 'any of these directories are not owned by root group' + +ocil: |- + System commands are stored in the following directories: +
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+ For each of these directories, run the following command to find files not + owned by root group: +
$ sudo find -L $DIR ! -group root -type d \;
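Review bot: The OCIL command `$ sudo find -L $DIR ! -group root -type d \;` ends with a stray `\;` that only belongs after an `-exec` clause; with no `-exec` present, find rejects `;` as an unexpected argument, so a reader pasting the command as written gets an error instead of a listing. Drop it: `$ sudo find -L $DIR ! -group root -type d`. The rationale is also copied from a library-files rule (it talks about "software libraries" and "interpreted languages") although this rule checks command directories; reword it to the directories it covers so the generated guide does not justify one control with another's text.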
+ +template: + name: file_groupowner + vars: + filepath: + - /bin/ + - /sbin/ + - /usr/bin/ + - /usr/sbin/ + - /usr/local/bin/ + - /usr/local/sbin/ + recursive: 'true' + filegid: '0' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml deleted file mode 100644 index 28df7839430..00000000000 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml +++ /dev/null @@ -1,23 +0,0 @@ -# platform = multi_platform_sle -# reboot = false -# strategy = restrict -# complexity = medium -# disruption = medium -- name: "Read list libraries without root ownership" - find: - paths: - - "/usr/lib" - - "/usr/lib64" - - "/lib" - - "/lib64" - file_type: "directory" - register: library_dirs_not_owned_by_root - -- name: "Set ownership of system library dirs to root" - file: - path: "{{ item.path }}" - owner: "root" - state: "directory" - mode: "{{ item.mode }}" - with_items: "{{ library_dirs_not_owned_by_root.files }}" - when: library_dirs_not_owned_by_root.matched > 0 diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml new file mode 100644 index 00000000000..f61a5f988dc --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml 
@@ -0,0 +1,77 @@ +documentation_complete: true + +prodtype: ubuntu2004 + +title: 'Verify that audit tools are owned by group root' + +description: |- + The {{{ full_name }}} operating system audit tools must have the proper + ownership configured to protected against unauthorized access. + + Verify it by running the following command: +
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    
+ + Audit tools needed to successfully view and manipulate audit information + system activity and records. Audit tools include custom queries and report + generators + +rationale: |- + Protecting audit information also includes identifying and protecting the + tools used to view and manipulate log data. Therefore, protecting audit + tools is necessary to prevent unauthorized operation on audit information. + + Operating systems providing tools to interface with audit information + will leverage user permissions and roles identifying the user accessing the + tools and the corresponding rights the user enjoys to make access decisions + regarding the access to audit tools. + +severity: medium + +references: + disa: CCI-001493,CCI-001494 + srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098 + stigid@ubuntu2004: UBTU-20-010201 + +ocil: |- + Verify it by running the following command: +
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    
+ + If the command does not return all the above lines, the missing ones + need to be added. + + Run the following command to correct the permissions of the missing + entries: +
$ sudo chown :root [audit_tool] 
+ + Replace "[audit_tool]" with each audit tool not group-owned by root. + +template: + name: file_groupowner + vars: + filepath: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/audispd + - /sbin/augenrules + filegid: '0' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh index bb7c72550e9..a9e8c7d8e25 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh index 7cf507ca5f4..33a0c85d35b 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh 
@@ -1,10 +1,12 @@
 #!/bin/bash
+groupadd group_test
+
 for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
 do
 if [[ ! -f $TESTFILE ]]
 then
 touch $TESTFILE
 fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
deleted file mode 100644
index 08019fd48bb..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# reboot = false
-# strategy = restrict
-# complexity = high
-# disruption = medium
-
-- name: "Read list libraries without root ownership"
- find:
- paths:
- - "/usr/lib"
- - "/usr/lib64"
- - "/lib"
- - "/lib64"
- file_type: "file"
- register: library_files_not_group_owned_by_root
-
-- name: "Set group ownership of system library files to root"
- file:
- path: "{{ item.path }}"
- group: "root"
- state: "file"
- mode: "{{ item.mode }}"
- with_items: "{{ library_files_not_group_owned_by_root.files }}"
- when:
- - library_files_not_group_owned_by_root.matched > 0
- - item.gid != 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
deleted file mode 100644
index 3a42beafb8a..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
+++ /dev/null
@@ -1,7 +0,0 @@ -# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora - -find /lib \ -/lib64 \ -/usr/lib \ -/usr/lib64 \ -\! -group root -type f -exec chgrp root '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml deleted file mode 100644 index f5ca9380b55..00000000000 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - {{{ oval_metadata(" - Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64 - are owned by root. - ") }}} - - - - - - - - - - - - ^\/lib(|64)?$|^\/usr\/lib(|64)?$ - ^.*$ - group_permissions_for_system_wide_files_are_not_root - - - - 0 - - diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml index 17923f52ea6..eaf04c8d36c 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15 +prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004 title: |- Verify the system-wide library files in directories @@ -46,6 +46,7 @@ references: stigid@rhel8: RHEL-08-010350 stigid@sle12: SLES-12-010875 stigid@sle15: SLES-15-010355 + stigid@ubuntu2004: UBTU-20-01430 ocil_clause: 'system wide library files are not group owned by root' 
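Review bot: The added `stigid@ubuntu2004: UBTU-20-01430` is one digit shorter than every other UBTU-20 identifier in this commit (UBTU-20-010135, UBTU-20-010417, UBTU-20-010420, UBTU-20-010425, UBTU-20-010201), which suggests a dropped digit. Verify it against the STIG before merging; a wrong ID silently breaks the rule-to-STIG mapping in generated profiles and reports without any build error.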
@@ -59,3 +60,14 @@ ocil: |- To find if system-wide library files stored in these directories are not group-owned by root run the following command for each directory DIR:
$ sudo find -L DIR ! -group root -type f 
+ +template: + name: file_groupowner + vars: + filepath: + - /lib/ + - /lib64/ + - /usr/lib/ + - /usr/lib64/ + file_regex: ^.*$ + filegid: '0' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh similarity index 86% rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh index a4ae2854db1..0e982c3b8ca 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh similarity index 70% rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh index c96f65b989c..23a7703f57d 100644 
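Review bot: The template block added here lists the four library directories with `file_regex: ^.*$` but sets no `recursive`, while the bash remediation this commit deletes (`find /lib /lib64 /usr/lib /usr/lib64 \! -group root -type f -exec chgrp root`) descended into subdirectories; unless the template defaults to recursive, files below the top level of these directories stop being checked and fixed. If that narrowing is intended, say so in the rule text; if not, add `recursive: 'true'` as dir_groupownership_binary_dirs does in the same commit. The OCIL text just above still tells the reader to run `find -L DIR ! -group root -type f` per directory, which is recursive, so the manual check and the automated one would otherwise disagree.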
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -1,10 +1,11 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+groupadd group_test
 for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
 do
 if [[ ! -f $TESTFILE ]]
 then
 touch $TESTFILE
 fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
 done
diff --git a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
index 938e6b30819..015ff98c99d 100644
--- a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
+++ b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
@@ -1,8 +1,20 @@
 #!/bin/bash
 #
-{{% if MISSING_FILE_PASS %}}
- rm -f {{{ FILEPATH }}}
-{{% else %}}
- true
-{{% endif %}}
+{{% for path in FILEPATH %}}
+ {{% if MISSING_FILE_PASS %}}
+ rm -f {{{ path }}}
+ {{% else %}}
+ {{% if IS_DIRECTORY and FILE_REGEX %}}
+ echo "Create specific tests for this rule because of regex"
+ {{% elif IS_DIRECTORY and RECURSIVE %}}
+ find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
+ {{% else %}}
+ if [ ! -f {{{ path }}} ]; then
+ mkdir -p "$(dirname '{{{ path }}}')"
+ touch {{{ path }}}
+ fi
+ chgrp {{{ FILEGID }}} {{{ path }}}
+ {{% endif %}}
+ {{% endif %}}
+{{% endfor %}}
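Review bot: In the `IS_DIRECTORY and FILE_REGEX` branch the generated test only echoes a message and exits 0, so for every directory-plus-regex rule (the new file_groupownership_audit_configuration is one) a `.pass.sh` is emitted that sets up nothing and passes whatever the group ownership of the real files happens to be; a silently green test is worse than no test. Either emit no script for that combination or make the branch exit non-zero so the gap is visible in the test run. The outer `else` branch also no longer matches the file's name: when `MISSING_FILE_PASS` is false it creates the file and runs `chgrp {{{ FILEGID }}} {{{ path }}}`, which is a correct-groupowner scenario rather than a missing-file one, and `rm -f {{{ path }}}` does not remove a directory, so the `MISSING_FILE_PASS` case only does what it says for file paths — a comment above the loop stating which FILEPATH shapes each branch is meant for would help the next template author. The `{{{ path }}}` expansions are unquoted; `"{{{ path }}}"` would be safer for the find and chgrp lines.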