|
|
76240a |
From ad2267a48db738fe69bed6cc009d8be7bbc61c87 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
76240a |
Date: Thu, 17 Jun 2021 17:46:26 +0200
|
|
|
76240a |
Subject: [PATCH] Add /var/log/audit individual ownership rules.
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../bash/shared.sh | 12 +++++
|
|
|
76240a |
.../oval/shared.xml | 44 +++++++++++++++++++
|
|
|
76240a |
.../rule.yml | 39 ++++++++++++++++
|
|
|
76240a |
.../tests/correct_value.pass.sh | 5 +++
|
|
|
76240a |
.../correct_value_non-root_group.pass.sh | 8 ++++
|
|
|
76240a |
.../tests/wrong_value.fail.sh | 6 +++
|
|
|
76240a |
.../bash/shared.sh | 3 ++
|
|
|
76240a |
.../oval/shared.xml | 24 ++++++++++
|
|
|
76240a |
.../rule.yml | 37 ++++++++++++++++
|
|
|
76240a |
.../tests/correct_value.pass.sh | 3 ++
|
|
|
76240a |
.../tests/wrong_value.fail.sh | 4 ++
|
|
|
76240a |
.../bash/shared.sh | 12 +++++
|
|
|
76240a |
.../oval/shared.xml | 44 +++++++++++++++++++
|
|
|
76240a |
.../rule.yml | 39 ++++++++++++++++
|
|
|
76240a |
.../tests/correct_value.pass.sh | 5 +++
|
|
|
76240a |
.../correct_value_non-root_group.pass.sh | 8 ++++
|
|
|
76240a |
.../tests/wrong_value.fail.sh | 7 +++
|
|
|
76240a |
.../bash/shared.sh | 3 ++
|
|
|
76240a |
.../oval/shared.xml | 24 ++++++++++
|
|
|
76240a |
.../rule.yml | 36 +++++++++++++++
|
|
|
76240a |
.../tests/correct_value.pass.sh | 3 ++
|
|
|
76240a |
.../tests/wrong_value.fail.sh | 5 +++
|
|
|
76240a |
products/rhel8/profiles/stig.profile | 15 +++++--
|
|
|
76240a |
.../oval/auditd_conf_log_group_not_root.xml | 20 ++++++++-
|
|
|
76240a |
shared/references/cce-redhat-avail.txt | 4 --
|
|
|
76240a |
.../data/profile_stability/rhel8/stig.profile | 5 ++-
|
|
|
76240a |
.../profile_stability/rhel8/stig_gui.profile | 5 ++-
|
|
|
76240a |
27 files changed, 409 insertions(+), 11 deletions(-)
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh
|
|
|
76240a |
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..685aa0cf3f2
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,12 @@
|
|
|
76240a |
+# platform = multi_platform_all
|
|
|
76240a |
+
|
|
|
76240a |
+if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
|
|
|
76240a |
+ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
|
|
|
76240a |
+ if ! [ "${GROUP}" == 'root' ] ; then
|
|
|
76240a |
+ chgrp ${GROUP} /var/log/audit
|
|
|
76240a |
+ else
|
|
|
76240a |
+ chgrp root /var/log/audit
|
|
|
76240a |
+ fi
|
|
|
76240a |
+else
|
|
|
76240a |
+ chgrp root /var/log/audit
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..4d6eee02a30
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,44 @@
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="directory_group_ownership_var_log_audit" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Checks that all /var/log/audit directories are group owned by the root user.") }}}
|
|
|
76240a |
+ <criteria operator="OR">
|
|
|
76240a |
+ <criterion test_ref="test_group_ownership_var_log_audit_directories" />
|
|
|
76240a |
+ <criteria operator="AND" comment="log_group in auditd.conf is not root">
|
|
|
76240a |
+
|
|
|
76240a |
+ definition_ref="auditd_conf_log_group_not_root" />
|
|
|
76240a |
+ <criterion test_ref="test_group_ownership_var_log_audit_directories-non_root" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit directories uid root gid root" id="test_group_ownership_var_log_audit_directories" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_var_log_audit_directories" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit directories" id="object_group_ownership_var_log_audit_directories" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename xsi:nil="true" />
|
|
|
76240a |
+ <filter action="include">state_group_owner_not_root_var_log_audit_directories</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_group_owner_not_root_var_log_audit_directories" version="1" operator="OR">
|
|
|
76240a |
+ <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit directories uid root gid root" id="test_group_ownership_var_log_audit_directories-non_root" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_var_log_audit_directories-non_root" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit directories" id="object_group_ownership_var_log_audit_directories-non_root" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename xsi:nil="true" />
|
|
|
76240a |
+ <filter action="include">state_group_owner_not_root_var_log_audit_directories-non_root</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_group_owner_not_root_var_log_audit_directories-non_root" version="1" operator="OR">
|
|
|
76240a |
+ <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..3915300c106
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
@@ -0,0 +1,39 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'System Audit Directories Must Be Group Owned By Root'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ All audit directories must be group owned by root user. By default, the path for audit log is /var/log/audit/ .
|
|
|
76240a |
+ {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}}
|
|
|
76240a |
+ If <tt>log_group</tt> in <tt>/etc/audit/auditd.conf</tt> is set to a group other than the <tt>root</tt>
|
|
|
76240a |
+ group account, change the group ownership of the audit directories to this specific group.
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Unauthorized disclosure of audit records can reveal system and configuration data to
|
|
|
76240a |
+ attackers, thus compromising its confidentiality.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-88225-8
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
|
|
|
76240a |
+ cjis: 5.4.1.1
|
|
|
76240a |
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
|
|
|
76240a |
+ cui: 3.3.1
|
|
|
76240a |
+ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
|
|
|
76240a |
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
76240a |
+ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
|
|
|
76240a |
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
76240a |
+ nist: CM-6(a),AC-6(1),AU-9(4)
|
|
|
76240a |
+ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
|
|
|
76240a |
+ pcidss: Req-10.5.1
|
|
|
76240a |
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-030110
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}}
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..4e68a450c3d
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
@@ -0,0 +1,5 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = root" >> /etc/audit/auditd.conf
|
|
|
76240a |
+chgrp root /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..89995b11954
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
@@ -0,0 +1,8 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+groupadd group_test
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = group_test" >> /etc/audit/auditd.conf
|
|
|
76240a |
+
|
|
|
76240a |
+chgrp group_test /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..13d22ca8361
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
@@ -0,0 +1,6 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = root" >> /etc/audit/auditd.conf
|
|
|
76240a |
+groupadd group_test
|
|
|
76240a |
+chgrp group_test /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..de63152c410
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+# platform = multi_platform_all
|
|
|
76240a |
+
|
|
|
76240a |
+chown root /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..fad17abe39a
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,24 @@
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="directory_ownership_var_log_audit" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Checks that all /var/log/audit directories are owned by the root user.") }}}
|
|
|
76240a |
+ <criteria comment="directories are root owned">
|
|
|
76240a |
+ <criterion test_ref="test_user_ownership_var_log_audit_directories" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit directories uid root gid root" id="test_user_ownership_var_log_audit_directories" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_user_ownership_var_log_audit_directories" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit directories" id="object_user_ownership_var_log_audit_directories" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename xsi:nil="true" />
|
|
|
76240a |
+ <filter action="include">state_owner_not_root_var_log_audit_directories</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_owner_not_root_var_log_audit_directories" version="1" operator="OR">
|
|
|
76240a |
+ <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..cd6c45e249b
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
|
|
|
76240a |
@@ -0,0 +1,37 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'System Audit Directories Must Be Owned By Root'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ All audit directories must be owned by root user. By default, the path for audit log is /var/log/audit/ .
|
|
|
76240a |
+ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Unauthorized disclosure of audit records can reveal system and configuration data to
|
|
|
76240a |
+ attackers, thus compromising its confidentiality.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-88226-6
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
|
|
|
76240a |
+ cjis: 5.4.1.1
|
|
|
76240a |
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
|
|
|
76240a |
+ cui: 3.3.1
|
|
|
76240a |
+ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
|
|
|
76240a |
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
76240a |
+ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
|
|
|
76240a |
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
76240a |
+ nist: CM-6(a),AC-6(1),AU-9(4)
|
|
|
76240a |
+ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
|
|
|
76240a |
+ pcidss: Req-10.5.1
|
|
|
76240a |
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-030100
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..fa70fdc9494
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+chown root /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..f65a1e67241
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
@@ -0,0 +1,4 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+useradd testuser_123
|
|
|
76240a |
+chown testuser_123 /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..3f53de5ba26
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,12 @@
|
|
|
76240a |
+# platform = multi_platform_all
|
|
|
76240a |
+
|
|
|
76240a |
+if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
|
|
|
76240a |
+ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
|
|
|
76240a |
+ if ! [ "${GROUP}" == 'root' ] ; then
|
|
|
76240a |
+ chgrp ${GROUP} /var/log/audit/audit.log*
|
|
|
76240a |
+ else
|
|
|
76240a |
+ chgrp root /var/log/audit/audit.log*
|
|
|
76240a |
+ fi
|
|
|
76240a |
+else
|
|
|
76240a |
+ chgrp root /var/log/audit/audit.log*
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..af5414a6c9c
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,44 @@
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="file_group_ownership_var_log_audit" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Checks that all /var/log/audit files are group owned by the root user.") }}}
|
|
|
76240a |
+ <criteria operator="OR">
|
|
|
76240a |
+ <criterion comment="files are root group owned" test_ref="test_group_ownership_var_log_audit_files"/>
|
|
|
76240a |
+ <criteria operator="AND" comment="log_group in auditd.conf is not root">
|
|
|
76240a |
+
|
|
|
76240a |
+ definition_ref="auditd_conf_log_group_not_root" />
|
|
|
76240a |
+ <criterion test_ref="test_group_ownership_var_log_audit_files-non_root" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit files gid root" id="test_group_ownership_var_log_audit_files" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_var_log_audit_files" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit files" id="object_group_ownership_var_log_audit_files" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
76240a |
+ <filter action="include">state_group_owner_not_root_var_log_audit</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_group_owner_not_root_var_log_audit" version="1" operator="OR">
|
|
|
76240a |
+ <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit files uid root " id="test_group_ownership_var_log_audit_files-non_root" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_var_log_audit_files-non_root" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit files" id="object_group_ownership_var_log_audit_files-non_root" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
76240a |
+ <filter action="include">state_group_owner_not_root_var_log_audit-non_root</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_group_owner_not_root_var_log_audit-non_root" version="1" operator="OR">
|
|
|
76240a |
+ <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..767c8c89bf7
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
|
|
|
76240a |
@@ -0,0 +1,39 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'System Audit Logs Must Be Group Owned By Root'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ All audit logs must be group owned by root user. By default, the path for audit log is /var/log/audit/ .
|
|
|
76240a |
+ {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}}
|
|
|
76240a |
+ If <tt>log_group</tt> in <tt>/etc/audit/auditd.conf</tt> is set to a group other than the <tt>root</tt>
|
|
|
76240a |
+ group account, change the group ownership of the audit logs to this specific group.
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Unauthorized disclosure of audit records can reveal system and configuration data to
|
|
|
76240a |
+ attackers, thus compromising its confidentiality.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-88227-4
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
|
|
|
76240a |
+ cjis: 5.4.1.1
|
|
|
76240a |
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
|
|
|
76240a |
+ cui: 3.3.1
|
|
|
76240a |
+ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
|
|
|
76240a |
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
76240a |
+ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
|
|
|
76240a |
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
76240a |
+ nist: CM-6(a),AC-6(1),AU-9(4)
|
|
|
76240a |
+ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
|
|
|
76240a |
+ pcidss: Req-10.5.1
|
|
|
76240a |
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-030090
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}}
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..e4e69bff538
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
|
|
|
76240a |
@@ -0,0 +1,5 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = root" >> /etc/audit/auditd.conf
|
|
|
76240a |
+chgrp root /var/log/audit/audit.log*
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..89995b11954
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
|
|
|
76240a |
@@ -0,0 +1,8 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+groupadd group_test
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = group_test" >> /etc/audit/auditd.conf
|
|
|
76240a |
+
|
|
|
76240a |
+chgrp group_test /var/log/audit
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..37c0f070ae1
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
|
|
|
76240a |
@@ -0,0 +1,7 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
|
|
|
76240a |
+echo "log_group = root" >> /etc/audit/auditd.conf
|
|
|
76240a |
+touch /var/log/audit/audit.log.1
|
|
|
76240a |
+groupadd group_test
|
|
|
76240a |
+chgrp group_test /var/log/audit/audit.log.1
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..ee2364a4a69
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+# platform = multi_platform_all
|
|
|
76240a |
+
|
|
|
76240a |
+chown root /var/log/audit/audit.log*
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..c20353b5926
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,24 @@
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="file_ownership_var_log_audit_stig" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Checks that all /var/log/audit files are owned by the root user.") }}}
|
|
|
76240a |
+ <criteria comment="files are root owned">
|
|
|
76240a |
+ <criterion test_ref="test_user_ownership_var_log_audit_files" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit files uid root" id="test_user_ownership_var_log_audit_files" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_user_ownership_var_log_audit_files" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="/var/log/audit files" id="object_user_ownership_var_log_audit_files" version="1">
|
|
|
76240a |
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" />
|
|
|
76240a |
+ <unix:path operation="equals">/var/log/audit</unix:path>
|
|
|
76240a |
+ <unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
76240a |
+ <filter action="include">state_group_user_owner_not_root_var_log_audit</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="state_group_user_owner_not_root_var_log_audit" version="1" operator="OR">
|
|
|
76240a |
+ <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..7f895759486
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
|
|
|
76240a |
@@ -0,0 +1,36 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'System Audit Logs Must Be Owned By Root'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ All audit logs must be owned by root user. By default, the path for audit log is /var/log/audit/ .
|
|
|
76240a |
+ {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Unauthorized disclosure of audit records can reveal system and configuration data to
|
|
|
76240a |
+ attackers, thus compromising its confidentiality.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-88228-2
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
|
|
|
76240a |
+ cjis: 5.4.1.1
|
|
|
76240a |
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
|
|
|
76240a |
+ cui: 3.3.1
|
|
|
76240a |
+ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
|
|
|
76240a |
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
76240a |
+ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
|
|
|
76240a |
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
76240a |
+ nist: CM-6(a),AC-6(1),AU-9(4)
|
|
|
76240a |
+ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
|
|
|
76240a |
+ pcidss: Req-10.5.1
|
|
|
76240a |
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-030080
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}}
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..eed3164eb31
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+chown root /var/log/audit/audit.log*
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..32a678562cf
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh
|
|
|
76240a |
@@ -0,0 +1,5 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+touch /var/log/audit/audit.log.1
|
|
|
76240a |
+useradd testuser_123
|
|
|
76240a |
+chown testuser_123 /var/log/audit/audit.log.1
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index 7270a8f91f2..7d2d386604e 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -625,10 +625,17 @@ selections:
|
|
|
76240a |
# RHEL-08-030070
|
|
|
76240a |
- file_permissions_var_log_audit
|
|
|
76240a |
|
|
|
76240a |
- # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110
|
|
|
76240a |
- ### NOTE: These might get broken up, but currently the following
|
|
|
76240a |
- ### rule accounts for these STIG ID's
|
|
|
76240a |
- - file_ownership_var_log_audit
|
|
|
76240a |
+ # RHEL-08-030080
|
|
|
76240a |
+ - file_ownership_var_log_audit_stig
|
|
|
76240a |
+
|
|
|
76240a |
+ # RHEL-08-030090
|
|
|
76240a |
+ - file_group_ownership_var_log_audit
|
|
|
76240a |
+
|
|
|
76240a |
+ # RHEL-08-030100
|
|
|
76240a |
+ - directory_ownership_var_log_audit
|
|
|
76240a |
+
|
|
|
76240a |
+ # RHEL-08-030110
|
|
|
76240a |
+ - directory_group_ownership_var_log_audit
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-030120
|
|
|
76240a |
- directory_permissions_var_log_audit
|
|
|
76240a |
diff --git a/shared/checks/oval/auditd_conf_log_group_not_root.xml b/shared/checks/oval/auditd_conf_log_group_not_root.xml
|
|
|
76240a |
index 93e47d119ef..2871052796e 100644
|
|
|
76240a |
--- a/shared/checks/oval/auditd_conf_log_group_not_root.xml
|
|
|
76240a |
+++ b/shared/checks/oval/auditd_conf_log_group_not_root.xml
|
|
|
76240a |
@@ -8,9 +8,11 @@
|
|
|
76240a |
<description>Verify 'log_group' is not set to 'root' in
|
|
|
76240a |
/etc/audit/auditd.conf.</description>
|
|
|
76240a |
</metadata>
|
|
|
76240a |
- <criteria>
|
|
|
76240a |
+ <criteria operator="AND">
|
|
|
76240a |
|
|
|
76240a |
comment="Verify 'log_group' not set to 'root' in /etc/audit/auditd.conf" />
|
|
|
76240a |
+
|
|
|
76240a |
+ comment="Verify 'log_group' is set in /etc/audit/auditd.conf" />
|
|
|
76240a |
</criteria>
|
|
|
76240a |
</definition>
|
|
|
76240a |
|
|
|
76240a |
@@ -26,4 +28,20 @@
|
|
|
76240a |
<ind:instance datatype="int">1</ind:instance>
|
|
|
76240a |
</ind:textfilecontent54_object>
|
|
|
76240a |
|
|
|
76240a |
+
|
|
|
76240a |
+ By default, log_group is set to root, so we need to make sure something is set
|
|
|
76240a |
+ to meet this criterion.
|
|
|
76240a |
+ -->
|
|
|
76240a |
+
|
|
|
76240a |
+ check_existence="all_exist" comment="log_group is set" version="1">
|
|
|
76240a |
+ <ind:object object_ref="object_auditd_conf_log_group_is_set" />
|
|
|
76240a |
+ </ind:textfilecontent54_test>
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+ comment="log_group is set" version="1">
|
|
|
76240a |
+ <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
|
|
|
76240a |
+ <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=.*$</ind:pattern>
|
|
|
76240a |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
76240a |
+ </ind:textfilecontent54_object>
|
|
|
76240a |
+
|
|
|
76240a |
</def-group>
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index 665f903ead4..b77e9abeb0b 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -2355,10 +2355,6 @@ CCE-88221-7
|
|
|
76240a |
CCE-88222-5
|
|
|
76240a |
CCE-88223-3
|
|
|
76240a |
CCE-88224-1
|
|
|
76240a |
-CCE-88225-8
|
|
|
76240a |
-CCE-88226-6
|
|
|
76240a |
-CCE-88227-4
|
|
|
76240a |
-CCE-88228-2
|
|
|
76240a |
CCE-88229-0
|
|
|
76240a |
CCE-88230-8
|
|
|
76240a |
CCE-88231-6
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
index 7d59cfff625..6c97a5a8ca3 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
@@ -103,6 +103,8 @@ selections:
|
|
|
76240a |
- dir_group_ownership_library_dirs
|
|
|
76240a |
- dir_perms_world_writable_root_owned
|
|
|
76240a |
- dir_perms_world_writable_sticky_bits
|
|
|
76240a |
+- directory_group_ownership_var_log_audit
|
|
|
76240a |
+- directory_ownership_var_log_audit
|
|
|
76240a |
- directory_permissions_var_log_audit
|
|
|
76240a |
- disable_ctrlaltdel_burstaction
|
|
|
76240a |
- disable_ctrlaltdel_reboot
|
|
|
76240a |
@@ -113,6 +115,7 @@ selections:
|
|
|
76240a |
- encrypt_partitions
|
|
|
76240a |
- ensure_gpgcheck_globally_activated
|
|
|
76240a |
- ensure_gpgcheck_local_packages
|
|
|
76240a |
+- file_group_ownership_var_log_audit
|
|
|
76240a |
- file_groupowner_var_log
|
|
|
76240a |
- file_groupowner_var_log_messages
|
|
|
76240a |
- file_groupownership_home_directories
|
|
|
76240a |
@@ -121,7 +124,7 @@ selections:
|
|
|
76240a |
- file_owner_var_log_messages
|
|
|
76240a |
- file_ownership_binary_dirs
|
|
|
76240a |
- file_ownership_library_dirs
|
|
|
76240a |
-- file_ownership_var_log_audit
|
|
|
76240a |
+- file_ownership_var_log_audit_stig
|
|
|
76240a |
- file_permission_user_init_files
|
|
|
76240a |
- file_permissions_binary_dirs
|
|
|
76240a |
- file_permissions_etc_audit_auditd
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
index 2c2daad6f6d..d026a40a02b 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
@@ -114,6 +114,8 @@ selections:
|
|
|
76240a |
- dir_group_ownership_library_dirs
|
|
|
76240a |
- dir_perms_world_writable_root_owned
|
|
|
76240a |
- dir_perms_world_writable_sticky_bits
|
|
|
76240a |
+- directory_group_ownership_var_log_audit
|
|
|
76240a |
+- directory_ownership_var_log_audit
|
|
|
76240a |
- directory_permissions_var_log_audit
|
|
|
76240a |
- disable_ctrlaltdel_burstaction
|
|
|
76240a |
- disable_ctrlaltdel_reboot
|
|
|
76240a |
@@ -124,6 +126,7 @@ selections:
|
|
|
76240a |
- encrypt_partitions
|
|
|
76240a |
- ensure_gpgcheck_globally_activated
|
|
|
76240a |
- ensure_gpgcheck_local_packages
|
|
|
76240a |
+- file_group_ownership_var_log_audit
|
|
|
76240a |
- file_groupowner_var_log
|
|
|
76240a |
- file_groupowner_var_log_messages
|
|
|
76240a |
- file_groupownership_home_directories
|
|
|
76240a |
@@ -132,7 +135,7 @@ selections:
|
|
|
76240a |
- file_owner_var_log_messages
|
|
|
76240a |
- file_ownership_binary_dirs
|
|
|
76240a |
- file_ownership_library_dirs
|
|
|
76240a |
-- file_ownership_var_log_audit
|
|
|
76240a |
+- file_ownership_var_log_audit_stig
|
|
|
76240a |
- file_permission_user_init_files
|
|
|
76240a |
- file_permissions_binary_dirs
|
|
|
76240a |
- file_permissions_etc_audit_auditd
|