Blame SOURCES/scap-security-guide-0.1.61-file_owner-PR_7789.patch

ff1465
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
ff1465
new file mode 100644
5fd106
index 00000000000..968ef336148
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
ff1465
@@ -0,0 +1,39 @@
ff1465
+documentation_complete: true
ff1465
+
ff1465
+title: 'Audit Configuration Files Must Be Owned By Root'
ff1465
+
ff1465
+description: |-
ff1465
+    All audit configuration files must be owned by root user.
ff1465
+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
ff1465
+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
ff1465
+
ff1465
+rationale: |-
ff1465
+    Without the capability to restrict which roles and individuals can
ff1465
+    select which events are audited, unauthorized personnel may be able
ff1465
+    to prevent the auditing of critical events.
ff1465
+    Misconfigured audits may degrade the system's performance by
ff1465
+    overwhelming the audit log. Misconfigured audits may also make it more
ff1465
+    difficult to establish, correlate, and investigate the events relating
ff1465
+    to an incident or identify those responsible for one.
ff1465
+
ff1465
+severity: medium
ff1465
+
ff1465
+references:
ff1465
+    disa: CCI-000171
ff1465
+    srg: SRG-OS-000063-GPOS-00032
ff1465
+    stigid@ubuntu2004: UBTU-20-010134
ff1465
+
ff1465
+ocil: |-
ff1465
+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
ff1465
+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
ff1465
+
ff1465
+template:
ff1465
+    name: file_owner
ff1465
+    vars:
ff1465
+        filepath:
ff1465
+            - /etc/audit/
ff1465
+            - /etc/audit/rules.d/
ff1465
+        file_regex:
ff1465
+            - ^audit(\.rules|d\.conf)$
ff1465
+            - ^.*\.rules$
ff1465
+        fileuid: '0'
ff1465
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
ff1465
new file mode 100644
5fd106
index 00000000000..4d67307a1ef
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
ff1465
@@ -0,0 +1,6 @@
ff1465
+#!/bin/bash
ff1465
+# packages = audit
ff1465
+
ff1465
+chown 0 /etc/audit/audit.rules
ff1465
+chown 0 /etc/audit/auditd.conf
ff1465
+chown 0 -R /etc/audit/rules.d/
ff1465
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
ff1465
new file mode 100644
5fd106
index 00000000000..337074fab92
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
ff1465
@@ -0,0 +1,7 @@
ff1465
+#!/bin/bash
ff1465
+# packages = audit
ff1465
+
ff1465
+useradd testuser_123
ff1465
+chown testuser_123 /etc/audit/audit.rules
ff1465
+chown testuser_123 /etc/audit/auditd.conf
ff1465
+chown testuser_123 -R /etc/audit/rules.d/
ff1465
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
ff1465
new file mode 100644
5fd106
index 00000000000..f1bf515455d
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
ff1465
@@ -0,0 +1,27 @@
ff1465
+documentation_complete: true
ff1465
+
ff1465
+title: 'Verify User Who Owns /var/log/syslog File'
ff1465
+
ff1465
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
ff1465
+
ff1465
+rationale: |-
ff1465
+    The <tt>/var/log/syslog</tt> file contains logs of error messages in
ff1465
+    the system and should only be accessed by authorized personnel.
ff1465
+
ff1465
+severity: medium
ff1465
+
ff1465
+references:
ff1465
+    disa: CCI-001314
ff1465
+    srg: SRG-OS-000206-GPOS-00084
ff1465
+    stigid@ubuntu2004: UBTU-20-010421
ff1465
+
ff1465
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
ff1465
+
ff1465
+ocil: |-
ff1465
+    {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
ff1465
+
ff1465
+template:
ff1465
+    name: file_owner
ff1465
+    vars:
ff1465
+        filepath: /var/log/syslog
ff1465
+        fileuid: '104'
ff1465
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
ff1465
new file mode 100644
5fd106
index 00000000000..e2362388678
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
ff1465
@@ -0,0 +1,55 @@
ff1465
+documentation_complete: true
ff1465
+
ff1465
+title: 'Verify that System Executable Have Root Ownership'
ff1465
+
ff1465
+description: |-
ff1465
+    
/bin
ff1465
+    /sbin
ff1465
+    /usr/bin
ff1465
+    /usr/sbin
ff1465
+    /usr/local/bin
ff1465
+    /usr/local/sbin
ff1465
+    All these directories should be owned by the <tt>root</tt> user.
ff1465
+    If any directory DIR in these directories is found
ff1465
+    to be owned by a user other than root, correct its ownership with the
ff1465
+    following command:
ff1465
+    
$ sudo chown root DIR
ff1465
+
ff1465
+rationale: |-
ff1465
+    System binaries are executed by privileged users as well as system services,
ff1465
+    and restrictive permissions are necessary to ensure that their
ff1465
+    execution of these programs cannot be co-opted.
ff1465
+
ff1465
+severity: medium
ff1465
+
ff1465
+references:
ff1465
+    disa: CCI-001495
ff1465
+    srg: SRG-OS-000258-GPOS-00099
ff1465
+    stigid@ubuntu2004: UBTU-20-010424
ff1465
+
ff1465
+ocil_clause: 'any system exectables directories are found to not be owned by root'
ff1465
+
ff1465
+ocil: |-
ff1465
+    System executables are stored in the following directories by default:
ff1465
+    
/bin
ff1465
+    /sbin
ff1465
+    /usr/bin
ff1465
+    /usr/local/bin
ff1465
+    /usr/local/sbin
ff1465
+    /usr/sbin
ff1465
+    For each of these directories, run the following command to find files
ff1465
+    not owned by root:
ff1465
+    
$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;
ff1465
+
ff1465
+template:
ff1465
+    name: file_owner
ff1465
+    vars:
ff1465
+        filepath:
ff1465
+            - /bin/
ff1465
+            - /sbin/
ff1465
+            - /usr/bin/
ff1465
+            - /usr/sbin/
ff1465
+            - /usr/local/bin/
ff1465
+            - /usr/local/sbin/
ff1465
+        recursive: 'true'
ff1465
+        fileuid: '0'
ff1465
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
ff1465
new file mode 100644
5fd106
index 00000000000..0c7d9b313d5
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
ff1465
@@ -0,0 +1,77 @@
ff1465
+documentation_complete: true
ff1465
+
ff1465
+prodtype: ubuntu2004
ff1465
+
ff1465
+title: 'Verify that audit tools are owned by root'
ff1465
+
ff1465
+description: |-
ff1465
+    The {{{ full_name }}} operating system audit tools must have the proper
ff1465
+    ownership configured to protected against unauthorized access.
ff1465
+
ff1465
+    Verify it by running the following command:
ff1465
+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
ff1465
+
ff1465
+    /sbin/auditctl root
ff1465
+    /sbin/aureport root
ff1465
+    /sbin/ausearch root
ff1465
+    /sbin/autrace root
ff1465
+    /sbin/auditd root
ff1465
+    /sbin/audispd root
ff1465
+    /sbin/augenrules root
ff1465
+    
ff1465
+
ff1465
+    Audit tools needed to successfully view and manipulate audit information
ff1465
+    system activity and records. Audit tools include custom queries and report
ff1465
+    generators
ff1465
+
ff1465
+rationale: |-
ff1465
+    Protecting audit information also includes identifying and protecting the
ff1465
+    tools used to view and manipulate log data. Therefore, protecting audit
ff1465
+    tools is necessary to prevent unauthorized operation on audit information.
ff1465
+ 
ff1465
+    Operating systems providing tools to interface with audit information
ff1465
+    will leverage user permissions and roles identifying the user accessing the
ff1465
+    tools and the corresponding rights the user enjoys to make access decisions
ff1465
+    regarding the access to audit tools.
ff1465
+
ff1465
+severity: medium
ff1465
+
ff1465
+references:
ff1465
+    disa: CCI-001493,CCI-001494
ff1465
+    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
ff1465
+    stigid@ubuntu2004: UBTU-20-010200
ff1465
+
ff1465
+ocil: |-
ff1465
+    Verify it by running the following command:
ff1465
+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
ff1465
+
ff1465
+    /sbin/auditctl root
ff1465
+    /sbin/aureport root
ff1465
+    /sbin/ausearch root
ff1465
+    /sbin/autrace root
ff1465
+    /sbin/auditd root
ff1465
+    /sbin/audispd root
ff1465
+    /sbin/augenrules root
ff1465
+    
ff1465
+
ff1465
+    If the command does not return all the above lines, the missing ones
ff1465
+    need to be added.
ff1465
+
ff1465
+    Run the following command to correct the permissions of the missing
ff1465
+    entries:
ff1465
+    
$ sudo chown root [audit_tool] 
ff1465
+
ff1465
+    Replace "[audit_tool]" with each audit tool not owned by root.
ff1465
+
ff1465
+template:
ff1465
+    name: file_owner
ff1465
+    vars:
ff1465
+        filepath:
ff1465
+            - /sbin/auditctl
ff1465
+            - /sbin/aureport
ff1465
+            - /sbin/ausearch
ff1465
+            - /sbin/autrace
ff1465
+            - /sbin/auditd
ff1465
+            - /sbin/audispd
ff1465
+            - /sbin/augenrules
ff1465
+        fileuid: '0'
ff1465
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
5fd106
index 80eaae8d50b..590c9fc6055 100644
ff1465
--- a/shared/templates/file_owner/ansible.template
ff1465
+++ b/shared/templates/file_owner/ansible.template
ff1465
@@ -25,7 +25,7 @@
ff1465
 
ff1465
 - name: Ensure owner on {{{ path }}} recursively
ff1465
   file:
ff1465
-    paths "{{{ path }}}"
ff1465
+    path: "{{{ path }}}"
ff1465
     state: directory
ff1465
     recurse: yes
ff1465
     owner: "{{{ FILEUID }}}"
5fd106
diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh
5fd106
index 938e6b30819..4e3683f9dcf 100644
5fd106
--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh
5fd106
+++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh
5fd106
@@ -1,8 +1,18 @@
5fd106
 #!/bin/bash
5fd106
 #
5fd106
 
5fd106
-{{% if MISSING_FILE_PASS %}}
5fd106
-    rm -f {{{ FILEPATH }}}
5fd106
-{{% else %}}
5fd106
-    true
5fd106
-{{% endif %}}
5fd106
+{{% for path in FILEPATH %}}
5fd106
+    {{% if MISSING_FILE_PASS %}}
5fd106
+        rm -f {{{ path }}}
5fd106
+    {{% else %}}
5fd106
+        {{% if IS_DIRECTORY and RECURSIVE %}}
5fd106
+        find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
5fd106
+        {{% else %}}
5fd106
+        if [ ! -f {{{ path }}} ]; then
5fd106
+            mkdir -p "$(dirname '{{{ path }}}')"
5fd106
+            touch {{{ path }}}
5fd106
+        fi
5fd106
+        chown {{{ FILEUID }}} {{{ path }}}
5fd106
+        {{% endif %}}
5fd106
+    {{% endif %}}
5fd106
+{{% endfor %}}