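--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+readarray -t files < <(find /var/log/)
+for file in "${files[@]}"; do
+ if basename $file | grep -qE '^.*$'; then
+ chmod 0640 $file
+ fi
+done
+
+if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+fi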
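Review bot: `find /var/log/` carries no `-type` filter, so the array holds /var/log/ itself, every subdirectory and any symlink, and the loop's `chmod 0640 $file` then strips the execute bit from those directories (nothing below them is traversable by a non-root process afterwards), changes the targets of symlinks, and directly contradicts the `chmod 0755 /var/log/` that file_permissions_var_log/bash/ubuntu.sh sets in this same commit. The `basename $file | grep -qE '^.*$'` guard matches every name and so filters nothing, and the unquoted `$file` splits on whitespace in a log name. The rule's own OCIL already scopes to `-type f`; `readarray -t files < <(find /var/log/ -type f)` together with `chmod 0640 "$file"` lines the remediation up with it. The `sed -i` edits on /usr/lib/tmpfiles.d/var.conf (and on /usr/lib/tmpfiles.d/00rsyslog.conf in the sibling script) rewrite package-owned files that the next package upgrade can replace; a same-named file under /etc/tmpfiles.d takes precedence over the vendor copy and survives upgrades, which is the supported way to override these entries.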
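--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition class="compliance" id="permissions_local_var_log" version="1">
- {{{ oval_metadata("
- Checks that files in /var/log have permission at least 0640
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_mode_log_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="log file with less restrictive permission than 0640" id="test_mode_log_files" version="1">
- <unix:object object_ref="object_file_mode_log_files" />
- </unix:file_test>
-
- <unix:file_object comment="log files" id="object_file_mode_log_files" version="1">
- <unix:path operation="pattern match">^\/var\/log\/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">log_files_permission_more_0640</filter>
- <filter action="exclude">var_log_symlinks</filter>
- </unix:file_object>
-
- <unix:file_state id="log_files_permission_more_0640" version="1" operator="OR">
-
- <unix:uexec datatype="boolean">true</unix:uexec>
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:gexec datatype="boolean">true</unix:gexec>
- <unix:oread datatype="boolean">true</unix:oread>
- <unix:owrite datatype="boolean">true</unix:owrite>
- <unix:oexec datatype="boolean">true</unix:oexec>
- </unix:file_state>
-
- <unix:file_state id="var_log_symlinks" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
-</def-group>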
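--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -47,3 +47,10 @@ ocil: |-
 
 sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
 
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: '.*'
+ filemode: '0640'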
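Review bot: The template call passes only `filepath: /var/log/` and `file_regex: '.*'`, while the OCIL check directly above recurses (`find /var/log -perm /137 -type f`) and the deleted oval/shared.xml matched every path under `^\/var\/log\/`; unless the template recurses by default, which nothing on this page shows, the generated check now covers only the top-level directory. The dir_permissions_binary_dirs rule added in this same commit passes `recursive: 'true'`, so the knob exists; either add it here or state in the rule text why only top-level files are in scope. The OCIL's `-perm /137` expresses "no bits beyond 0640" rather than "exactly 0640", so it is also worth confirming that what `filemode: '0640'` generates agrees with the manual check.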
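--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+chmod -R 640 /var/log
 mkdir -p /var/log/testme
 touch /var/log/testme/test.log
 chmod 640 /var/log/testme/test.log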
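Review bot: `chmod -R 640 /var/log` applies 640 to the directories as well as the files, clearing their execute bit; the scenario only works because the harness runs as root, and it leaves /var/log itself at 640, which the new file_permissions_var_log rule (0755) in this commit would flag on the same image. Restricting the fixture to regular files, `find /var/log -type f -exec chmod 640 '{}' +`, establishes the same pass condition without disturbing directory modes. The same `chmod -R 640 /var/log/` is added in tests/world_writable_dir.pass.sh and has the same effect there.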
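--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 
+chmod -R 640 /var/log/
 mkdir -p /var/log/testme
 chmod 777 /var/log/testme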
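--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+
+chmod 0755 /var/log/
+
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
+fi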
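--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/syslog File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010422
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/syslog
+ filemode: '0640'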
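--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+title: 'Verify that System Executable Directories Have Restrictive Permissions'
+
+description: |-
+ System executables are stored in the following directories by default:
+ /bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin
+ These directories should not be group-writable or world-writable.
+ If any directory DIR in these directories is found to be
+ group-writable or world-writable, correct its permission with the
+ following command:
+ $ sudo chmod go-w DIR
+
+rationale: |-
+ System binaries are executed by privileged users, as well as system services,
+ and restrictive permissions are necessary to ensure execution of these programs
+ cannot be co-opted.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010423
+
+ocil_clause: 'any of these files are group-writable or world-writable'
+
+ocil: |-
+ System executables are stored in the following directories by default:
+ /bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin
+ To find system executables directories that are group-writable or
+ world-writable, run the following command for each directory DIR
+ which contains system executables:
+ $ sudo find -L DIR -perm /022 -type d
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ filemode: '0755'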
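Review bot: The description and OCIL define the finding as a group- or world-writable directory (`find -L DIR -perm /022 -type d`), but the template call checks `filemode: '0755'` and nothing in it restricts the object to directories; if the template compares against one exact mode, a directory at 0750 becomes a false positive and regular files under /bin and friends are evaluated too, which the manual check never asks for. Please confirm the template's semantics, and if it cannot express "no go-w bits, directories only", say so in the rule text so the automated and manual checks agree on what a failure is. The `ocil_clause` also says "any of these files" while the rule is about directories; `any of these directories are group-writable or world-writable` matches the title.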
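--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;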
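--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
@@ -1,5 +1,6 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
 mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
 done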
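Review bot: `chmod -R 755 "$dirPath"` rewrites the mode of every regular file under /lib, /lib64, /usr/lib and /usr/lib64, not only the directories: an absolute mode also clears any setuid/setgid bit on those files, and the "owner-only-writable directory" scenario needs none of that. The all_dirs_ok.pass.sh fixture in this same commit shows the narrower form, `find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;`, which is enough to establish the baseline. The same command is added in file_permissions_library_dirs/tests/correct_permissions.pass.sh, where touching file modes is at least the point of the rule, but the setuid/setgid side effect applies there as well.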
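--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64"
 for dirPath in $DIRS; do
 mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"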
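--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"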
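--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
@@ -0,0 +1,78 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools Have Mode 0755 or less'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ permissions configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl 755
+ /sbin/aureport 755
+ /sbin/ausearch 755
+ /sbin/autrace 755
+ /sbin/auditd 755
+ /sbin/audispd 755
+ /sbin/augenrules 755
+
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010199
+
+ocil: |-
+ Verify it by running the following command:
+ $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl 755
+ /sbin/aureport 755
+ /sbin/ausearch 755
+ /sbin/autrace 755
+ /sbin/auditd 755
+ /sbin/audispd 755
+ /sbin/augenrules 755
+
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ $ sudo chmod 0755 [audit_tool]
+
+ Replace "[audit_tool]" with the audit tool that does not have the
+ correct permissions.
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ filemode: '0755'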
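Review bot: The OCIL's remediation text is inherited from an entry-style check and does not fit a permissions check: "If the command does not return all the above lines, the missing ones need to be added" should read along the lines of `If any tool is listed with a mode other than 755, correct it with the command below.` The description has a typo ("to protected against" → "to protect against") and closes with a sentence fragment ("Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators") that also repeats the command listing the OCIL already carries; one copy is enough. The tool list includes /sbin/audispd, which as far as I recall exists in the audit 2.x packages but was folded into auditd in audit 3.x, so if this rule is ever extended beyond ubuntu2004 the absent-file case should be decided explicitly rather than left to the template's default.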
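--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
 DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
 for dirPath in $DIRS; do
 find "$dirPath" -perm /022 -exec chmod go-w '{}' \;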
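--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
+done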
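--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -type f -exec chmod 0777 '{}' \;
+done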
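--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
+done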
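--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ find "$dirPath" -type d -exec chmod go-w '{}' \;
+ find "$dirPath" -type f -exec chmod go+w '{}' \;
+done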
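--- a/shared/templates/file_permissions/oval.template
+++ b/shared/templates/file_permissions/oval.template
@@ -67,6 +67,11 @@
 #}}
 <filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
 {{%- endif %}}
+ <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
 </unix:file_object>
 {{% endfor %}}
+
+ <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
 </def-group>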
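Review bot: The new `exclude_symlinks_{{{ FILEID }}}` filter changes every rule that instantiates this template, not only permissions_local_var_log, and the template says nothing about why symlinks are skipped; a one-line comment in the file's existing `{{# … #}}` style, e.g. `{{# symlinks are excluded: the mode of the link itself is not what this rule checks #}}`, would keep the next reader from "fixing" it. The deleted oval/shared.xml carried the same `var_log_symlinks` exclusion, so the intent is clear, but none of the test scenarios in this commit plants a symlink in a checked directory, leaving the new behaviour untested; a pass scenario with a world-writable symlink next to a correctly-moded target would pin it down. Whether the link's target is still evaluated depends on the object's path pattern and the `recursive` handling earlier in the template, which are outside this hunk, so that should be confirmed before the comment claims it.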