Blob Blame History Raw
commit 3cd2b8efbf9d91967e3e65bd2029f7ab3d400314
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Thu Feb 24 18:22:28 2022 +0100

    Manual edited patch scap-security-guide-0.1.61-file_groupowner-PR_7791.patch.

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
new file mode 100644
index 0000000..de85c89
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Group root'
+
+description: |-
+    All audit configuration files must be owned by group root.
+    <pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>
+
+rationale: |-
+    Without the capability to restrict which roles and individuals can
+    select which events are audited, unauthorized personnel may be able
+    to prevent the auditing of critical events.
+    Misconfigured audits may degrade the system's performance by
+    overwhelming the audit log. Misconfigured audits may also make it more
+    difficult to establish, correlate, and investigate the events relating
+    to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+    disa: CCI-000171
+    srg: SRG-OS-000063-GPOS-00032
+    stigid@ubuntu2004: UBTU-20-010135
+
+ocil: |-
+    {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
+    {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /etc/audit/
+            - /etc/audit/rules.d/
+        file_regex:
+            - ^audit(\.rules|d\.conf)$
+            - ^.*\.rules$
+        filegid: '0'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
new file mode 100644
index 0000000..5235e0d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+touch $AUDITFILE
+chgrp root $TESTFILE
+chgrp root $AUDITFILE
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 0000000..52378d8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+groupadd group_test
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+touch $AUDITFILE
+chgrp group_test $TESTFILLE
+chgrp group_test $AUDITFILE
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
index 5ddaf9f..b99705d 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
@@ -1,8 +1,15 @@
+{{% if 'ubuntu' in product %}}
+{{% set gid = 'syslog' %}}
+{{% else %}}
+{{% set gid = 'root' %}}
+{{% endif %}}
+
+
 documentation_complete: true
 
 title: 'Verify Group Who Owns /var/log Directory'
 
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
 
 rationale: |-
     The <tt>/var/log</tt> directory contains files with logs of error
@@ -21,13 +28,16 @@ references:
     stigid@rhel8: RHEL-08-010260
     stigid@ubuntu2004: UBTU-20-010417
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
+    {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
 
 template:
     name: file_groupowner
     vars:
         filepath: /var/log/
         filegid: '0'
+        filegid@ubuntu1604: '110'
+        filegid@ubuntu1804: '110'
+        filegid@ubuntu2004: '110'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
new file mode 100644
index 0000000..f654279
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/syslog File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+rationale: |-
+    The <tt>/var/log/syslog</tt> file contains logs of error messages in
+    the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+    disa: CCI-001314
+    srg: SRG-OS-000206-GPOS-00084
+    stigid@ubuntu2004: UBTU-20-010420
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /var/log/syslog
+        filegid: '4'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
new file mode 100644
index 0000000..655b2cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that system commands directories are group owned by root'
+
+description: |-
+    System commands files are stored in the following directories by default:
+    <pre>/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+    </pre>
+    All these directories should be owned by the <tt>root</tt> group.
+    If the directory is found to be owned by a group other than root correct
+    its ownership with the following command:
+    <pre>$ sudo chgrp root <i>DIR</i></pre>
+
+rationale: |-
+    If the operating system allows any user to make changes to software
+    libraries, then those changes might be implemented without undergoing the
+    appropriate testing and approvals that are part of a robust change management
+    process.
+    This requirement applies to operating systems with software libraries
+    that are accessible and configurable, as in the case of interpreted languages.
+    Software libraries also include privileged programs which execute with
+    escalated privileges. Only qualified and authorized individuals must be
+    allowed to obtain access to information system components for purposes
+    of initiating changes, including upgrades and modifications.
+
+severity: medium
+
+references:
+    disa: CCI-001495
+    srg: SRG-OS-000258-GPOS-00099
+    stigid@ubuntu2004: UBTU-20-010425
+
+ocil_clause: 'any of these directories are not owned by root group'
+ 
+ocil: |-
+    System commands are stored in the following directories:
+    <pre>/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin</pre>
+    For each of these directories, run the following command to find files not
+    owned by root group:
+    <pre>$ sudo find -L <i>$DIR</i> ! -group root -type d \;</pre>
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /bin/
+            - /sbin/
+            - /usr/bin/
+            - /usr/sbin/
+            - /usr/local/bin/
+            - /usr/local/sbin/
+        recursive: 'true'
+        filegid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index 28df783..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
-  find:
-    paths:
-      - "/usr/lib"
-      - "/usr/lib64"
-      - "/lib"
-      - "/lib64"
-    file_type: "directory"
-  register: library_dirs_not_owned_by_root
-
-- name: "Set ownership of system library dirs to root"
-  file:
-    path: "{{ item.path }}"
-    owner: "root"
-    state: "directory"
-    mode: "{{ item.mode }}"
-  with_items: "{{ library_dirs_not_owned_by_root.files }}"
-  when: library_dirs_not_owned_by_root.matched > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
new file mode 100644
index 0000000..f61a5f9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
@@ -0,0 +1,77 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools are owned by group root'
+
+description: |-
+    The {{{ full_name }}} operating system audit tools must have the proper
+    ownership configured to protected against unauthorized access.
+
+    Verify it by running the following command:
+    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    </pre>
+
+    Audit tools needed to successfully view and manipulate audit information
+    system activity and records. Audit tools include custom queries and report
+    generators
+
+rationale: |-
+    Protecting audit information also includes identifying and protecting the
+    tools used to view and manipulate log data. Therefore, protecting audit
+    tools is necessary to prevent unauthorized operation on audit information.
+ 
+    Operating systems providing tools to interface with audit information
+    will leverage user permissions and roles identifying the user accessing the
+    tools and the corresponding rights the user enjoys to make access decisions
+    regarding the access to audit tools.
+
+severity: medium
+
+references:
+    disa: CCI-001493,CCI-001494
+    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
+    stigid@ubuntu2004: UBTU-20-010201
+
+ocil: |-
+    Verify it by running the following command:
+    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    </pre>
+
+    If the command does not return all the above lines, the missing ones
+    need to be added.
+
+    Run the following command to correct the permissions of the missing
+    entries:
+    <pre>$ sudo chown :root [audit_tool] </pre>
+
+    Replace "[audit_tool]" with each audit tool not group-owned by root.
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /sbin/auditctl
+            - /sbin/aureport
+            - /sbin/ausearch
+            - /sbin/autrace
+            - /sbin/auditd
+            - /sbin/audispd
+            - /sbin/augenrules
+        filegid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
index 5598e47..a9e8c7d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
 for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
 do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
index 7cf507c..33a0c85 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
@@ -1,10 +1,12 @@
 #!/bin/bash
 
+groupadd group_test
+
 for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
 do
    if [[ ! -f $TESTFILE ]]
    then
      touch $TESTFILE
    fi
-   chown nobody.nobody $TESTFILE
+   chgrp group_test $TESTFILE
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
deleted file mode 100644
index f5ca938..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<def-group>
-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
-    {{{ oval_metadata("
-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
-        are owned by root.
-      ") }}}
-    <criteria >
-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
-    </criteria>
-  </definition>
-
-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
-  </unix:file_test>
-
-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
-    <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
-        are owned by root. -->
-    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
-    <unix:filename operation="pattern match">^.*$</unix:filename>
-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
-  </unix:file_object>
-
-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
-    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
-  </unix:file_state>
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 83371b8..3b983de 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,rhel8,fedora
+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
 
 title: |-
     Verify the system-wide library files in directories
@@ -44,6 +44,7 @@ references:
     stigid@rhel8: RHEL-08-010350
     stigid@sle12: SLES-12-010875
     stigid@sle15: SLES-15-010355
+    stigid@ubuntu2004: UBTU-20-01430
 
 ocil_clause: 'system wide library files are not group owned by root'
 
@@ -57,3 +58,14 @@ ocil: |-
     To find if system-wide library files stored in these directories are not group-owned by
     root run the following command for each directory <i>DIR</i>:
     <pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /lib/
+            - /lib64/
+            - /usr/lib/
+            - /usr/lib64/
+        file_regex: ^.*$
+        filegid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index a4ae285..0e982c3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
new file mode 100644
index 0000000..a4ae285
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+do
+    if [[ -d $SYSLIBDIRS  ]]
+    then
+        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
+    fi
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index c96f65b..23a7703 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,10 +1,11 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
 
+groupadd group_test
 for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
 do
    if [[ ! -f $TESTFILE ]]
    then
      touch $TESTFILE
    fi
-   chown nobody.nobody $TESTFILE
+   chgrp group_test $TESTFILE
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 0000000..c96f65b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+do
+   if [[ ! -f $TESTFILE ]]
+   then
+     touch $TESTFILE
+   fi
+   chown nobody.nobody $TESTFILE
+done