commit 74bab352f4bb5b52beaf70c6f23f60d4af4f9518 Author: Gabriel Becker Date: Thu Feb 24 18:42:09 2022 +0100 Manual edited scap-security-guide-0.1.61-file_owner-PR_7789.patch. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml new file mode 100644 index 0000000..968ef33 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +title: 'Audit Configuration Files Must Be Owned By Root' + +description: |- + All audit configuration files must be owned by root user. + {{{ describe_file_owner(file="/etc/audit/", owner="root") }}} + {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}} + +rationale: |- + Without the capability to restrict which roles and individuals can + select which events are audited, unauthorized personnel may be able + to prevent the auditing of critical events. + Misconfigured audits may degrade the system's performance by + overwhelming the audit log. Misconfigured audits may also make it more + difficult to establish, correlate, and investigate the events relating + to an incident or identify those responsible for one. + +severity: medium + +references: + disa: CCI-000171 + srg: SRG-OS-000063-GPOS-00032 + stigid@ubuntu2004: UBTU-20-010134 + +ocil: |- + {{{ describe_file_owner(file="/etc/audit/", owner="root") }}} + {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}} + +template: + name: file_owner + vars: + filepath: + - /etc/audit/ + - /etc/audit/rules.d/ + file_regex: + - ^audit(\.rules|d\.conf)$ + - ^.*\.rules$ + fileuid: '0' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh new file mode 100644 index 0000000..4d67307 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = audit + +chown 0 /etc/audit/audit.rules +chown 0 /etc/audit/auditd.conf +chown 0 -R /etc/audit/rules.d/ diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh new file mode 100644 index 0000000..337074f --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = audit + +useradd testuser_123 +chown testuser_123 /etc/audit/audit.rules +chown testuser_123 /etc/audit/auditd.conf +chown testuser_123 -R /etc/audit/rules.d/ diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml new file mode 100644 index 0000000..f1bf515 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +title: 'Verify User Who Owns /var/log/syslog File' + +description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}' + +rationale: |- + The /var/log/syslog file contains logs of error messages in + the system and should only be accessed by authorized personnel. + +severity: medium + +references: + disa: CCI-001314 + srg: SRG-OS-000206-GPOS-00084 + stigid@ubuntu2004: UBTU-20-010421 + +ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}' + +ocil: |- + {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}} + +template: + name: file_owner + vars: + filepath: /var/log/syslog + fileuid: '104' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml new file mode 100644 index 0000000..e236238 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml @@ -0,0 +1,55 @@ +documentation_complete: true + +title: 'Verify that System Executable Have Root Ownership' + +description: |- +
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+ All these directories should be owned by the root user. + If any directory DIR in these directories is found + to be owned by a user other than root, correct its ownership with the + following command: +
$ sudo chown root DIR
+ +rationale: |- + System binaries are executed by privileged users as well as system services, + and restrictive permissions are necessary to ensure that their + execution of these programs cannot be co-opted. + +severity: medium + +references: + disa: CCI-001495 + srg: SRG-OS-000258-GPOS-00099 + stigid@ubuntu2004: UBTU-20-010424 + +ocil_clause: 'any system exectables directories are found to not be owned by root' + +ocil: |- + System executables are stored in the following directories by default: +
/bin
+    /sbin
+    /usr/bin
+    /usr/local/bin
+    /usr/local/sbin
+    /usr/sbin
+ For each of these directories, run the following command to find files + not owned by root: +
$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;
+ +template: + name: file_owner + vars: + filepath: + - /bin/ + - /sbin/ + - /usr/bin/ + - /usr/sbin/ + - /usr/local/bin/ + - /usr/local/sbin/ + recursive: 'true' + fileuid: '0' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml new file mode 100644 index 0000000..0c7d9b3 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml @@ -0,0 +1,77 @@ +documentation_complete: true + +prodtype: ubuntu2004 + +title: 'Verify that audit tools are owned by root' + +description: |- + The {{{ full_name }}} operating system audit tools must have the proper + ownership configured to protected against unauthorized access. + + Verify it by running the following command: +
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    
+ + Audit tools needed to successfully view and manipulate audit information + system activity and records. Audit tools include custom queries and report + generators + +rationale: |- + Protecting audit information also includes identifying and protecting the + tools used to view and manipulate log data. Therefore, protecting audit + tools is necessary to prevent unauthorized operation on audit information. + + Operating systems providing tools to interface with audit information + will leverage user permissions and roles identifying the user accessing the + tools and the corresponding rights the user enjoys to make access decisions + regarding the access to audit tools. + +severity: medium + +references: + disa: CCI-001493,CCI-001494 + srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098 + stigid@ubuntu2004: UBTU-20-010200 + +ocil: |- + Verify it by running the following command: +
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl root
+    /sbin/aureport root
+    /sbin/ausearch root
+    /sbin/autrace root
+    /sbin/auditd root
+    /sbin/audispd root
+    /sbin/augenrules root
+    
+ + If the command does not return all the above lines, the missing ones + need to be added. + + Run the following command to correct the permissions of the missing + entries: +
$ sudo chown root [audit_tool] 
+ + Replace "[audit_tool]" with each audit tool not owned by root. + +template: + name: file_owner + vars: + filepath: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/audispd + - /sbin/augenrules + fileuid: '0' diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile index 4c76824..487de82 100644 --- a/products/ubuntu2004/profiles/stig.profile +++ b/products/ubuntu2004/profiles/stig.profile @@ -452,6 +452,7 @@ selections: # UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive. # UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root. + - dir_ownership_binary_dirs # UBTU-20-010425 The Ubuntu operating system must have directories that contain system commands group-owned by root. diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index 80eaae8..590c9fc 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template @@ -25,7 +25,7 @@ - name: Ensure owner on {{{ path }}} recursively file: - paths "{{{ path }}}" + path: "{{{ path }}}" state: directory recurse: yes owner: "{{{ FILEUID }}}"