commit b56ce1b9070236c1f44e936548d9ff44b2ebe8a3 Author: Gabriel Becker Date: Thu Feb 24 18:44:02 2022 +0100 Manual edited patch scap-security-guide-0.1.61-file_permissions-PR_7788.patch.
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
new file mode 100644
index 0000000..93fd73e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+readarray -t files < <(find /var/log/)
+for file in "${files[@]}"; do
+ if basename $file | grep -qE '^.*$'; then
+ chmod 0640 $file
+ fi
+done
+
+if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+fi
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
deleted file mode 100644
index dd95ce0..0000000
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
-
- {{{ oval_metadata("
- Checks that files in /var/log have permission at least 0640
- ") }}}
-
-
-
-
-
-
-
-
-
-
-
- ^\/var\/log\/
- ^.*$
- log_files_permission_more_0640
- var_log_symlinks
-
-
-
-
-
- true
- true
- true
- true
- true
- true
-
-
-
-
- symbolic link
-
-
-
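Review bot: `find /var/log/` in the new permissions_local_var_log ubuntu.sh also returns /var/log/ itself and every subdirectory, so the loop's `chmod 0640 $file` strips the execute bit from those directories — including the one the sibling remediation under permissions_var_log_dir in this same commit sets to 0755 — and the `basename $file | grep -qE '^.*$'` guard matches every name, so it filters nothing. Restricting the listing to regular files fixes both and also keeps chmod from dereferencing symlinks inside /var/log, which the oval.template change in this commit explicitly excludes from the check: `readarray -t files < <(find /var/log/ -type f)` together with `chmod 0640 "$file"` (quoted so names containing spaces survive). The tautological `if` can then be dropped.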
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
index 1939531..bd7e984 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -46,3 +46,10 @@ ocil: |-
     sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
     
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: '.*'
+ filemode: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
index 5317ef2..1793259 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
+chmod -R 640 /var/log
 mkdir -p /var/log/testme
 touch /var/log/testme/test.log
 chmod 640 /var/log/testme/test.log
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
index 83db1ac..69b0814 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+chmod -R 640 /var/log/
 mkdir -p /var/log/testme
 chmod 777 /var/log/testme
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
new file mode 100644
index 0000000..93962ea
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+
+chmod 0755 /var/log/
+
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
+fi
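Review bot: The `chmod -R 640 /var/log` added to var_logfile_correct_mode.pass.sh (and `chmod -R 640 /var/log/` in world_writable_dir.pass.sh on this same line) also applies mode 640 to every directory under /var/log, removing the traverse bit; the fixture presumably still passes because the harness runs as root, but it no longer resembles the system the rule targets and hides the file/directory distinction the remediation depends on. Resetting only regular files keeps the precondition honest: `find /var/log -type f -exec chmod 640 {} +`. The same replacement applies to the second test hunk.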
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
new file mode 100644
index 0000000..73258d4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/syslog File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
+
+rationale: |-
+ The /var/log/syslog file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010422
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/syslog
+ filemode: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
new file mode 100644
index 0000000..a666c76
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+title: 'Verify that System Executable Directories Have Restrictive Permissions'
+
+description: |-
+ System executables are stored in the following directories by default: +
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+ These directories should not be group-writable or world-writable.
+ If any directory DIR in these directories is found to be
+ group-writable or world-writable, correct its permission with the
+ following command: +
$ sudo chmod go-w DIR
+
+rationale: |-
+ System binaries are executed by privileged users, as well as system services,
+ and restrictive permissions are necessary to ensure execution of these programs
+ cannot be co-opted.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010423
+
+ocil_clause: 'any of these files are group-writable or world-writable'
+
+ocil: |-
+ System executables are stored in the following directories by default: +
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
+    /usr/local/sbin
+ To find system executables directories that are group-writable or
+ world-writable, run the following command for each directory DIR
+ which contains system executables: +
$ sudo find -L DIR -perm /022 -type d
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
index 3f7239d..af07846 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
index 1f68586..d58616b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
@@ -1,5 +1,6 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
 mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
 done
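Review bot: In the new dir_permissions_binary_dirs/rule.yml the `ocil_clause` reads `'any of these files are group-writable or world-writable'` while the title, description and the OCIL command `find -L DIR -perm /022 -type d` all refer to directories; the clause is what a reader sees on a failed check, so it should be `'any of these directories are group-writable or world-writable'`. The template block sets `recursive: 'true'` with `filemode: '0755'` but nothing in the vars restricts the check to directories — if the file_permissions template also evaluates regular files under these paths, the automated check would be stricter than the OCIL text (setuid binaries carry bits beyond 0755), which is worth confirming against the template before trusting the results. This rule's hunk begins on an earlier line.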
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
index b60a726..98d18cd 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/lib /lib64"
 for dirPath in $DIRS; do
 mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
index 5438b51..6df6e2f 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 DIRS="/usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
new file mode 100644
index 0000000..da42e99
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
@@ -0,0 +1,78 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools Have Mode 0755 or less'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ permissions configured to protected against unauthorized access.
+
+ Verify it by running the following command: +
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl 755
+    /sbin/aureport 755
+    /sbin/ausearch 755
+    /sbin/autrace 755
+    /sbin/auditd 755
+    /sbin/audispd 755
+    /sbin/augenrules 755
+    
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010199
+
+ocil: |-
+ Verify it by running the following command: +
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+    /sbin/auditctl 755
+    /sbin/aureport 755
+    /sbin/ausearch 755
+    /sbin/autrace 755
+    /sbin/auditd 755
+    /sbin/audispd 755
+    /sbin/augenrules 755
+    
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries: +
$ sudo chmod 0755 [audit_tool] 
+
+ Replace "[audit_tool]" with the audit tool that does not have the
+ correct permissions.
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
index 5d95c98..ab89b27 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
 DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
 for dirPath in $DIRS; do
 find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000..59b8838
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
+done
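Review bot: The description in the new file_permissions_audit_binaries/rule.yml carries two wording slips that will appear verbatim in the generated guide: `permissions configured to protected against unauthorized access` should read `permissions configured to protect against unauthorized access`, and the sentence `Audit tools needed to successfully view and manipulate audit information system activity and records.` lacks its verb and final punctuation — `Audit tools are needed to successfully view and manipulate audit information, system activity and records. Audit tools include custom queries and report generators.` This rule's hunk begins on an earlier line.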
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000..9d9ce30
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -type f -exec chmod 0777 '{}' \;
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000..de388e6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000..913e75e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
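Review bot: The new file_permissions_binary_dirs incorrect_permissions.fail.sh runs `find "$dirPath" -type f -exec chmod 0777 '{}' \;` over /bin, /usr/bin, /sbin and the other system directories, rewriting the mode of every binary on the test system and clearing any setuid/setgid bits in the process, when one offending file is enough to make the rule fail. A narrower fixture such as `touch /usr/bin/testme && chmod 0777 /usr/bin/testme` exercises the same check without leaving the VM in a state that the `chmod go-w` remediation may not fully restore. The file_permissions_library_dirs incorrect_permissions.fail.sh that starts at the end of this line has the same shape with `chmod go+w` over every library file.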
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ find "$dirPath" -type d -exec chmod go-w '{}' \;
+ find "$dirPath" -type f -exec chmod go+w '{}' \;
+done
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 487de82..091e472 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -448,8 +448,10 @@ selections:
 # UBTU-20-010421 The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
 # UBTU-20-010422 The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
+ - file_permissions_var_log_syslog
 # UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
+ - dir_permissions_binary_dirs
 # UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
 - dir_ownership_binary_dirs
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
index 89083e8..6b3616a 100644
--- a/shared/templates/file_permissions/oval.template
+++ b/shared/templates/file_permissions/oval.template
@@ -67,6 +67,11 @@ #}}
 state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}
 {{%- endif %}}
+ exclude_symlinks_{{{ FILEID }}}
 {{% endfor %}}
+
+
+ symbolic link
+