Merge pull request #11841 from mpurg/ubuntu_2204_stig_232105

Add rule file_groupowner_journalctl
ComplianceAsCode · May 7, 2024 · 5a5ca71 · 5a5ca71
2 parents eebfe7d + efdc9a6
commit 5a5ca71
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 2 deletions.
diff --git a/components/systemd.yml b/components/systemd.yml
@@ -13,6 +13,7 @@ rules:
 - dir_groupowner_system_journal
 - disable_ctrlaltdel_burstaction
 - file_groupowner_etc_crypttab
+- file_groupowner_journalctl
 - file_groupowner_system_journal
 - file_owner_etc_crypttab
 - file_owner_journalctl

diff --git a/linux_os/guide/system/logging/journald/file_groupowner_journalctl/rule.yml b/linux_os/guide/system/logging/journald/file_groupowner_journalctl/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Verify Groupowner on the journalctl command'
+
+description: |-
+    Verify that the "journalctl" command is group-owned by "root" by
+    using the following command:
+    <pre>
+    $ sudo find /usr/bin/journalctl -exec stat -c "%n %G" {} \;
+    </pre>
+    If any output returned is not owned by "root", this is a finding.
+
+rationale: |-
+    Only authorized personnel should be aware of errors and the details of the errors.
+    Error messages are an indicator of an organization's operational state or can
+    identify the operating system or platform. Additionally, personally identifiable
+    information (PII) and operational information must not be revealed through error
+    messages to unauthorized personnel or their designated representatives.
+
+references:
+    disa: CCI-001314
+    stigid@ubuntu2204: UBTU-22-232105
+
+severity: medium
+
+fixtext: |
+    Configure "journalctl" to be owned by "root":
+    <pre>
+    $ sudo chown :root /usr/bin/journalctl
+    </pre>
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /usr/bin/journalctl
+        gid_or_name: '0'
diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
@@ -656,9 +656,8 @@ selections:
     # UBTU-22-232100 The Ubuntu operating system must be configured so that the "journalctl" command is owned by "root"
     - file_owner_journalctl
 
-    ### TODO (rule needed)
-    # Similar to file_group_ownership_var_log_audit
     # UBTU-22-232105 The Ubuntu operating system must be configured so that the "journalctl" command is group-owned by "root"
+    - file_groupowner_journalctl
 
     # UBTU-22-232140 The Ubuntu operating system must be configured so that the "journalctl" command is not accessible by unauthorized users
     - file_permissions_journalctl