Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add and modify rules file/dir_permissions_system_journal #11840

Merged
merged 1 commit into from Apr 29, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions components/systemd.yml
Expand Up @@ -8,6 +8,7 @@ packages:
rules:
- coredump_disable_backtraces
- coredump_disable_storage
- dir_permissions_system_journal
- disable_ctrlaltdel_burstaction
- file_groupowner_etc_crypttab
- file_groupowner_system_journal
Expand Down
@@ -0,0 +1,43 @@
documentation_complete: true

title: 'Verify Permissions on the system journal directories'

description: |-
Verify the /run/log/journal and /var/log/journal directories have
permissions set to "2750" or less permissive by using the following command:
<pre>
$ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %a" {} \;
</pre>
If any output returned has a permission set greater than "2750", this is a finding.

rationale: |-
Any operating system providing too much information in error messages risks
compromising the data and security of the structure, and content of error messages
needs to be carefully considered by the organization.

references:
disa: CCI-001312
stigid@ubuntu2204: UBTU-22-232027

severity: medium

fixtext: |
Configure the system to set the appropriate permissions to the files and directories
used by the systemd journal:
Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file:
<pre>
z /run/log/journal 2750 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
z /var/log/journal 2750 root systemd-journal - -
z /var/log/journal/%m 2750 root systemd-journal - -
</pre>
Restart the system for the changes to take effect.

template:
name: file_permissions
vars:
filepath:
- /run/log/journal/
- /var/log/journal/
recursive: 'true'
filemode: '2750'
Expand Up @@ -4,27 +4,67 @@ documentation_complete: true
title: 'Verify Permissions on the system journal'

description: |-
{{{ describe_file_permissions(file="/var/log/journal/.*/system.journal", perms="0640") }}}
{{%- if 'ubuntu' in product %}}
Verify all files in the /run/log/journal and /var/log/journal directories have
permissions set to "640" or less permissive by using the following command:
<pre>
$ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %a" {} \;
</pre>
If any output returned has a permission set greater than "640", this is a finding.
{{%- else %}}
{{{ describe_file_permissions(file="/var/log/journal/.*/system.journal", perms="0640") }}}
{{%- endif %}}

rationale: |-
RHCOS must protect system journal file from any type of unauthorized access by setting file permissions.
{{%- if 'ubuntu' in product %}}
Any operating system providing too much information in error messages risks
compromising the data and security of the structure, and content of error messages
needs to be carefully considered by the organization.
{{%- else %}}
RHCOS must protect system journal file from any type of unauthorized access by setting file permissions.
{{%- endif %}}

identifiers:
cce@rhcos4: CCE-86509-7
cce@rhcos4: CCE-86509-7

severity: medium

fixtext: |
{{%- if 'ubuntu' in product %}}
Configure the system to set the appropriate permissions to the files and directories
used by the systemd journal:
Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file:
<pre>
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
</pre>
Restart the system for the changes to take effect.
{{%- endif %}}

references:
srg: SRG-APP-000118-CTR-000240
disa: CCI-001312
srg: SRG-APP-000118-CTR-000240
stigid@ubuntu2204: UBTU-22-232027

ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/journal/.*/system.journal", perms="-rw-r-----") }}}'

ocil: |-
{{{ ocil_file_permissions(file="/var/log/journal/.*/system.journal", perms="-rw-r-----") }}}
{{{ ocil_file_permissions(file="/var/log/journal/.*/system.journal", perms="-rw-r-----") }}}

template:
name: file_permissions
vars:
filepath: ^/var/log/journal/.*/system.journal$
filemode: '0640'
filepath_is_regex: "true"
name: file_permissions
vars:
{{%- if 'ubuntu' in product %}}
filepath:
- /run/log/journal/
- /var/log/journal/
recursive: 'true'
file_regex: ^.*$
filemode: '0640'

{{%- else %}}
filepath: ^/var/log/journal/.*/system.journal$
filemode: '0640'
filepath_is_regex: "true"

{{%- endif %}}

5 changes: 3 additions & 2 deletions products/ubuntu2204/profiles/stig.profile
Expand Up @@ -636,9 +636,10 @@ selections:
# Analogous to package_telnetd_removed
# UBTU-22-215020 The Ubuntu operating system must not have the "systemd-timesyncd" package installed

### TODO (rule needed; reevaluate permissions)
# Similar to file_permissions_library_dirs and dir_permissions_library_dirs
### TODO (reevaluate directory permissions)
# UBTU-22-232027 The Ubuntu operating system must generate system journal entries without revealing information that could be exploited by adversaries
- file_permissions_system_journal
- dir_permissions_system_journal

### TODO (rule needed)
# Analogous to directory_ownership_var_log_audit
Expand Down