Merge pull request #11966 from mpurg/ubuntu_2204_stig_653045
Add new rule file_permissions_var_log_audit_stig
Showing
12 changed files
with
168 additions
and
2 deletions.
9 changes: 9 additions & 0 deletions
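--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_ubuntu
+
+if LC_ALL=C grep -iqw ^log_file /etc/audit/auditd.conf; then
+FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+else
+FILE="/var/log/audit/audit.log"
+fi
+
+chmod 0600 -- "$(dirname "$FILE")"/*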
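Review bot: The key match is inconsistent between the guard on the `if` line and the extraction on the `FILE=` line: `grep -iqw` accepts `LOG_FILE` in any case, but the awk pattern `/^log_file/` is case-sensitive, so an upper- or mixed-case key leaves `FILE` empty, `dirname ""` yields `.`, and the final chmod then rewrites the mode of every entry in the current working directory instead of the audit log directory. Matching case-insensitively in awk and rejecting an empty result closes this: `FILE=$(awk -F= 'tolower($1) ~ /^[[:space:]]*log_file[[:space:]]*$/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')` followed by `[ -n "$FILE" ] || FILE="/var/log/audit/audit.log"`. The `exit` also avoids a duplicated key producing two lines that `tr -d ' '` would leave joined by a newline inside `FILE`. The `*` glob matches subdirectories and non-log files in that directory too, which is consistent with the OVAL object's `^.*$` filename pattern but deserves a comment such as `# Applies to every entry in the log directory, matching the OVAL object`.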
62 changes: 62 additions & 0 deletions
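--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/oval/shared.xml
@@ -0,0 +1,62 @@
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}" version="2">
+{{{ oval_metadata("Checks for correct permissions for all audit log files.") }}}
+<criteria operator="OR">
+<criteria operator="AND" comment="log_file set">
+<extend_definition comment="log_file set in auditd.conf" definition_ref="auditd_conf_log_file_not_set" negate="true" />
+<criterion test_ref="test_{{{ rule_id }}}" negate="true" />
+</criteria>
+<criteria operator="AND" comment="log_file not set">
+<extend_definition comment="log_file not set in auditd.conf" definition_ref="auditd_conf_log_file_not_set"/>
+<criterion test_ref="test_{{{ rule_id }}}_default" negate="true" />
+</criteria>
+</criteria>
+</definition>
+
+<unix:file_test check="all" check_existence="at_least_one_exists"
+comment="audit log files mode 0600"
+id="test_{{{ rule_id }}}" version="1">
+<unix:object object_ref="object_{{{ rule_id }}}" />
+<unix:state state_ref="state_{{{ rule_id }}}_not_mode_0600" />
+</unix:file_test>
+
+<unix:file_object comment="audit log files" id="object_{{{ rule_id }}}" version="1">
+<unix:path operation="equals" var_ref="audit_log_file_dir" />
+<unix:filename operation="pattern match">^.*$</unix:filename>
+<filter action="include">state_{{{ rule_id }}}_not_mode_0600</filter>
+</unix:file_object>
+
+<unix:file_test check="all" check_existence="at_least_one_exists"
+comment="default audit log files mode 0600"
+id="test_{{{ rule_id }}}_default" version="1">
+<unix:object object_ref="object_{{{ rule_id }}}_default" />
+<unix:state state_ref="state_{{{ rule_id }}}_not_mode_0600" />
+</unix:file_test>
+
+<unix:file_object comment="default audit log files" id="object_{{{ rule_id }}}_default" version="1">
+<unix:path operation="equals">/var/log/audit/</unix:path>
+<unix:filename operation="pattern match">^.*$</unix:filename>
+<filter action="include">state_{{{ rule_id }}}_not_mode_0600</filter>
+</unix:file_object>
+
+<unix:file_state id="state_{{{ rule_id }}}_not_mode_0600" version="1" operator="OR">
+<!-- if any one of these is true then mode is NOT 0600 (hence the OR operator) -->
+<unix:suid datatype="boolean">true</unix:suid>
+<unix:sgid datatype="boolean">true</unix:sgid>
+<unix:sticky datatype="boolean">true</unix:sticky>
+<unix:uexec datatype="boolean">true</unix:uexec>
+<unix:gread datatype="boolean">true</unix:gread>
+<unix:gwrite datatype="boolean">true</unix:gwrite>
+<unix:gexec datatype="boolean">true</unix:gexec>
+<unix:oread datatype="boolean">true</unix:oread>
+<unix:owrite datatype="boolean">true</unix:owrite>
+<unix:oexec datatype="boolean">true</unix:oexec>
+</unix:file_state>
+
+<!-- extract dirname from path -->
+<local_variable id="audit_log_file_dir" datatype="string" version="1" comment="dirname of audit log files">
+<regex_capture pattern="^(/.*/)[^/]*$">
+<variable_component var_ref="audit_log_file_path" />
+</regex_capture>
+</local_variable>
+</def-group>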
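Review bot: `audit_log_file_path` is referenced by the `variable_component` inside the `regex_capture` but is not declared anywhere in this file, so the check only resolves if that variable comes from the OVAL behind `auditd_conf_log_file_not_set`, the definition extended in both branches above; a comment next to the `local_variable`, e.g. `<!-- audit_log_file_path is expected from the auditd_conf_log_file_not_set OVAL; keep the ids in sync -->`, would make that coupling visible to whoever next edits either file. The capture pattern `^(/.*/)[^/]*$` only matches an absolute path; if `log_file` held a relative name the variable would carry no value, the filtered object would collect nothing, and the negated `at_least_one_exists` test would presumably report compliant by default, which is worth confirming against how the evaluator treats an empty variable. The `^.*$` filename pattern intentionally covers every entry in the directory, including rotated logs and any subdirectory, and so matches what the bash remediation's glob touches.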
32 changes: 32 additions & 0 deletions
linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/rule.yml
@@ -0,0 +1,32 @@ | ||
documentation_complete: true | ||
|
||
title: 'System Audit Logs Must Have Mode 0600 or Less Permissive' | ||
|
||
description: |- | ||
Determine where the audit logs are stored with the following command: | ||
<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf | ||
log_file = /var/log/audit/audit.log</pre> | ||
Using the path of the directory containing the audit logs, determine | ||
if the audit log files have a mode of "600" or less by using the following command: | ||
<pre>$ sudo stat -c "%n %a" /var/log/audit/*</pre> | ||
rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.' | ||
|
||
severity: medium | ||
|
||
references: | ||
srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028 | ||
stigid@ubuntu2204: UBTU-22-653045 | ||
|
||
fixtext: |- | ||
Configure correct permissions of system audit logs. | ||
Determine the location of the system audit logs: | ||
<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf | ||
Using the path of the directory containing the audit logs, | ||
configure the audit log files to have a mode of "0600" or | ||
less permissive by using the following command: | ||
<pre>$ sudo chmod 0600 /var/log/audit/*</pre> | ||
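Review bot: The `<pre>` opened in the fixtext on the `$ sudo grep -iw log_file` line is never closed, unlike the same command in the description, so the rendered guide will swallow the following sentences into the preformatted block; change it to `<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf</pre>`. The fixtext then asks the reader to use the configured directory but shows `chmod 0600 /var/log/audit/*` for the default location only; a short phrase such as `(substitute the directory reported by the grep above)` keeps it consistent with the remediation script, which derives the directory from `log_file`.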
12 changes: 12 additions & 0 deletions
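--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/common.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/common.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+sed -i "/^\s*log_file.*/d" /etc/audit/auditd.conf
+
+FILE1=/var/log/audit/audit.log
+FILE2=/var/log/audit2/audit.log
+FILE3=/var/log/audit2/audit.log.1
+
+for f in $FILE1 $FILE2 $FILE3; do
+mkdir -p $(dirname $f)
+touch $f
+done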
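Review bot: The fixture loop on the `for f in $FILE1 $FILE2 $FILE3` line and the two commands inside it expand every variable unquoted; the paths are fixed here, but this file is sourced by every scenario, so quoting keeps it safe if a scenario later points these at other paths: `for f in "$FILE1" "$FILE2" "$FILE3"; do` / `mkdir -p "$(dirname "$f")"` / `touch "$f"`. The `sed -i` only deletes a lowercase `log_file` key, while the remediation's grep matches case-insensitively; if a test image ever ships the key in another case, the default-location scenarios would run with `log_file` still set and check the wrong directory. The script also never enables `set -e`, so a failing `sed` or `mkdir` would let the scenario continue against an unprepared system; a header comment stating that the three files are created and `log_file` is removed would help readers of the scenarios that source it.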
11 changes: 11 additions & 0 deletions
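--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/correct_value.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = audit
+
+source common.sh
+
+echo "log_file = ${FILE2}" >> /etc/audit/auditd.conf
+
+chmod 0640 ${FILE1}
+chmod 0600 ${FILE2}
+chmod 0600 ${FILE3}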
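Review bot: The `chmod 0640 ${FILE1}` line and the two after it leave the expansions unquoted; since the `${FILE1}` brace form is already used, `chmod 0640 "${FILE1}"` is the idiomatic spelling, and the same applies to the chmod lines in correct_value_default_file.pass.sh, incorrect_value.fail.sh, incorrect_value2.fail.sh and incorrect_value_default_file.fail.sh. This scenario also relies on `common.sh` having deleted any existing `log_file` line before the `echo ... >>` append; a one-line comment such as `# common.sh removed log_file above; point it at the non-default directory` would make that ordering explicit for the fail scenarios that repeat it.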
9 changes: 9 additions & 0 deletions
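--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/correct_value_default_file.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/correct_value_default_file.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = audit
+
+source common.sh
+
+chmod 0600 ${FILE1}
+chmod 0640 ${FILE2}
+chmod 0640 ${FILE3}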
11 changes: 11 additions & 0 deletions
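--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = audit
+
+source common.sh
+
+echo "log_file = ${FILE2}" >> /etc/audit/auditd.conf
+
+chmod 0600 ${FILE1}
+chmod 0640 ${FILE2}
+chmod 0600 ${FILE3}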
11 changes: 11 additions & 0 deletions
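--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value2.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value2.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = audit
+
+source common.sh
+
+echo "log_file = ${FILE2}" >> /etc/audit/auditd.conf
+
+chmod 0600 ${FILE1}
+chmod 0600 ${FILE2}
+chmod 0640 ${FILE3}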
9 changes: 9 additions & 0 deletions
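--- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value_default_file.fail.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/tests/incorrect_value_default_file.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = audit
+
+source common.sh
+
+chmod 0640 ${FILE1}
+chmod 0600 ${FILE2}
+chmod 0600 ${FILE3}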