From 0e074f5040ffb4f55603dcd0b2ff94be6e7b5bf6 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Fri, 12 Apr 2024 14:57:05 +0200 Subject: [PATCH] Modify rule file_owner_system_journal Modified rule file_owner_system_journal to comply with UBTU-22-232090 (root must be owner of files in /var/log/journal/...) --- .../file_owner_system_journal/rule.yml | 50 +++++++++++++++++-- products/ubuntu2204/profiles/stig.profile | 4 +- 2 files changed, 48 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/logging/journald/file_owner_system_journal/rule.yml b/linux_os/guide/system/logging/journald/file_owner_system_journal/rule.yml index a36c6812380..e3cf5b3d74d 100644 --- a/linux_os/guide/system/logging/journald/file_owner_system_journal/rule.yml +++ b/linux_os/guide/system/logging/journald/file_owner_system_journal/rule.yml @@ -3,18 +3,49 @@ documentation_complete: true title: 'Verify Owner on the system journal' -description: '{{{ describe_file_owner(file="/var/log/journal/.*/system.journal", owner="root") }}}' +description: |- + {{%- if 'ubuntu' in product %}} + Verify the /run/log/journal and /var/log/journal files are owned by + "root" by using the following command: + 
+    $ sudo find /run/log/journal /var/log/journal  -type f -exec stat -c "%n %U" {} \;
+
+ If any output returned is not owned by "root", this is a finding. + {{%- else %}} + '{{{ describe_file_owner(file="/var/log/journal/.*/system.journal", owner="root") }}}' + {{%- endif %}} rationale: |- - RHCOS must protect system journal file from any type of unauthorized access by setting file ownership + {{%- if 'ubuntu' in product %}} + Only authorized personnel should be aware of errors and the details of the errors. + Error messages are an indicator of an organization's operational state or can + identify the operating system or platform. Additionally, personally identifiable + information (PII) and operational information must not be revealed through error + messages to unauthorized personnel or their designated representatives. + {{%- else %}} + RHCOS must protect system journal file from any type of unauthorized access by setting file ownership + {{%- endif %}} identifiers: - cce@rhcos4: CCE-87682-1 + cce@rhcos4: CCE-87682-1 severity: medium +fixtext: | + {{%- if 'ubuntu' in product %}} + Configure the system to set the appropriate ownership to the files + used by the systemd journal: + Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file: + 
+    z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
+
+ Restart the system for the changes to take effect. + {{%- endif %}} + references: - srg: SRG-APP-000118-CTR-000240 + disa: CCI-001314 + srg: SRG-APP-000118-CTR-000240 + stigid@ubuntu2204: UBTU-22-232090 ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/journal/.*/system.journal", owner="root") }}}' @@ -24,6 +55,17 @@ ocil: |- template: name: file_owner vars: + {{%- if 'ubuntu' in product %}} + filepath: + - /run/log/journal/ + - /var/log/journal/ + recursive: 'true' + file_regex: ^.*$ + fileuid: '0' + + {{%- else %}} filepath: ^/var/log/journal/.*/system.journal$ fileuid: '0' filepath_is_regex: "true" + + {{%- endif %}} diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile index ddf3fa32e35..ea18228145c 100644 --- a/products/ubuntu2204/profiles/stig.profile +++ b/products/ubuntu2204/profiles/stig.profile @@ -645,9 +645,9 @@ selections: - dir_groupowner_system_journal - ### TODO (rule needed) - # Analogous to file_ownership_var_log_audit + ### TODO (incomplete remediation - tmpfiles.d) # UBTU-22-232090 The Ubuntu operating system must configure the files used by the system journal to be owned by "root" + - file_owner_system_journal ### TODO (rule needed) # Analogous to file_group_ownership_var_log_audit