documentation_complete: true


title: 'Verify Permissions on the system journal'

description: |-
    {{%- if 'ubuntu' in product %}}
    Verify that every file under the /run/log/journal and /var/log/journal
    directories has a mode of "640" or less permissive by running the following command:
    <pre>
    $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %a" {} \;
    </pre>
    If any file is reported with a mode more permissive than "640" (a group-write bit
    or any permission bit for "other" set, e.g. "644" or "660"), this is a finding.
    Do not rely on a plain numeric comparison: "604" is numerically smaller than "640"
    but is world-readable and is still a finding.
    {{%- else %}}
    {{{ describe_file_permissions(file="/var/log/journal/.*/system.journal", perms="0640") }}}
    {{%- endif %}}

rationale: |-
    {{%- if 'ubuntu' in product %}}
    An operating system that provides too much information in error and log messages
    risks compromising the data and security of the system, so the structure and content
    of error messages need to be carefully considered by the organization. The systemd
    journal collects these messages, so its files must not be readable by users outside
    the "systemd-journal" group.
    {{%- else %}}
    RHCOS must protect the system journal files from any type of unauthorized access by setting file permissions.
    {{%- endif %}}

identifiers:
    cce@rhcos4: CCE-86509-7

severity: medium

# Remediation text is only defined for Ubuntu (STIG UBTU-22-232027, see references);
# every other product renders an empty fixtext here.
# NOTE(review): the tmpfiles.d line below only sets the mode of
# /var/log/journal/<machine-id>/system.journal (the %m specifier), whereas the
# Ubuntu check in the description/template enumerates every file under
# /run/log/journal and /var/log/journal. Archived journals, user journals and the
# runtime journal are therefore not covered by this remediation -- confirm against
# the STIG fix text before widening it.
# NOTE(review): per tmpfiles.d(5), a file in /etc/tmpfiles.d/ with the same basename
# as one in /usr/lib/tmpfiles.d/ replaces the packaged file entirely; "modify" should
# start from a copy of the packaged systemd.conf so its other entries stay in effect.
# Verify on the target release.
fixtext: |
    {{%- if 'ubuntu' in product %}}
    Configure the system to set the appropriate permissions to the files and directories
    used by the systemd journal:
    Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file:
    <pre>
    z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
    </pre>
    Restart the system for the changes to take effect.
    {{%- endif %}}

references:
    disa: CCI-001312
    srg: SRG-APP-000118-CTR-000240
    stigid@ubuntu2204: UBTU-22-232027

# Manual (OCIL) check. NOTE(review): unlike description/fixtext/template, these two
# entries are not product-conditional: they ask only about
# /var/log/journal/<machine-id>/system.journal, while the Ubuntu branch of the
# description and template checks every file under /run/log/journal and
# /var/log/journal. Consider adding the same Ubuntu guard used above so the manual
# check matches the automated one.
ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/journal/.*/system.journal", perms="-rw-r-----") }}}'

ocil: |-
    {{{ ocil_file_permissions(file="/var/log/journal/.*/system.journal", perms="-rw-r-----") }}}

# Automated check: the shared file_permissions template builds the check (and any
# remediation it provides) from the variables below.
template:
    name: file_permissions
    vars:
        {{%- if 'ubuntu' in product %}}
        # Ubuntu (STIG): every file under both journal directories, walked
        # recursively; the regex matches any file name.
        filepath:
            - /run/log/journal/
            - /var/log/journal/
        recursive: 'true'
        file_regex: ^.*$
        # Most permissive mode allowed -- the description phrases this as
        # "640 or less permissive".
        filemode: '0640'

        {{%- else %}}
        # Other products: only the active system journal. The path is a regex,
        # presumably because the per-machine directory name is not known at
        # build time.
        filepath: ^/var/log/journal/.*/system.journal$
        filemode: '0640'
        filepath_is_regex: "true"

        {{%- endif %}}