# SCAP Security Guide rule: files under /var/log must be mode 0640 or stricter.
# Keys suffixed with "@<product>" (e.g. "@sle15") appear to be product-specific
# values of the unsuffixed key — confirm against the build tooling.  The
# {{{ full_name }}} token in `rationale` is a build-time macro, expanded before
# this file is consumed as YAML.
documentation_complete: true


title: 'Verify permissions of log files'

# NOTE(review): the description and rationale below discuss the content of
# error messages (NIST SI-11), while the title, OCIL check and template in this
# file check file permissions under /var/log.  Wording kept as authored.
description: |-
    Any operating system providing too much information in error messages
    risks compromising the data and security of the structure, and content
    of error messages needs to be carefully considered by the organization.

    Organizations carefully consider the structure/content of error messages.
    The extent to which information systems are able to identify and handle
    error conditions is guided by organizational policy and operational
    requirements. Information that could be exploited by adversaries includes,
    for example, erroneous logon attempts with passwords entered by mistake
    as the username, mission/business information that can be derived from
    (if not stated explicitly by) information recorded, and personal
    information, such as account numbers, social security numbers, and credit
    card numbers.

rationale: |-
    The {{{ full_name }}} must generate error messages that provide information
    necessary for corrective actions without revealing information that could
    be exploited by adversaries.

severity: medium

# CCE identifiers, one per product this rule is built for.
identifiers:
    cce@sle12: CCE-92224-5
    cce@sle15: CCE-85755-7
    cce@slmicro5: CCE-93660-9

# Compliance mappings: CIS benchmark section, DISA CCI, NIST SP 800-53 controls,
# NIST CSF categories, SRG and per-product STIG rule IDs.
references:
    cis@sle12: 4.2.3
    cis@sle15: 4.2.3
    cis@slmicro5: 4.2.3
    cis@ubuntu2004: 4.2.3
    cis@ubuntu2204: 4.2.3
    disa: CCI-001312
    nist: SI-11(a),SI-11(b),SI-11.1(iii)
    nist-csf: PR.AC-4,PR.DS-5
    srg: SRG-OS-000205-GPOS-00083
    stigid@sle15: SLES-15-010340
    stigid@ubuntu2004: UBTU-20-010416
    stigid@ubuntu2204: UBTU-22-232026

# Text describing the failing condition of the manual (OCIL) check.
ocil_clause: 'not all log files have permission 640 or stricter'

# Manual check.  "-perm /137" matches a file if ANY of these bits is set:
# owner execute (0100), group write or execute (0030), other read/write/execute
# (0007) — i.e. anything looser than 0640 — so every file the command prints is
# a finding.  This matches ocil_clause ("640 or stricter"); the prose above the
# command says "set to 640", which is slightly narrower than what is checked.
ocil: |-
    Verify the operating system has all system log files under the
    <pre>/var/log</pre> directory with a permission set to 640,
    by using the following command:
    <pre>
    sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
    </pre>

# Automated check generated from the shared file_permissions template.
template:
    name: file_permissions
    vars:
        # Per-product exclusions: btmp/wtmp login records and lastlog are
        # skipped — presumably because these are group-accessible by design on
        # the products listed; confirm against each product's defaults.  Note
        # that sle12 has no exclusion entry here.
        excluded_files@sle15: ['*[bw]tmp', '*lastlog']
        excluded_files@slmicro5: ['*[bw]tmp', '*lastlog']
        excluded_files@ubuntu2004: ['history.log', 'eipp.log.xz', '*[bw]tmp', '*lastlog']
        excluded_files@ubuntu2204: ['history.log', 'eipp.log.xz', '*[bw]tmp', '*lastlog']
        # Every file name under filepath is in scope (subject to the exclusions).
        file_regex: '.*'
        # Quoted so the leading-zero octal is not read as an integer (0640 would
        # become 416 under YAML 1.1 implicit typing).
        filemode: '0640'
        filepath: /var/log/
        # Quoted: the template receives the literal string "true" rather than a
        # YAML boolean.  NOTE(review): there is no unsuffixed `recursive` key, so
        # any product not listed here falls back to the template's default.
        recursive@sle12: 'true'
        recursive@sle15: 'true'
        recursive@slmicro5: 'true'
        recursive@ubuntu2004: 'true'
        recursive@ubuntu2204: 'true'