Merge pull request #12737 from Mab879/adjust_filesystem_permissions

Adjust two filesystem permission rules to 600

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml

@@ -22,7 +22,7 @@
     path: "{{ item }}"
     create: True
     line: "-e 2"
-    mode: o-rwx
+    mode: g-rwx,o-rwx
   loop:
     - "/etc/audit/audit.rules"
     - "/etc/audit/rules.d/immutable.rules"

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh

@@ -21,4 +21,5 @@ do
 	echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
 	echo '-e 2' >> $AUDIT_FILE
 	chmod o-rwx $AUDIT_FILE
+	chmod g-rwx $AUDIT_FILE
 done

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml

@@ -16,6 +16,7 @@
     path: '/etc/audit/audit.rules'
     line: '--loginuid-immutable'
     regexp: '^\s*--loginuid-immutable\s*$'
+    mode: '0600'
     create: true
   when: auditctl_used is defined and auditctl_used.matched >= 1
 
@@ -33,6 +34,7 @@
         path: '/etc/audit/rules.d/immutable.rules'
         line: '--loginuid-immutable'
         regexp: '^\s*--loginuid-immutable\s*$'
+        mode: '0600'
         create: true
       when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched == 0
   when: auditctl_used is defined and auditctl_used.matched == 0

linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml

@@ -43,9 +43,10 @@
     path: /etc/audit/rules.d/privileged.rules
     line: "{{  item.rule  }}"
     regexp: "{{ item.regex }}"
+    mode: "0600"
     create: yes
   when:
-    - ('"auditd.service" in ansible_facts.services' or 
+    - ('"auditd.service" in ansible_facts.services' or
         '"augenrules.service" in ansible_facts.services')
   register: augenrules_audit_rules_privilege_function_update_result
   with_items: "{{ suid_audit_rules }}"
@@ -57,7 +58,7 @@
     regexp: "{{ item.regex }}"
     create: yes
   when:
-    - ('"auditd.service" in ansible_facts.services' or 
+    - ('"auditd.service" in ansible_facts.services' or
         '"augenrules.service" in ansible_facts.services')
   register: auditctl_audit_rules_privilege_function_update_result
   with_items: "{{ suid_audit_rules }}"

linux_os/guide/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml

@@ -23,6 +23,7 @@
   lineinfile:
     path: "{{ item }}"
     create: True
+    mode: "0600"
     line: "-f {{ var_audit_failure_mode }}"
   loop:
     - "/etc/audit/audit.rules"

linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Permissions on /etc/audit/rules.d/*.rules'
 
 description: |-
-    {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0640") }}}
+    {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0600") }}}
 
 
 rationale: |-
@@ -32,20 +32,20 @@ references:
     stigid@ubuntu2004: UBTU-20-010133
     stigid@ubuntu2204: UBTU-22-653065
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/audit/rules.d/*.rules", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/audit/rules.d/*.rules", perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/audit/rules.d/*.rules", perms="-rw-r-----") }}}
+    {{{ ocil_file_permissions(file="/etc/audit/rules.d/*.rules", perms="-rw-------") }}}
 
 fixtext: |-
-    {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0640") }}}
+    {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0600") }}}
 
-srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/audit/rules.d/*.rules", mode="0640")  }}}'
+srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/audit/rules.d/*.rules", mode="0600")  }}}'
 
 template:
     name: file_permissions
     vars:
       filepath: /etc/audit/rules.d/
       file_regex: ^.*rules$
       allow_stricter_permissions: "true"
-      filemode: '0640'
+      filemode: '0600'

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on /var/log/messages File'
 
 description: |-
-    {{{ describe_file_permissions(file="/var/log/messages", perms="0640") }}}
+    {{{ describe_file_permissions(file="/var/log/messages", perms="0600") }}}
 
 rationale: |-
     The <tt>/var/log/messages</tt> file contains logs of error messages in
@@ -22,18 +22,18 @@ references:
     stigid@ol8: OL08-00-010210
     stigid@rhel8: RHEL-08-010210
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/messages", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/messages", perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-r-----") }}}
+    {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-------") }}}
 
 template:
     name: file_permissions
     vars:
         filepath: /var/log/messages
-        filemode: '0640'
+        filemode: '0600'
 
 fixtext: |-
     {{{ fixtext_file_permissions("/var/log/messages", "0640") | indent(4) }}}
 
-srg_requirement: '{{{ srg_requirement_file_permission("/var/log/messages", "0640") }}}'
+srg_requirement: '{{{ srg_requirement_file_permission("/var/log/messages", "0600") }}}'

shared/macros/10-ansible.jinja

@@ -454,7 +454,7 @@ The following macro remediates one audit watch rule in :code:`/etc/audit/rules.d
     path: "{{ all_files[0] }}"
     line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}"
     create: yes
-    mode: '0640'
+    mode: '0600'
   when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
 {{%- endmacro %}}
 
@@ -484,7 +484,7 @@ The following macro remediates one audit watch rule in :code:`/etc/audit/audit.r
     state: present
     dest: /etc/audit/audit.rules
     create: yes
-    mode: '0640'
+    mode: '0600'
   when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
 {{%- endmacro %}}
 
@@ -577,7 +577,7 @@ The macro requires following parameters:
     path: '{{ audit_file }}'
     line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
     create: true
-    mode: o-rwx
+    mode: g-rwx,o-rwx
     state: present
   when: syscalls_found | length == 0
 {{%- endmacro %}}
@@ -654,7 +654,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
     path: '{{ audit_file }}'
     line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
     create: true
-    mode: o-rwx
+    mode: g-rwx,o-rwx
     state: present
   when: syscalls_found | length == 0
 {{%- endmacro %}}

shared/macros/10-bash.jinja

@@ -390,7 +390,7 @@ then
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -1765,7 +1765,7 @@ then
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 {{%- endif %}}

shared/templates/audit_file_contents/ansible.template

@@ -10,7 +10,7 @@
     )
 }}}
 
-- name: Remove any permissions from other group
-  file:
+- name: {{{ rule_title }}} - Remove any permissions from group and other
+  ansible.builtin.file:
     path: {{{ FILEPATH }}}
-    mode: o-rwx
+    mode: g-rwx,o-rwx