Completed /var/log group ownership checks

components/filesystem.yml

@@ -40,12 +40,17 @@ rules:
 - file_groupowner_etc_shells
 - file_groupowner_systemmap
 - file_groupowner_var_log
+- file_groupowner_var_log_apt
 - file_groupowner_var_log_auth
 - file_groupowner_var_log_cloud_init
+- file_groupowner_var_log_gdm
+- file_groupowner_var_log_gdm3
+- file_groupowner_var_log_journal
 - file_groupowner_var_log_lastlog
 - file_groupowner_var_log_localmessages
 - file_groupowner_var_log_messages
 - file_groupowner_var_log_secure
+- file_groupowner_var_log_sssd
 - file_groupowner_var_log_syslog
 - file_groupowner_var_log_waagent
 - file_groupowner_var_log_wbtmp
@@ -120,6 +125,7 @@ rules:
 - file_permissions_var_log_syslog
 - file_permissions_var_log_waagent
 - file_permissions_var_log_wbtmp
+- groupowner_local_var_log
 - mount_option_boot_efi_nosuid
 - mount_option_boot_noauto
 - mount_option_boot_nodev

controls/cis_ubuntu2404.yml

@@ -2425,12 +2425,17 @@ controls:
       - l1_server
       - l1_workstation
     rules:  
+      - file_groupowner_var_log_apt
       - file_groupowner_var_log_auth
       - file_groupowner_var_log_cloud_init
+      - file_groupowner_var_log_gdm
+      - file_groupowner_var_log_gdm3
+      - file_groupowner_var_log_journal
       - file_groupowner_var_log_lastlog
       - file_groupowner_var_log_localmessages
       - file_groupowner_var_log_messages
       - file_groupowner_var_log_secure
+      - file_groupowner_var_log_sssd
       - file_groupowner_var_log_syslog
       - file_groupowner_var_log_waagent
       - file_groupowner_var_log_wbtmp
@@ -2461,6 +2466,7 @@ controls:
       - file_permissions_var_log_syslog
       - file_permissions_var_log_waagent
       - file_permissions_var_log_wbtmp
+      - groupowner_local_var_log
       - owner_local_var_log
       - permissions_local_var_log
     status: automated

linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh

@@ -0,0 +1,13 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if getent group "adm" >/dev/null 2>&1; then
+    group="adm"
+else
+    group="root"
+fi
+
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -group root ! -group adm -name '*' ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)'  ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chgrp $group {} \;

linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml

@@ -0,0 +1,87 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Group owner of /var/log/* should be root or adm.") }}}
+    <criteria comment="Check group ownership of /var/log/*">
+     <criterion test_ref="test_group_ownership_var_log" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_object id="object_adm_gid" version="1" comment="gid of the dedicated adm group">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^adm:\w+:(\w+):.*</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable id="var_adm_gid" datatype="int" version="1"
+                  comment="Retrieve the gid of adm group">
+    <object_component item_field="subexpression" object_ref="object_adm_gid"/>
+  </local_variable>
+
+  <unix:file_test check="all" comment="/var/log/* group owner is root|adm"
+      id="test_group_ownership_var_log" state_operator="OR" version="1">
+    <unix:object object_ref="object_group_ownership_var_log" />
+    <unix:state state_ref="state_group_ownership_adm_var_log_auth_log"/>
+    <unix:state state_ref="state_group_ownership_root_var_log_auth_log"/>
+  </unix:file_test>
+  <unix:file_object comment="/var/log/*" id="object_group_ownership_var_log" version="1">
+    <unix:path>/var/log</unix:path>
+    <unix:filename operation="pattern match">.*</unix:filename>
+    <filter action="exclude">exclude_files_apt</filter>
+    <filter action="exclude">exclude_files_auth_log</filter>
+    <filter action="exclude">exclude_files_bwtmp</filter>
+    <filter action="exclude">exclude_files_cloudinit</filter>
+    <filter action="exclude">exclude_files_gdm</filter>
+    <filter action="exclude">exclude_files_journal</filter>
+    <filter action="exclude">exclude_files_lastlog</filter>
+    <filter action="exclude">exclude_files_localmessages</filter>
+    <filter action="exclude">exclude_files_messages</filter>
+    <filter action="exclude">exclude_files_secure</filter>
+    <filter action="exclude">exclude_files_sssd</filter>
+    <filter action="exclude">exclude_files_syslog</filter>
+    <filter action="exclude">exclude_files_waagent</filter>
+  </unix:file_object>
+  <unix:file_state id="state_group_ownership_adm_var_log_auth_log" version="1">
+    <unix:group_id datatype="int" operation="equals" var_ref="var_adm_gid"/>
+  </unix:file_state>
+  <unix:file_state id="state_group_ownership_root_var_log_auth_log" version="1">
+    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_apt" version="1">
+    <unix:path operation="pattern match">^.*apt</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_auth_log" version="1">
+    <unix:filename>auth.log</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_bwtmp" version="1">
+    <unix:filename operation="pattern match">^.*[bw]tmp((\.|-).*)?$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_cloudinit" version="1">
+    <unix:filename operation="pattern match">^.*cloud-init\.log.*</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_gdm" version="1" operator="AND">
+    <unix:path operation="pattern match">^.*gdm|gdm3</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_journal" version="1" operator="AND">
+    <unix:filename operation="pattern match">^.*\.journal.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_lastlog" version="1">
+    <unix:filename operation="pattern match">^.*lastlog.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_localmessages" version="1">
+    <unix:filename operation="pattern match">^.*localmessages.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_messages" version="1">
+    <unix:filename>messages</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_secure" version="1">
+    <unix:filename operation="pattern match">^.*secure.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_sssd" version="1" operator="AND">
+    <unix:path operation="pattern match">^.*(sssd|SSSD)$</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_syslog" version="1">
+    <unix:filename>syslog</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_waagent" version="1">
+    <unix:filename operation="pattern match">^.*waagent\.log.*$</unix:filename>
+  </unix:file_state>
+</def-group>

linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+
+title: 'Verify ownership of log files'
+
+description: |-
+    Any operating system providing too much information in error messages
+    risks compromising the data and security of the structure, and content
+    of error messages needs to be carefully considered by the organization.
+
+    Organizations carefully consider the structure/content of error messages.
+    The extent to which information systems are able to identify and handle
+    error conditions is guided by organizational policy and operational
+    requirements. Information that could be exploited by adversaries includes,
+    for example, erroneous logon attempts with passwords entered by mistake
+    as the username, mission/business information that can be derived from
+    (if not stated explicitly by) information recorded, and personal
+    information, such as account numbers, social security numbers, and credit
+    card numbers.
+
+rationale: |-
+    The {{{ full_name }}} must generate error messages that provide information
+    necessary for corrective actions without revealing information that could
+    be exploited by adversaries.
+
+severity: medium
+
+ocil_clause: 'not all log files owned by root or syslog'
+
+ocil: |-
+    Verify the operating system has all system log files under the
+    <pre>/var/log</pre> directory, that are not excluded, with a group owner set to root | adm,
+

linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+chgrp root /var/log/*
+mkdir -p /var/log/apt
+chgrp nogroup /var/log/apt
+touch /var/log/auth.log
+chgrp nogroup /var/log/auth.log
+touch /var/log/btmp.log
+touch /var/log/btmp.log.1
+touch /var/log/btmp.log-1
+chgrp nogroup /var/log/btmp*
+touch /var/log/wtmp.log
+touch /var/log/wtmp.log.1
+touch /var/log/wtmp.log-1
+chgrp nogroup /var/log/wtmp*
+touch /var/log/cloud-init.log
+touch /var/log/cloud-init.log.1
+chgrp nogroup /var/log/cloud-init.log*
+mkdir -p /var/log/gdm
+chgrp nogroup /var/log/gdm
+mkdir -p /var/log/gdm3
+chgrp nogroup /var/log/gdm3
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp nogroup /var/log/*.journal*
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp nogroup /var/log/lastlog*
+touch /var/log/localmessages
+touch /var/log/localmessages.1
+chgrp nogroup /var/log/localmessages*
+touch /var/log/messages
+chgrp nogroup /var/log/messages
+touch /var/log/secure
+chgrp nogroup /var/log/secure*
+mkdir -p /var/log/sssd
+chgrp nogroup /var/log/sssd
+touch /var/log/syslog
+chgrp nogroup /var/log/syslog
+touch /var/log/waagent.log
+touch /var/log/waagent.log.1
+chgrp nogroup /var/log/waagent.log*

linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp adm /var/log/test.log

linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp nogroup /var/log/test.log

linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp root /var/log/test.log

linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh

@@ -10,4 +10,4 @@ else
     username="root"
 fi
 
-find -L /var/log/ -maxdepth 1 -name '*' ! -name '*apt/*' ! -name 'auth.log' ! -name '*[bw]tmp' ! -name '*cloud-init' ! -name '*gdm' ! -name '*.journal' ! -name '*lastlog' ! -name '*localmessages' ! -name '*messages' ! -name 'secure' ! -name '*sssd|*SSSD' ! -name 'syslog' ! -name '*waagent'  -regextype posix-extended -regex '.*' -exec chown $username {} \;
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -user root ! -user syslog ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)'  ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chown $username {} \;

linux_os/guide/system/permissions/files/owner_local_var_log/tests/excluded_files.pass.sh

@@ -8,20 +8,28 @@ chown nobody /var/log/apt
 touch /var/log/auth.log
 chown nobody /var/log/auth.log
 touch /var/log/btmp.log
+touch /var/log/btmp.log.1
+touch /var/log/btmp.log-1
 chown nobody /var/log/btmp*
 touch /var/log/wtmp.log
+touch /var/log/wtmp.log.1
+touch /var/log/wtmp.log-1
 chown nobody /var/log/wtmp*
 touch /var/log/cloud-init.log
+touch /var/log/cloud-init.log.1
 chown nobody /var/log/cloud-init.log*
 mkdir -p /var/log/gdm
 chown nobody /var/log/gdm
 mkdir -p /var/log/gdm3
 chown nobody /var/log/gdm3
 touch /var/log/test.journal
+touch /var/log/test.journal~
 chown nobody /var/log/*.journal*
 touch /var/log/lastlog
+touch /var/log/lastlog.1
 chown nobody /var/log/lastlog*
 touch /var/log/localmessages
+touch /var/log/localmessages.1
 chown nobody /var/log/localmessages*
 touch /var/log/messages
 chown nobody /var/log/messages
@@ -32,4 +40,5 @@ chown nobody /var/log/sssd
 touch /var/log/syslog
 chown nobody /var/log/syslog
 touch /var/log/waagent.log
+touch /var/log/waagent.log.1
 chown nobody /var/log/waagent.log*

linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_syslog.pass.sh

@@ -2,6 +2,5 @@
 # platform = Ubuntu 24.04
 # packages = rsyslog
 
-id -u syslog || useradd -r -s /bin/false syslog || true
 touch /var/log/test.log
 chown syslog /var/log/test.log

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/bash/shared.sh

@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type d -regextype posix-extended -name 'apt' -exec chgrp adm {} \;

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/oval/shared.xml

@@ -0,0 +1,35 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Group owner of /var/log/apt should be root or adm.") }}}
+    <criteria comment="Check group ownership of /var/log/apt">
+     <criterion test_ref="test_group_ownership_var_log_apt" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_object id="object_adm_gid" version="1" comment="gid of the dedicated adm group">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^adm:\w+:(\w+):.*</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable id="var_adm_gid" datatype="int" version="1"
+                  comment="Retrieve the gid of adm group">
+    <object_component item_field="subexpression" object_ref="object_adm_gid"/>
+  </local_variable>
+
+  <unix:file_test check="all" comment="/var/log/apt group owner is root|adm"
+      id="test_group_ownership_var_log_apt" state_operator="OR" version="1">
+    <unix:object object_ref="object_group_ownership_var_log_apt" />
+    <unix:state state_ref="state_group_ownership_adm_var_log_apt"/>
+    <unix:state state_ref="state_group_ownership_root_var_log_apt"/>
+  </unix:file_test>
+  <unix:file_object comment="/var/log/apt" id="object_group_ownership_var_log_apt" version="1">
+    <unix:path>/var/log/apt</unix:path>
+    <unix:filename xsi:nil="true"/>
+  </unix:file_object>
+  <unix:file_state id="state_group_ownership_adm_var_log_apt" version="1">
+    <unix:group_id datatype="int" operation="equals" var_ref="var_adm_gid"/>
+  </unix:file_state>
+  <unix:file_state id="state_group_ownership_root_var_log_apt" version="1">
+    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+  </unix:file_state>
+ </def-group>

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/rule.yml

@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/apt Directory'
+
+description: '{{{ describe_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+rationale: |-
+    The <tt>/var/log/apt</tt> directory contains information about APT
+    and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/var/log/apt", group="root|adm") }}}

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_adm.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp adm /var/log/apt

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_nogroup.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp nogroup /var/log/apt

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_root.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp root /var/log/apt

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/bash/shared.sh

@@ -3,4 +3,4 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-chgrp adm /var/log/auth
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -name 'auth.log' -exec chgrp adm {} \;

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/oval/shared.xml

@@ -23,7 +23,7 @@
     <unix:state state_ref="state_group_ownership_root_var_log_auth"/>
   </unix:file_test>
   <unix:file_object comment="/var/log/auth" id="object_group_ownership_var_log_auth" version="1">
-    <unix:filepath>/var/log/auth</unix:filepath>
+    <unix:filepath>/var/log/auth.log</unix:filepath>
   </unix:file_object>
   <unix:file_state id="state_group_ownership_adm_var_log_auth" version="1">
     <unix:group_id datatype="int" operation="equals" var_ref="var_adm_gid"/>