diff --git a/components/filesystem.yml b/components/filesystem.yml
index b2c0d2300c5..0b1f4f652d3 100644
--- a/components/filesystem.yml
+++ b/components/filesystem.yml
@@ -40,8 +40,20 @@ rules:
- file_groupowner_etc_shells
- file_groupowner_systemmap
- file_groupowner_var_log
+- file_groupowner_var_log_apt
+- file_groupowner_var_log_auth
+- file_groupowner_var_log_cloud_init
+- file_groupowner_var_log_gdm
+- file_groupowner_var_log_gdm3
+- file_groupowner_var_log_journal
+- file_groupowner_var_log_lastlog
+- file_groupowner_var_log_localmessages
- file_groupowner_var_log_messages
+- file_groupowner_var_log_secure
+- file_groupowner_var_log_sssd
- file_groupowner_var_log_syslog
+- file_groupowner_var_log_waagent
+- file_groupowner_var_log_wbtmp
- file_groupownership_audit_binaries
- file_groupownership_system_commands_dirs
- file_owner_backup_etc_group
@@ -58,8 +70,19 @@ rules:
- file_owner_etc_shadow
- file_owner_systemmap
- file_owner_var_log
+- file_owner_var_log_auth
+- file_owner_var_log_cloud_init
+- file_owner_var_log_gdm
+- file_owner_var_log_gdm3
+- file_owner_var_log_journal
+- file_owner_var_log_lastlog
+- file_owner_var_log_localmessages
- file_owner_var_log_messages
+- file_owner_var_log_secure
+- file_owner_var_log_sssd
- file_owner_var_log_syslog
+- file_owner_var_log_waagent
+- file_owner_var_log_wbtmp
- file_ownership_audit_binaries
- file_ownership_binary_dirs
- file_ownership_library_dirs
@@ -89,8 +112,20 @@ rules:
- file_permissions_unauthorized_world_writable
- file_permissions_ungroupowned
- file_permissions_var_log
+- file_permissions_var_log_apt
+- file_permissions_var_log_auth
+- file_permissions_var_log_cloud-init
+- file_permissions_var_log_gdm
+- file_permissions_var_log_gdm3
+- file_permissions_var_log_lastlog
+- file_permissions_var_log_localmessages
- file_permissions_var_log_messages
+- file_permissions_var_log_secure
+- file_permissions_var_log_sssd
- file_permissions_var_log_syslog
+- file_permissions_var_log_waagent
+- file_permissions_var_log_wbtmp
+- groupowner_local_var_log
- mount_option_boot_efi_nosuid
- mount_option_boot_noauto
- mount_option_boot_nodev
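Review bot: `file_permissions_var_log_cloud-init` (third hunk) is the only rule id in these lists spelled with a hyphen; the sibling entries added in the first and second hunks are `file_groupowner_var_log_cloud_init` and `file_owner_var_log_cloud_init`, and every other id in the file uses underscores only. A rule id must match its rule directory name, so either this entry or the permissions rule's directory is mis-spelled relative to the other two, and `file_permissions_var_log_cloud_init` would bring the three into line; the same hyphenated id is repeated in controls/cis_ubuntu2404.yml in this change. Separately, the permissions list has no `journal` entry although the groupowner and owner lists do, and the owner list has no `apt` entry — worth confirming those gaps are intentional rather than missed.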
@@ -132,6 +167,7 @@ rules:
- mount_option_var_tmp_noexec
- mount_option_var_tmp_nosuid
- no_files_unowned_by_user
+- owner_local_var_log
- partition_for_boot
- partition_for_dev_shm
- partition_for_home
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 4f282614315..7efa9ba8fdc 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2433,10 +2433,52 @@ controls:
levels:
- l1_server
- l1_workstation
- related_rules:
+ rules:
+ - file_groupowner_var_log_apt
+ - file_groupowner_var_log_auth
+ - file_groupowner_var_log_cloud_init
+ - file_groupowner_var_log_gdm
+ - file_groupowner_var_log_gdm3
+ - file_groupowner_var_log_journal
+ - file_groupowner_var_log_lastlog
+ - file_groupowner_var_log_localmessages
+ - file_groupowner_var_log_messages
+ - file_groupowner_var_log_secure
+ - file_groupowner_var_log_sssd
+ - file_groupowner_var_log_syslog
+ - file_groupowner_var_log_waagent
+ - file_groupowner_var_log_wbtmp
+ - file_owner_var_log_auth
+ - file_owner_var_log_cloud_init
+ - file_owner_var_log_gdm
+ - file_owner_var_log_gdm3
+ - file_owner_var_log_journal
+ - file_owner_var_log_lastlog
+ - file_owner_var_log_localmessages
+ - file_owner_var_log_messages
+ - file_owner_var_log_secure
+ - file_owner_var_log_sssd
+ - file_owner_var_log_syslog
+ - file_owner_var_log_waagent
+ - file_owner_var_log_wbtmp
+ - file_permissions_var_log_apt
+ - file_permissions_var_log_auth
+ - file_permissions_var_log_cloud-init
+ - file_permissions_var_log_gdm
+ - file_permissions_var_log_gdm3
+ - file_permissions_var_log_lastlog
+ - file_permissions_var_log_cloud-init
+ - file_permissions_var_log_localmessages
+ - file_permissions_var_log_messages
+ - file_permissions_var_log_secure
+ - file_permissions_var_log_sssd
+ - file_permissions_var_log_syslog
+ - file_permissions_var_log_waagent
+ - file_permissions_var_log_wbtmp
+ - groupowner_local_var_log
+ - owner_local_var_log
- permissions_local_var_log
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/4.2.3.
+ status: automated
- id: 6.2.1.1
title: Ensure auditd packages are installed (Automated)
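Review bot: `file_permissions_var_log_cloud-init` is listed twice in the new `rules` block (once after `file_permissions_var_log_auth`, again after `file_permissions_var_log_lastlog`); the second entry should be removed. The control moves from `status: planned` to `status: automated` while keeping `permissions_local_var_log`, whose existing implementation the deleted note described as partial/incorrect — presumably the `excluded_files@ubuntu2404` change elsewhere in this commit is what closes that gap, and a one-line `notes:` entry saying so would preserve the context the removed TODO carried.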
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh
new file mode 100644
index 00000000000..7446a00b8f6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if getent group "adm" >/dev/null 2>&1; then
+ group="adm"
+else
+ group="root"
+fi
+
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -group root ! -group adm -name '*' ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)' ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chgrp $group {} \;
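Review bot: `! -path '/var/log/apt/*'` on the `find` line can never match under `-maxdepth 1` — the only apt entry at that depth is the directory `/var/log/apt` itself, which the pattern does not cover, so this script re-groups the directory that the OVAL check deliberately excludes via `exclude_files_apt`; `! -name 'apt'` would keep remediation and check aligned, and the same kind of drift exists between the bash `.*lastlog(\.[^\/]+)?$` / `.*waagent.log(.*)` (unescaped dot) and the OVAL `^.*lastlog.*$` / `^.*waagent\.log.*$`. Because the walk uses `find -L` and `chgrp` dereferences by default, a symlink placed in /var/log would have its target's group changed rather than the link itself — `chgrp -h "$group"` (quoted) keeps the change inside /var/log. `-name '*'` and the trailing `-regex '.*'` are no-ops and can be dropped, and `-exec … {} +` avoids one fork per file. The same points apply to owner_local_var_log/bash/shared.sh with `chown -h "$username"`.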
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml
new file mode 100644
index 00000000000..20c91db17aa
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml
@@ -0,0 +1,87 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/* should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log
+ .*
+ exclude_files_apt
+ exclude_files_auth_log
+ exclude_files_bwtmp
+ exclude_files_cloudinit
+ exclude_files_gdm
+ exclude_files_journal
+ exclude_files_lastlog
+ exclude_files_localmessages
+ exclude_files_messages
+ exclude_files_secure
+ exclude_files_sssd
+ exclude_files_syslog
+ exclude_files_waagent
+
+
+
+
+
+ 0
+
+
+ ^.*apt
+
+
+ auth.log
+
+
+ ^.*[bw]tmp((\.|-).*)?$
+
+
+ ^.*cloud-init\.log.*
+
+
+ ^.*gdm|gdm3
+
+
+ ^.*\.journal.*$
+
+
+ ^.*lastlog.*$
+
+
+ ^.*localmessages.*$
+
+
+ messages
+
+
+ ^.*secure.*$
+
+
+ ^.*(sssd|SSSD)$
+
+
+ syslog
+
+
+ ^.*waagent\.log.*$
+
+
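Review bot: Several of the exclusion filter patterns are unanchored or over-broad, assuming they are `pattern match` states as the `.*` filename pattern on the object suggests (the stripped markup here does not show the operation): `^.*apt` excludes every filename containing `apt`, `^.*gdm|gdm3` parses as `(^.*gdm)|(gdm3)` so the alternation spans the whole pattern, and bare `messages`, `syslog`, `auth.log` match as substrings (`auth.log` also has an unescaped dot). Any log whose name happens to contain one of those fragments silently drops out of the ownership check. Anchoring each state to the exact names — `^apt$`, `^auth\.log$`, `^(gdm|gdm3)$`, `^messages$`, `^syslog$` — limits the filter to the files the per-file rules cover. The same patterns are in owner_local_var_log/oval/shared.xml.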
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml
new file mode 100644
index 00000000000..ac9dc0da084
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+
+title: 'Verify ownership of log files'
+
+description: |-
+ Any operating system providing too much information in error messages
+ risks compromising the data and security of the structure, and content
+ of error messages needs to be carefully considered by the organization.
+
+ Organizations carefully consider the structure/content of error messages.
+ The extent to which information systems are able to identify and handle
+ error conditions is guided by organizational policy and operational
+ requirements. Information that could be exploited by adversaries includes,
+ for example, erroneous logon attempts with passwords entered by mistake
+ as the username, mission/business information that can be derived from
+ (if not stated explicitly by) information recorded, and personal
+ information, such as account numbers, social security numbers, and credit
+ card numbers.
+
+rationale: |-
+ The {{{ full_name }}} must generate error messages that provide information
+ necessary for corrective actions without revealing information that could
+ be exploited by adversaries.
+
+severity: medium
+
+ocil_clause: 'not all log files owned by root or syslog'
+
+ocil: |-
+ Verify the operating system has all system log files under the
+
/var/log
directory, that are not excluded, with a group owner set to root | adm,
+
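Review bot: The `ocil_clause` says `'not all log files owned by root or syslog'`, but this rule (and its OVAL metadata) checks for a group of root or adm; it should read `'not all log files group-owned by root or adm'`. The description and rationale discuss the content of error messages, which has no bearing on what the rule checks (group ownership of entries directly under /var/log) — a short description of the check and its exclusion list, in the style of `describe_file_group_owner` used by the per-file rules, would serve readers better. The title 'Verify ownership of log files' is also identical to the owner_local_var_log title, so the two are indistinguishable in reports; 'Verify Group Who Owns Log Files' would disambiguate. The description/rationale point applies equally to owner_local_var_log/rule.yml.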
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh
new file mode 100644
index 00000000000..8cfdf05e84f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+chgrp root /var/log/*
+mkdir -p /var/log/apt
+chgrp nogroup /var/log/apt
+touch /var/log/auth.log
+chgrp nogroup /var/log/auth.log
+touch /var/log/btmp.log
+touch /var/log/btmp.log.1
+touch /var/log/btmp.log-1
+chgrp nogroup /var/log/btmp*
+touch /var/log/wtmp.log
+touch /var/log/wtmp.log.1
+touch /var/log/wtmp.log-1
+chgrp nogroup /var/log/wtmp*
+touch /var/log/cloud-init.log
+touch /var/log/cloud-init.log.1
+chgrp nogroup /var/log/cloud-init.log*
+mkdir -p /var/log/gdm
+chgrp nogroup /var/log/gdm
+mkdir -p /var/log/gdm3
+chgrp nogroup /var/log/gdm3
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp nogroup /var/log/*.journal*
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp nogroup /var/log/lastlog*
+touch /var/log/localmessages
+touch /var/log/localmessages.1
+chgrp nogroup /var/log/localmessages*
+touch /var/log/messages
+chgrp nogroup /var/log/messages
+touch /var/log/secure
+chgrp nogroup /var/log/secure*
+mkdir -p /var/log/sssd
+chgrp nogroup /var/log/sssd
+touch /var/log/syslog
+chgrp nogroup /var/log/syslog
+touch /var/log/waagent.log
+touch /var/log/waagent.log.1
+chgrp nogroup /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..9589f5fdde4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp adm /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..ac052d18dfd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp nogroup /var/log/test.log
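Review bot: The file is named `owned_by_nobody.fail.sh` but it sets the group to `nogroup` (`chgrp nogroup /var/log/test.log`); the per-file rules in this change name the equivalent scenario `owned_by_nogroup.fail.sh`, so renaming this one keeps the test names consistent and accurate. The `owned_by_nobody` name is correct for the owner_local_var_log rule, whose test uses `chown nobody`.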
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..89bd07ab748
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp root /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh
new file mode 100644
index 00000000000..749384310e1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if id "syslog" >/dev/null 2>&1; then
+ username="syslog"
+else
+ username="root"
+fi
+
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -user root ! -user syslog ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)' ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chown $username {} \;
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/owner_local_var_log/oval/shared.xml
new file mode 100644
index 00000000000..82a453d5508
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/oval/shared.xml
@@ -0,0 +1,84 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/* should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log
+ .*
+ exclude_files_apt
+ exclude_files_auth_log
+ exclude_files_bwtmp
+ exclude_files_cloudinit
+ exclude_files_gdm
+ exclude_files_journal
+ exclude_files_lastlog
+ exclude_files_localmessages
+ exclude_files_messages
+ exclude_files_secure
+ exclude_files_sssd
+ exclude_files_syslog
+ exclude_files_waagent
+
+
+
+
+
+ 0
+
+
+ ^.*apt
+
+
+ auth.log
+
+
+ ^.*[bw]tmp((\.|-).*)?$
+
+
+ ^.*cloud-init\.log.*
+
+
+ ^.*gdm|gdm3
+
+
+ ^.*\.journal.*$
+
+
+ ^.*lastlog.*$
+
+
+ ^.*localmessages.*$
+
+
+ messages
+
+
+ ^.*secure.*$
+
+
+ ^.*(sssd|SSSD)$
+
+
+ syslog
+
+
+ ^.*waagent\.log.*$
+
+
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/owner_local_var_log/rule.yml
new file mode 100644
index 00000000000..dc899f97aa6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+
+title: 'Verify ownership of log files'
+
+description: |-
+ Any operating system providing too much information in error messages
+ risks compromising the data and security of the structure, and content
+ of error messages needs to be carefully considered by the organization.
+
+ Organizations carefully consider the structure/content of error messages.
+ The extent to which information systems are able to identify and handle
+ error conditions is guided by organizational policy and operational
+ requirements. Information that could be exploited by adversaries includes,
+ for example, erroneous logon attempts with passwords entered by mistake
+ as the username, mission/business information that can be derived from
+ (if not stated explicitly by) information recorded, and personal
+ information, such as account numbers, social security numbers, and credit
+ card numbers.
+
+rationale: |-
+ The {{{ full_name }}} must generate error messages that provide information
+ necessary for corrective actions without revealing information that could
+ be exploited by adversaries.
+
+severity: medium
+
+ocil_clause: 'not all log files owned by root or syslog'
+
+ocil: |-
+ Verify the operating system has all system log files under the
+ /var/log
directory, that are not excluded, with an owner set to root | syslog,
+
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/tests/excluded_files.pass.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/excluded_files.pass.sh
new file mode 100644
index 00000000000..78c18db16cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/excluded_files.pass.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+chown root /var/log/*
+mkdir -p /var/log/apt
+chown nobody /var/log/apt
+touch /var/log/auth.log
+chown nobody /var/log/auth.log
+touch /var/log/btmp.log
+touch /var/log/btmp.log.1
+touch /var/log/btmp.log-1
+chown nobody /var/log/btmp*
+touch /var/log/wtmp.log
+touch /var/log/wtmp.log.1
+touch /var/log/wtmp.log-1
+chown nobody /var/log/wtmp*
+touch /var/log/cloud-init.log
+touch /var/log/cloud-init.log.1
+chown nobody /var/log/cloud-init.log*
+mkdir -p /var/log/gdm
+chown nobody /var/log/gdm
+mkdir -p /var/log/gdm3
+chown nobody /var/log/gdm3
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chown nobody /var/log/*.journal*
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chown nobody /var/log/lastlog*
+touch /var/log/localmessages
+touch /var/log/localmessages.1
+chown nobody /var/log/localmessages*
+touch /var/log/messages
+chown nobody /var/log/messages
+touch /var/log/secure
+chown nobody /var/log/secure*
+mkdir -p /var/log/sssd
+chown nobody /var/log/sssd
+touch /var/log/syslog
+chown nobody /var/log/syslog
+touch /var/log/waagent.log
+touch /var/log/waagent.log.1
+chown nobody /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..5e849fbb808
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chown nobody /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..3f045ec704c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chown root /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..e032ab3cf24
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/owner_local_var_log/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chown syslog /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
index 45e90dfb3a6..2dceab60fc0 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -61,6 +61,7 @@ template:
excluded_files@slmicro5: ['*[bw]tmp', '*lastlog']
excluded_files@ubuntu2004: ['history.log', 'eipp.log.xz', '*[bw]tmp', '*lastlog']
excluded_files@ubuntu2204: ['history.log', 'eipp.log.xz', '*[bw]tmp', '*lastlog']
+ excluded_files@ubuntu2404: ['*[bw]tmp', '*lastlog', '*cloud-init', '*localmessages', '*waagent', '*sssd|*SSSD', '*gdm', '*apt/*']
file_regex: '.*'
filemode: '0640'
filepath: /var/log/
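Review bot: The new `excluded_files@ubuntu2404` entries mix styles that are unlikely to all work under one expansion: the existing entries for other platforms are shell-style globs (`*[bw]tmp`, `*lastlog`), but `'*sssd|*SSSD'` uses a regex alternation that glob matching treats as a literal `|`, and `'*cloud-init'`, `'*waagent'` and `'*gdm'` are suffix-only, so if the template applies them as `find -name` globs they would not match `cloud-init.log`, `waagent.log` or `gdm3`. It is worth checking the rendered bash and OVAL for this rule and, if the globs are used as written, changing them to `'*sssd'`, `'*SSSD'`, `'cloud-init.log*'`, `'waagent.log*'`, `'gdm*'`. `'*apt/*'` likewise only matches a path below apt, not the `apt` directory entry that the new owner/groupowner rules exclude, unless the template walks recursively.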
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/bash/shared.sh
new file mode 100644
index 00000000000..83fadb8c36c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type d -regextype posix-extended -name 'apt' -exec chgrp adm {} \;
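Review bot: `-regextype posix-extended` is set but no `-regex` test follows it, so the option is dead on this line; the same is true in file_groupowner_var_log_auth and file_groupowner_var_log_gdm. The target group is hardcoded as `chgrp adm` with no `getent group adm` fallback to root like groupowner_local_var_log/bash/shared.sh uses, so on a host without `adm` the remediation fails where the check would have accepted root. Pulling the same `if getent group "adm"` block in here and using `chgrp "$group"` keeps the two scripts consistent.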
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/oval/shared.xml
new file mode 100644
index 00000000000..44ef6802a54
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/oval/shared.xml
@@ -0,0 +1,35 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/apt should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/apt
+
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/rule.yml
new file mode 100644
index 00000000000..b414256c4cf
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/apt Directory'
+
+description: '{{{ describe_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/apt directory contains information about APT
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/apt", group="root|adm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..d01c42a961d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp adm /var/log/apt
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..b117e976162
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp nogroup /var/log/apt
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..3988f2d423f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_apt/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+mkdir -p /var/log/apt
+chgrp root /var/log/apt
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/bash/shared.sh
new file mode 100644
index 00000000000..065457bdcd1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -name 'auth.log' -exec chgrp adm {} \;
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/oval/shared.xml
new file mode 100644
index 00000000000..ba493980396
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/auth should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/auth.log
+
+
+
+
+
+ 0
+
+
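Review bot: The `oval_metadata` string says `/var/log/auth` while the object tested is `/var/log/auth.log`; it should read `"Group owner of /var/log/auth.log should be root or adm."` so the generated report names the actual file. The rule.yml title and OCIL for this rule already use `auth.log`.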
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/rule.yml
new file mode 100644
index 00000000000..d4adc023d7f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/auth.log File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/auth.log", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/auth.log file contains records information about user
+ login attempts and authentication processes and should only be accessed by
+ authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/auth.log", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/auth.log", group="root|adm") }}}
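Review bot: The rationale reads `contains records information about user login attempts`, which doubles up `records`/`information`; `The /var/log/auth.log file records information about user login attempts and authentication processes and should only be accessed by authorized personnel.` reads cleanly. This is the only wording issue in the file.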
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..1b523c68fb5
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chgrp adm /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..2aa944fbf66
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chgrp nogroup /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..518a2ad404d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_auth/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chgrp root /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/bash/shared.sh
new file mode 100644
index 00000000000..8ded9fb24c0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -regex '.*cloud-init.log(.*)' -exec chgrp adm {} \;
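Review bot: `-regex '.*cloud-init.log(.*)'` leaves the dot before `log` unescaped, so it matches any character there, and the capturing group adds nothing; `-regex '.*cloud-init\.log.*'` says what is meant. The OVAL object in this rule uses the same unescaped form (`/var/log/cloud-init.log(.*)`), so escaping it there too keeps check and fix aligned.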
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/oval/shared.xml
new file mode 100644
index 00000000000..1130e282962
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/cloud-init.log should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/cloud-init.log(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/rule.yml
new file mode 100644
index 00000000000..806de152a55
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/cloud-init.log File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/cloud-init.log", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/cloud-init.log file contains detailed debugging information that
+ helps users troubleshoot cloud-init and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/cloud-init.log", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/cloud-init.log", group="root|adm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..0931f657de4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chgrp adm /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..02858735fd2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chgrp nogroup /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..23cbd33649d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_cloud_init/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chgrp root /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/bash/shared.sh
new file mode 100644
index 00000000000..af9234cd665
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group gdm -type d -regextype posix-extended -name 'gdm' -exec chgrp gdm {} \;
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/oval/shared.xml
new file mode 100644
index 00000000000..fd017094d14
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/oval/shared.xml
@@ -0,0 +1,35 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/gdm should be root or gdm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^gdm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/gdm
+
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/rule.yml
new file mode 100644
index 00000000000..24f30c350ea
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/gdm Directory'
+
+description: '{{{ describe_file_group_owner(file="/var/log/gdm", group="root|gdm") }}}'
+
+rationale: |-
+ The /var/log/gdm directory contains information about the GDM daemon
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/gdm", group="root|gdm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/gdm", group="root|gdm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_gdm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_gdm.pass.sh
new file mode 100644
index 00000000000..eb4a13eb4ed
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_gdm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm
+
+mkdir -p /var/log/gdm
+chgrp gdm /var/log/gdm
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..edd8cec8f48
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm
+
+mkdir -p /var/log/gdm
+chgrp nogroup /var/log/gdm
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..1491b301906
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm
+
+mkdir -p /var/log/gdm
+chgrp root /var/log/gdm
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/bash/shared.sh
new file mode 100644
index 00000000000..7cdcd09fa9f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group gdm -type d -regextype posix-extended -name 'gdm3' -exec chgrp gdm {} \;
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/oval/shared.xml
new file mode 100644
index 00000000000..ffb6d779b5e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/oval/shared.xml
@@ -0,0 +1,35 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/gdm3 should be root or gdm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^gdm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/gdm3
+
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/rule.yml
new file mode 100644
index 00000000000..7e074ef4286
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/gdm3 Directory'
+
+description: '{{{ describe_file_group_owner(file="/var/log/gdm3", group="root|gdm") }}}'
+
+rationale: |-
+ The /var/log/gdm3 directory stores information about the GNOME Display Manager (GDM)
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/gdm3", group="root|gdm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/gdm3", group="root|gdm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_gdm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_gdm.pass.sh
new file mode 100644
index 00000000000..8605f999cc0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_gdm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm3
+
+mkdir -p /var/log/gdm3
+chgrp gdm /var/log/gdm3
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..049ab198cb9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm3
+
+mkdir -p /var/log/gdm3
+chgrp nogroup /var/log/gdm3
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..151e0d68a3d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_gdm3/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = gdm3
+
+mkdir -p /var/log/gdm3
+chgrp root /var/log/gdm3
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/bash/shared.sh
new file mode 100644
index 00000000000..fffcdaf40b9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group systemd-journal -type f -regextype posix-extended -regex ".*\.journal[~]?" -exec chgrp systemd-journal {} \;
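Review bot: The remediation only inspects files directly under `/var/log/` (`-maxdepth 1`), so it cannot touch anything under a subdirectory; if the rule is meant to cover persistent journal files that live below `/var/log/journal/`, the depth limit will need raising, and if it is intentionally limited to the top level a comment such as `# only top-level /var/log/*.journal and *.journal~ are in scope` would document that. The `-regex ".*\.journal[~]?"` pattern is unanchored at the start, which is fine here because find matches the whole path, but `[~]?` is just `~?`.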
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/oval/shared.xml
new file mode 100644
index 00000000000..d76b924f00d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/*.journal-* should be root or systemd-journal.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^systemd-journal:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/.*\.journal(~)?$
+
+
+
+
+
+ 0
+
+
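Review bot: The metadata description `/var/log/*.journal-*` does not match what the check actually evaluates, which is the pattern `/var/log/.*\.journal(~)?$` a few lines below (a `~` suffix, not a `-` suffix), nor the rule title in rule.yml. Change it to `Group owner of /var/log/*.journal and /var/log/*.journal~ should be root or systemd-journal.` so the rendered guide and the OVAL agree. The surrounding XML element tags appear to have been stripped in this view, so the structure of the object/state definitions could not be reviewed.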
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/rule.yml
new file mode 100644
index 00000000000..c73b60a6310
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/rule.yml
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/*.journal(~) File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/*.journal(~)", group="root|systemd-journal") }}}'
+
+rationale: |-
+ The /var/log/*.journal(~) files are system logs managed by the "systemd" service.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/*.journal(~)", group="root|systemd-journal") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/*.journal(~)", group="root|systemd-journal") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..deface5d857
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = systemd
+
+
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp nogroup /var/log/test.journal
+chgrp nogroup /var/log/test.journal~
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..bb55e34be81
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_root.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = systemd
+
+
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp root /var/log/test.journal
+chgrp root /var/log/test.journal~
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_systemd-journal.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_systemd-journal.pass.sh
new file mode 100644
index 00000000000..b8a45e2f9ce
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_journal/tests/owned_by_systemd-journal.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = systemd
+
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp systemd-journal /var/log/test.journal
+chgrp systemd-journal /var/log/test.journal~
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/bash/shared.sh
new file mode 100644
index 00000000000..5034dd2a90e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+find -L /var/log/ -maxdepth 1 ! -group root ! -group utmp -type f -regextype posix-extended -regex '.*lastlog(\.[^\/]+)?$' -exec chgrp utmp {} \;
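Review bot: The header block is duplicated with two conflicting `# platform =` lines (`Ubuntu 24.04` on the first line and `multi_platform_all` on the sixth), plus repeated `reboot`/`strategy`/`complexity`/`disruption` keys. Which value the build takes presumably depends on the remediation-metadata parser, so the file should carry exactly one header; every sibling remediation in this series uses the five-line `# platform = Ubuntu 24.04` form, so delete lines six to ten. Leaving `multi_platform_all` in place could silently widen a rule whose check is Ubuntu-specific.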
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/oval/shared.xml
new file mode 100644
index 00000000000..99a6eead756
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/lastlog should be root or utmp.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^utmp:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/lastlog(\.[^\/]+)?
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/rule.yml
new file mode 100644
index 00000000000..abc4793f805
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/lastlog File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/lastlog", group="root|utmp") }}}'
+
+rationale: |-
+ The /var/log/lastlog file contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/lastlog", group="root|utmp") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/lastlog", group="root|utmp") }}}
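Review bot: The rationale sentence `The /var/log/lastlog file contains logs of reports the most recent login of all users` is garbled; suggest `The /var/log/lastlog file records the most recent login of every user` followed by the existing `and should only be accessed by authorized personnel.` clause. The rest of the rule reads consistently with the OVAL and bash content for this rule.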
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..1fa2f5abce4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp utmp /var/log/lastlog*
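Review bot: The file is named `owned_by_adm.pass.sh` but sets the group to `utmp`, which is the group the OVAL and remediation for this rule actually accept. Rename it to `owned_by_utmp.pass.sh` so the scenario name matches what it exercises; as written, someone grepping for an `adm` pass case will be misled. The `lastlog.1` rotated file is a good addition since the check pattern allows a dotted suffix.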
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..14ffe4e8841
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp nogroup /var/log/lastlog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..b3888368b0a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_lastlog/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp root /var/log/lastlog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/bash/shared.sh
new file mode 100644
index 00000000000..1c816c1ce52
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -regex '.*localmessages(.*)' -exec chgrp adm {} \;
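Review bot: `-regex '.*localmessages(.*)'` matches any top-level path that merely contains the substring `localmessages`, because find compares the regex against the whole path and both ends are open; the secure remediation at the `'.*secure(.*)'` line has the same shape and would also match a file such as `/var/log/insecure.log` (constructed example) and change its group. Anchoring the directory separator narrows it to the intended file and its rotations: `-regex '.*/localmessages(\..*)?$'` here and `-regex '.*/secure(\..*)?$'` in the secure rule. The `(.*)` capture group is unnecessary in both.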
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/oval/shared.xml
new file mode 100644
index 00000000000..e75cff2d965
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/localmessages should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/localmessages(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/rule.yml
new file mode 100644
index 00000000000..54ad36f500a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/localmessages File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/localmessages", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/localmessages file contains log messages from certain boot scripts,
+ including the DHCP client, and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/localmessages", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/localmessages", group="root|adm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..72f5d23263c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chgrp adm /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..e656311f137
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chgrp nogroup /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..440c038a322
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_localmessages/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chgrp root /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/bash/shared.sh
new file mode 100644
index 00000000000..6dde84531a2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -name 'messages' -exec chgrp adm {} \;
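Review bot: The remediation is added as `bash/shared.sh` but is restricted to `# platform = Ubuntu 24.04`, while the matching check in this same commit is added as `oval/ubuntu.xml`. Since this rule already exists for other products (the rule.yml references `stigid@ol8` and `stigid@rhel8`), it is worth confirming that a platform-limited `shared.sh` does not displace whatever remediation those products currently receive; if it is safe, naming the file `ubuntu.sh` to mirror the OVAL would make the scope obvious. The `-regextype posix-extended` option is unused because the filter is `-name 'messages'`.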
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/oval/ubuntu.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/oval/ubuntu.xml
new file mode 100644
index 00000000000..c7952557706
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/oval/ubuntu.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/messages should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/messages
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
index 68849bd25df..0b9cd58bed4 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
@@ -2,7 +2,11 @@ documentation_complete: true
title: 'Verify Group Who Owns /var/log/messages File'
-description: '{{{ describe_file_group_owner(file="/var/log/messages", group="root") }}}'
+{{% if 'ubuntu2404' not in product %}}
+description: '{{{ describe_file_group_owner(file="/var/log/messages", group="adm") }}}'
+{{%- else %}}
+description: '{{{ describe_file_group_owner(file="/var/log/messages", group="root|adm") }}}'
+{{%- endif %}}
rationale: |-
The /var/log/messages file contains logs of error messages in
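Review bot: The non-ubuntu2404 branch changes the description from `group="root"` to `group="adm"`, yet the `ocil_clause`, `fixtext` and `srg_requirement` lines that remain in that same branch in the later hunks of this file still say `group="root"`, so the rendered rule would describe one expected group and instruct checking and fixing another. Unless the change to `adm` for RHEL/OL is intended and the other macros are updated to match, the line should stay `description: '{{{ describe_file_group_owner(file="/var/log/messages", group="root") }}}'`. The ubuntu2404 branch with `root|adm` is internally consistent with its own ocil lines.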
@@ -21,6 +25,7 @@ references:
stigid@ol8: OL08-00-010230
stigid@rhel8: RHEL-08-010230
+{{% if 'ubuntu2404' not in product %}}
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/messages", group="root") }}}'
ocil: |-
@@ -35,3 +40,9 @@ fixtext: |-
{{{ describe_file_group_owner(file="/var/log/messages", group="root") }}}
srg_requirement: '{{{ srg_requirement_file_group_owner("/var/log/messages", group="root") }}}'
+{{%- else %}}
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/messages", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/messages", group="root|adm") }}}
+{{%- endif %}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..0bcc2765271
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chgrp adm /var/log/messages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..04532205dff
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chgrp nogroup /var/log/messages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..d5d151d517d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chgrp root /var/log/messages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/bash/shared.sh
new file mode 100644
index 00000000000..e079aae6c86
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -regex '.*secure(.*)' -exec chgrp adm {} \;
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/oval/shared.xml
new file mode 100644
index 00000000000..28d96dc29e3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/secure should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/secure(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/rule.yml
new file mode 100644
index 00000000000..9e92f99ec8c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/secure File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/secure", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/secure file contains information related to authentication
+ and authorization privileges and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/secure", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/secure", group="root|adm") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..aa72bebff3d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chgrp adm /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..7b4b7f90bce
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chgrp nogroup /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..8c4bb95dc07
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_secure/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chgrp root /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/bash/shared.sh
new file mode 100644
index 00000000000..ce5a7b13585
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group sssd -type d -regextype posix-extended -name 'sssd' -exec chgrp sssd {} \;
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/oval/shared.xml
new file mode 100644
index 00000000000..876ffb6080c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/oval/shared.xml
@@ -0,0 +1,35 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/sssd should be root or sssd.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^sssd:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/sssd
+
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/rule.yml
new file mode 100644
index 00000000000..b414256c4cf
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/apt Directory'
+
+description: '{{{ describe_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/apt directory contains information about APT
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/apt", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/apt", group="root|adm") }}}
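Review bot: This rule.yml lives under `file_groupowner_var_log_sssd` and its OVAL checks `/var/log/sssd` against `root|sssd`, but the title, description, rationale, ocil_clause and ocil all describe `/var/log/apt` with `root|adm`, which looks like an unedited copy from the apt rule. Every `file="/var/log/apt"` should become `file="/var/log/sssd"`, every `group="root|adm"` should become `group="root|sssd"`, the title should read `Verify Group Who Owns /var/log/sssd Directory`, and the rationale should describe the SSSD log directory. As written, the guide text and the manual (OCIL) check would tell an assessor to verify the wrong directory and accept the wrong group.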
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..4997c82d993
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+mkdir -p /var/log/sssd
+chgrp nogroup /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..0999ea8a180
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+mkdir -p /var/log/sssd
+chgrp root /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_sssd.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_sssd.pass.sh
new file mode 100644
index 00000000000..569631f39df
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_sssd/tests/owned_by_sssd.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+mkdir -p /var/log/sssd
+chgrp sssd /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/bash/shared.sh
new file mode 100644
index 00000000000..9da1e04856e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -name 'syslog' -exec chgrp adm {} \;
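Review bot: `-regextype posix-extended` on the find line has no effect, because the file is selected with `-name 'syslog'` rather than `-regex`, so the option is dead weight that suggests a pattern match that is not happening. Either drop it, or select by regex as the sibling remediations do, e.g. `find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -regex '.*/syslog' -exec chgrp adm {} \;`. Note that neither form touches rotated copies such as syslog.1, which is consistent with the OVAL check for this rule but differs from the `chgrp ... /var/log/syslog*` used in its tests.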
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/oval/ubuntu.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/oval/ubuntu.xml
new file mode 100644
index 00000000000..8878927a621
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/oval/ubuntu.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/syslog should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/syslog
+
+
+
+
+
+ 0
+
+
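Review bot: This oval/ubuntu.xml is not wrapped in a `{{% if 'ubuntu2404' in product %}}` … `{{%- endif %}}` guard, unlike the file_owner_var_log_messages ubuntu.xml added in the same commit. If a rule-specific OVAL file takes precedence over the `file_groupowner` template for every Ubuntu product, this check would replace the existing gid-4-only check for Ubuntu 20.04 and 22.04 (the ones carrying stigid references) with one that also accepts root, silently relaxing those benchmarks; please confirm the precedence and add the same guard if so. The XML element markup did not survive extraction here, so only the scalar content (the `^adm:\w+:(\w+):.*` group lookup and the `/var/log/syslog` path) could be reviewed.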
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
index 6b323f5b81e..c3e4097ee79 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
@@ -2,7 +2,11 @@ documentation_complete: true
title: 'Verify Group Who Owns /var/log/syslog File'
+{{% if 'ubuntu2404' not in product %}}
description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+{{%- else %}}
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="root|adm") }}}'
+{{%- endif %}}
rationale: |-
The /var/log/syslog file contains logs of error messages in
@@ -16,6 +20,7 @@ references:
stigid@ubuntu2004: UBTU-20-010420
stigid@ubuntu2204: UBTU-22-232135
+{{% if 'ubuntu2404' not in product %}}
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
ocil: |-
@@ -26,3 +31,9 @@ template:
vars:
filepath: /var/log/syslog
gid_or_name: '4'
+{{%- else %}}
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/syslog", group="root|adm") }}}
+{{%- endif %}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..90f0d646603
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chgrp adm /var/log/syslog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..f2419e3d1c6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chgrp nogroup /var/log/syslog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..98504afbb03
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chgrp root /var/log/syslog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/bash/shared.sh
new file mode 100644
index 00000000000..ed67ab6765e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+find -L /var/log/ -maxdepth 1 ! -group root ! -group adm -type f -regextype posix-extended -regex '.*waagent.log(.*)' -exec chgrp adm {} \;
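Review bot: The regex `'.*waagent.log(.*)'` leaves the `.` before `log` unescaped and the trailing `(.*)` is redundant, so it also matches names such as waagentXlog; the same unescaped dot appears in the OVAL path `/var/log/waagent.log(.*)` for this rule. A tighter form is `-regex '.*/waagent\.log.*'`, which still covers the rotated copies the tests create with `waagent.log*`.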
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/oval/shared.xml
new file mode 100644
index 00000000000..f32be3f576f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/waagent.log should be root or adm.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^adm:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/waagent.log(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/rule.yml
new file mode 100644
index 00000000000..9cc8041bce4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/secure File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/secure", group="root|adm") }}}'
+
+rationale: |-
+ The /var/log/waagent.log file contains Azure Linux Guest Agent records
+ events that can be used for troubleshooting and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/secure", group="root|adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/secure", group="root|adm") }}}
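Review bot: The title, description, ocil_clause and ocil of this rule all name `/var/log/secure`, while the rule directory, the remediation and the OVAL metadata are about `/var/log/waagent.log`; the rendered guidance and OCIL question would tell an assessor to check the wrong file. Replace the path in all four macro calls, e.g. `title: 'Verify Group Who Owns /var/log/waagent.log File'` and `description: '{{{ describe_file_group_owner(file="/var/log/waagent.log", group="root|adm") }}}'`, with the same substitution in the ocil_clause and ocil lines. The rationale also reads awkwardly (`contains Azure Linux Guest Agent records events`); suggest `contains records of Azure Linux Guest Agent events that can be used for troubleshooting`.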
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_adm.pass.sh
new file mode 100644
index 00000000000..e6bc5561c4d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chgrp adm /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..330581a573a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chgrp nogroup /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..74e4fab27e4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_waagent/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chgrp root /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/bash/shared.sh
new file mode 100644
index 00000000000..65d70ced901
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+find -L /var/log/ -maxdepth 1 ! -group root ! -group utmp -type f -regextype posix-extended -regex '.*(b|w)tmp((\.|-)[^\/]+)?$' -exec chgrp utmp {} \;
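Review bot: The metadata header is duplicated, with `# platform = Ubuntu 24.04` on line 1 and `# platform = multi_platform_all` on line 6 of the same file. Which value the build takes from a doubled header I cannot confirm from here, but if the second one wins this Ubuntu-specific fix (`chgrp utmp`) would be offered for every product, and if the first one wins the second block is dead text. Keep a single five-line header (the `Ubuntu 24.04` one, matching the other remediations in this commit) and drop lines 6–10.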
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/oval/shared.xml
new file mode 100644
index 00000000000..8c09df3f958
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/oval/shared.xml
@@ -0,0 +1,34 @@
+
+
+ {{{ oval_metadata("Group owner of /var/log/(w|b)tmp should be root or utmp.") }}}
+
+
+
+
+
+
+ /etc/group
+ ^utmp:\w+:(\w+):.*
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/(b|w)tmp((\.|-)[^\/]+)?
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/rule.yml
new file mode 100644
index 00000000000..bf06139cf82
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/(b|w)tmp(.*|-*) File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/(b|w)tmp(.*|-*)", group="root|utmp") }}}'
+
+rationale: |-
+ The /var/log/(b|w)tmp(.*|-*) file contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/(b|w)tmp(.*|-*)", group="root|utmp") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/(b|w)tmp(.*|-*)", group="root|utmp") }}}
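Review bot: The pattern shown to assessors, `/var/log/(b|w)tmp(.*|-*)`, is not the pattern the rule actually enforces: the remediation and OVAL use `(b|w)tmp((\.|-)[^\/]+)?`, so the human-readable text over-approximates what is checked. Consider stating the real pattern or a plain description in the title/description/ocil lines, e.g. `title: 'Verify Group Who Owns /var/log/btmp and /var/log/wtmp Files'`. The rationale sentence `contains logs of reports the most recent login of all users` is copied from the lastlog rule and is ungrammatical; wtmp records login sessions and btmp records failed login attempts, so suggest `The /var/log/btmp and /var/log/wtmp files (and their rotated copies) record login sessions and failed login attempts and should only be accessed by authorized personnel.`.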
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_nogroup.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_nogroup.fail.sh
new file mode 100644
index 00000000000..18e6abb02ca
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_nogroup.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/btmp
+touch /var/log/btmp.1
+touch /var/log/btmp-1
+chgrp nogroup /var/log/btmp*
+touch /var/log/wtmp
+touch /var/log/wtmp.1
+touch /var/log/wtmp-1
+chgrp nogroup /var/log/wtmp*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..c447f5ce18a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_root.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/btmp
+touch /var/log/btmp.1
+touch /var/log/btmp-1
+chgrp root /var/log/btmp*
+touch /var/log/wtmp
+touch /var/log/wtmp.1
+touch /var/log/wtmp-1
+chgrp root /var/log/wtmp*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_utmp.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_utmp.pass.sh
new file mode 100644
index 00000000000..5e7c4299fb1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_wbtmp/tests/owned_by_utmp.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+
+touch /var/log/btmp
+touch /var/log/btmp.1
+touch /var/log/btmp-1
+chgrp utmp /var/log/btmp*
+touch /var/log/wtmp
+touch /var/log/wtmp.1
+touch /var/log/wtmp-1
+chgrp utmp /var/log/wtmp*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/bash/shared.sh
new file mode 100644
index 00000000000..301bd7c9bdc
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/auth.log
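Review bot: `chown syslog /var/log/auth.log` exits non-zero when the file does not exist and also rewrites files already owned by root, which the rule accepts (`owner="root|syslog"`), so the remediation is both noisier and broader than the check. The group-owner remediations in this commit already use the narrower form; the equivalent here is `find -L /var/log/ -maxdepth 1 ! -user root ! -user syslog -type f -name 'auth.log' -exec chown syslog {} \;`. The same applies to the cloud_init, localmessages and messages file_owner remediations, where the glob variants (`/var/log/cloud-init.log*`, `/var/log/localmessages*`) additionally pass the unmatched glob literally to chown when no file exists.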
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/oval/shared.xml
new file mode 100644
index 00000000000..afb0b338038
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/oval/shared.xml
@@ -0,0 +1,31 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/auth.log should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/auth.log
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/rule.yml
new file mode 100644
index 00000000000..b08e6b2d107
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/auth.log File'
+
+description: '{{{ describe_file_owner(file="/var/log/auth.log", owner="root|syslog") }}}'
+
+rationale: |-
+ The /var/log/auth.log file contains records information about user
+ login attempts and authentication processes and should only be accessed by
+ authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/auth.log", owner="root|syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/auth.log", owner="root|syslog") }}}
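Review bot: The rationale sentence `The /var/log/auth.log file contains records information about user login attempts` mixes two verbs and reads as a copy-edit slip; suggest `The /var/log/auth.log file records information about user login attempts and authentication processes and should only be accessed by authorized personnel.`.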
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..bd7114a7a1d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chown nobody /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..346c96c2bc1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chown root /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..a692887109f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/auth.log
+chown syslog /var/log/auth.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/bash/shared.sh
new file mode 100644
index 00000000000..72bc353445a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/oval/shared.xml
new file mode 100644
index 00000000000..39d489043b0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/oval/shared.xml
@@ -0,0 +1,31 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/cloud-init.log should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/cloud-init.log(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/rule.yml
new file mode 100644
index 00000000000..6f483f9af48
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/cloud-init.log File'
+
+description: '{{{ describe_file_owner(file="/var/log/cloud-init.log", owner="root|syslog") }}}'
+
+rationale: |-
+ The /var/log/cloud-init.log file contains detailed debugging information that
+ helps users troubleshoot cloud-init and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/cloud-init.log", owner="root|syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/cloud-init.log", owner="root|syslog") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..170c11beeed
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chown nobody /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..cd249ebdd4c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chown root /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..13000086bc3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/cloud-init.log
+chown syslog /var/log/cloud-init.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm/rule.yml
new file mode 100644
index 00000000000..7d8af2f1e58
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/gdm directory'
+
+description: '{{{ describe_file_owner(file="/var/log/gdm", owner="root") }}}'
+
+rationale: |-
+ The /var/log/gdm directory contains information about the GDM daemon
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/gdm", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/gdm", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/gdm", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/gdm", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/gdm/
+ fileuid: '0'
+ recursive: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm3/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm3/rule.yml
new file mode 100644
index 00000000000..c2802dabf91
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_gdm3/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/gdm3 directory'
+
+description: '{{{ describe_file_owner(file="/var/log/gdm3", owner="root") }}}'
+
+rationale: |-
+ The /var/log/gdm3 directory stores information about the GNOME Display Manager (GDM)
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/gdm3", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/gdm3", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/gdm3", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/gdm3", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/gdm3/
+ fileuid: '0'
+ recursive: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/rule.yml
new file mode 100644
index 00000000000..ee71754c7ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/*.journal(~) Files'
+
+description: '{{{ describe_file_owner(file="/var/log/*.journal(~)", owner="root") }}}'
+
+rationale: |-
+ The /var/log/*.journal(~) files are system logs managed by the "systemd" service.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/*.journal(~)", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/*.journal(~)", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/*.journal(~)", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/*.journal(~)", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/
+ file_regex: .*\.journal(~)?$
+ fileuid: '0'
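Review bot: The `file_owner` template is given `filepath: /var/log/` with `file_regex: .*\.journal(~)?$` and no `recursive` flag, so only files directly under /var/log are checked; systemd normally writes its journal files under /var/log/journal/<machine-id>/, which this rule would not reach. The tests only create a synthetic /var/log/my.journal, so they do not exercise the real layout. If the intent is to cover the persistent journal, consider adding `recursive: 'true'` (as the gdm rules do) or pointing `filepath` at /var/log/journal/; if the narrower scope is deliberate, say so in the description.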
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/incorrect_owner.fail.sh
new file mode 100644
index 00000000000..bac2945af55
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/incorrect_owner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/my.journal
+chown nobody /var/log/my.journal
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/invalid_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/invalid_owner.fail.sh
new file mode 100644
index 00000000000..ee3954a2dcd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/invalid_owner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/my.journal~
+chown nobody /var/log/my.journal~
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..5175f6bf6b5
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_journal/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch touch /var/log/my.journal~
+chown root /var/log/my.journal~
+
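Review bot: Line 3 reads `touch touch /var/log/my.journal~`, which creates a stray file named `touch` in the working directory in addition to the intended journal file; it should be `touch /var/log/my.journal~`. The file also ends with an extra blank line that the sibling test scripts do not have.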
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/rule.yml
new file mode 100644
index 00000000000..a382289466a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/lastlog File'
+
+description: '{{{ describe_file_owner(file="/var/log/lastlog", owner="root") }}}'
+
+rationale: |-
+ The /var/log/lastlog file contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/lastlog", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/lastlog", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/lastlog", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/lastlog", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/
+ file_regex: .*lastlog(\.[^\/]+)?$
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/incorrect_owner.fail.sh
new file mode 100644
index 00000000000..a0fe9e9cd3b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/incorrect_owner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/lastlog
+chown syslog /var/log/lastlog
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/invalid_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/invalid_owner.fail.sh
new file mode 100644
index 00000000000..d2136f32f41
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/invalid_owner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/lastlog.1
+chown syslog /var/log/lastlog.1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..17ea28ed0c8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_lastlog/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch /var/log/lastlog.1
+chown root /var/log/lastlog.1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/bash/shared.sh
new file mode 100644
index 00000000000..da1f1bde5ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/oval/shared.xml
new file mode 100644
index 00000000000..08e07c8713a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/oval/shared.xml
@@ -0,0 +1,31 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/localmessages should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/localmessages(.*)
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/rule.yml
new file mode 100644
index 00000000000..4c19485abcb
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/localmessages File'
+
+description: '{{{ describe_file_owner(file="/var/log/localmessages", owner="root|syslog") }}}'
+
+rationale: |-
+ The /var/log/localmessages file contains log messages from certain boot scripts,
+ including the DHCP client, and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/localmessages", owner="root|syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/localmessages", owner="root|syslog") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..c76e43d18ee
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chown nobody /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..312c1c676ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chown root /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..a7f286faf49
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/localmessages
+chown syslog /var/log/localmessages*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/bash/shared.sh
new file mode 100644
index 00000000000..5d60d1953e7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/messages
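Review bot: `chown syslog /var/log/messages` exits non-zero when the file does not exist, so the remediation is reported as failed on a host that never created /var/log/messages (Ubuntu's stock rsyslog layout presumably writes to syslog/auth.log instead). Guard it: `[ -f /var/log/messages ] && chown syslog /var/log/messages`. Since the rule in this series accepts either root or syslog, a one-line comment explaining why syslog is chosen would help: `# root is also compliant; syslog matches the owner rsyslog writes as`.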
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/oval/ubuntu.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/oval/ubuntu.xml
new file mode 100644
index 00000000000..dd05122751d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/oval/ubuntu.xml
@@ -0,0 +1,33 @@
+{{% if 'ubuntu2404' in product %}}
+
+
+ {{{ oval_metadata("Owner of /var/log/messages should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/messages
+
+
+
+
+
+ 0
+
+
+ {{%- endif %}}
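Review bot: The whole file is wrapped in `{{% if 'ubuntu2404' in product %}}`, so for every other Ubuntu product `oval/ubuntu.xml` renders to an empty document while rule.yml for those products relies on the `file_owner` template; whether an empty hand-written OVAL shadows the templated check is a build-system detail I cannot confirm from here. Naming the file `oval/ubuntu2404.xml` with no guard removes the ambiguity, as product-named OVAL files apply only to that product. The XML markup of this hunk is stripped in this view, so the object/state contents (the `syslog` and `0` values) could not be reviewed.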
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
index b17311a2418..f646e9419fd 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
@@ -2,7 +2,11 @@ documentation_complete: true
title: 'Verify User Who Owns /var/log/messages File'
+{{% if 'ubuntu2404' not in product %}}
description: '{{{ describe_file_owner(file="/var/log/messages", owner="root") }}}'
+{{%- else %}}
+description: '{{{ describe_file_owner(file="/var/log/messages", owner="root|syslog") }}}'
+{{%- endif %}}
rationale: |-
The /var/log/messages file contains logs of error messages in
@@ -21,18 +25,25 @@ references:
stigid@ol8: OL08-00-010220
stigid@rhel8: RHEL-08-010220
+{{% if 'ubuntu2404' not in product %}}
ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/messages", owner="root") }}}'
ocil: |-
{{{ ocil_file_owner(file="/var/log/messages", owner="root") }}}
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/messages", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/messages", owner="root") }}}'
+
template:
name: file_owner
vars:
filepath: /var/log/messages
fileuid: '0'
+{{%- else %}}
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/messages", owner="root|syslog") }}}'
-fixtext: |-
- {{{ describe_file_owner(file="/var/log/messages", owner="root") }}}
-
-srg_requirement: '{{{ srg_requirement_file_owner("/var/log/messages", owner="root") }}}'
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/messages", owner="root|syslog") }}}
+{{%- endif %}}
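Review bot: The `ubuntu2404` branch drops `fixtext` and `srg_requirement` together with the template, so the 24.04 build loses its remediation text even though root|syslog is the documented owner there. Keep a fixtext in the else branch: `fixtext: |-` followed by `  {{{ describe_file_owner(file="/var/log/messages", owner="root|syslog") }}}`. That branch also carries no `template`, so detection for 24.04 depends entirely on the hand-written `oval/ubuntu.xml` in this series; a comment such as `{{# ubuntu2404: checked by oval/ubuntu.xml, remediated by bash/shared.sh #}}` above `{{%- else %}}` would save the next maintainer a search.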
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..094050a536c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chown nobody /var/log/messages
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..98d3997bcf4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chown root /var/log/messages
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..91b51f1a10a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/messages
+chown syslog /var/log/messages
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/bash/shared.sh
new file mode 100644
index 00000000000..c14f8f061e4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/secure*
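Review bot: `chown syslog /var/log/secure*` relies on glob expansion; when nothing matches, bash passes the literal `/var/log/secure*` to chown and the remediation exits non-zero, and since Ubuntu's default rsyslog configuration presumably writes authentication messages to auth.log rather than /var/log/secure, no-match is the common case. Add `shopt -s nullglob` before the chown, or loop: `for f in /var/log/secure*; do [ -e "$f" ] && chown syslog "$f"; done`. Note also that the remediation touches rotated copies (`secure*`) while the OVAL in this series names the single path `/var/log/secure`; the two scopes should agree.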
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/oval/shared.xml
new file mode 100644
index 00000000000..4b617acd5a8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/oval/shared.xml
@@ -0,0 +1,31 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/secure should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/secure
+
+
+
+
+
+ 0
+
+
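Review bot: The object path is the exact string `/var/log/secure`, while the bash remediation and the owned_by_nobody.fail.sh test in this series operate on `/var/log/secure*`, so a rotated `secure.1` owned by `nobody` passes the check but is touched by the fix. If rotated copies are in scope, match them with a pattern such as `^/var/log/secure(\.[^/]+)?$`; if not, drop the glob from the fix and tests. The XML markup is stripped in this view, so the operation attribute on the path element could not be verified.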
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/rule.yml
new file mode 100644
index 00000000000..f2b8ec83a0c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/secure File'
+
+description: '{{{ describe_file_owner(file="/var/log/secure", owner="root|syslog") }}}'
+
+rationale: |-
+ The /var/log/secure file contains information related to authentication
+ and authorization privileges and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/secure", owner="root|syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/secure", owner="root|syslog") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..44fce586c11
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chown nobody /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..f12891701e8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chown root /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..8d44722bd63
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_secure/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/secure
+chown syslog /var/log/secure*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/bash/shared.sh
new file mode 100644
index 00000000000..7da51141a01
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown sssd /var/log/sssd
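Review bot: `chown sssd /var/log/sssd` changes only the directory inode; the log files inside keep whatever owner they had, yet the rule title in this series says "Files". If files are the intended scope the fix needs to descend, e.g. `[ -d /var/log/sssd ] && chown sssd /var/log/sssd && find /var/log/sssd -maxdepth 1 -type f -exec chown sssd {} +`; if the directory is the scope, the title should say so. The OVAL object in this series names the bare path `/var/log/sssd` with no file pattern, which suggests directory-only, so title, check and fix currently disagree.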
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/oval/shared.xml
new file mode 100644
index 00000000000..9e98adceaf7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/oval/shared.xml
@@ -0,0 +1,32 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/sssd should be root or sssd.") }}}
+
+
+
+
+
+
+ sssd
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/sssd
+
+
+
+
+
+
+ 0
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/rule.yml
new file mode 100644
index 00000000000..a8ed4a8fa1d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/sssd Files'
+
+description: '{{{ describe_file_owner(file="/var/log/sssd", owner="root|sssd") }}}'
+
+rationale: |-
+ The /var/log/sssd directory contains debug logs for the System
+ Security Services Daemon (SSSD) and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/sssd", owner="root|sssd") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/sssd", owner="root|sssd") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/sssd", owner="root|sssd") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/sssd", owner="root|sssd") }}}'
+
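Review bot: The title says "Files", but description, OCIL and the OVAL in this series all name the single path `/var/log/sssd`, i.e. the directory itself, so on its face a log file inside owned by `nobody` would pass. If the directory is the intended scope, retitle: `title: 'Verify User Who Owns /var/log/sssd Directory'` and word the rationale accordingly; if the files are intended, the check needs a file pattern and the remediation a recursive chown. Nit: the file ends with a trailing blank line.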
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..9f6b9b0c99a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+chown nobody /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..6e9b2befb43
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_root.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+chown root /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_sssd.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_sssd.pass.sh
new file mode 100644
index 00000000000..7c373361009
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_sssd/tests/owned_by_sssd.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = sssd
+
+chown sssd /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/bash/shared.sh
new file mode 100644
index 00000000000..2399d21bfeb
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/syslog
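Review bot: `chown syslog /var/log/syslog` has no existence guard, so on a host where rsyslog has not yet created the file the remediation exits non-zero and is reported as failed. Use `[ -f /var/log/syslog ] && chown syslog /var/log/syslog`. A short comment noting that root is equally compliant and syslog is chosen because it is the owner rsyslog writes as would document the choice.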
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/oval/ubuntu.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/oval/ubuntu.xml
new file mode 100644
index 00000000000..469c6d9eb0f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/oval/ubuntu.xml
@@ -0,0 +1,33 @@
+{{% if 'ubuntu2404' in product %}}
+
+
+ {{{ oval_metadata("Owner of /var/log/syslog should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/syslog
+
+
+
+
+
+ 0
+
+
+{{%- endif %}}
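Review bot: As with the messages OVAL, guarding the entire file with `{{% if 'ubuntu2404' in product %}}` makes `oval/ubuntu.xml` render empty for 20.04/22.04, which still use the `file_owner` template in rule.yml; whether the empty hand-written file shadows the template is not something I can confirm here. A product-named `oval/ubuntu2404.xml` without the guard sidesteps the question. The element markup is stripped in this view, so the `syslog` and `0` state values could not be checked against the intended root-or-syslog semantics.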
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
index 40cfa5dfd93..7ea7cc2458a 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
@@ -2,7 +2,11 @@ documentation_complete: true
title: 'Verify User Who Owns /var/log/syslog File'
-description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+{{% if 'ubuntu2404' not in product %}}
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="root") }}}'
+{{%- else %}}
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="root|syslog") }}}'
+{{%- endif %}}
rationale: |-
The /var/log/syslog file contains logs of error messages in
@@ -16,13 +20,26 @@ references:
stigid@ubuntu2004: UBTU-20-010421
stigid@ubuntu2204: UBTU-22-232130
-ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+{{% if 'ubuntu2404' not in product %}}
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="root") }}}'
ocil: |-
- {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/syslog", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/syslog", owner="root") }}}'
template:
name: file_owner
vars:
filepath: /var/log/syslog
- fileuid: '104'
+ fileuid: '0'
+{{%- else %}}
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="root|syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="root|syslog") }}}
+{{%- endif %}}
+
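Review bot: The non-`ubuntu2404` branch changes the required owner from `syslog` (uid 104) to `root` (`fileuid: '0'`, and `owner="root"` in the first hunk of this file), which is a behaviour change for Ubuntu 20.04/22.04 — the products whose STIG ids (UBTU-20-010421, UBTU-22-232130) this rule still carries and which, as far as I recall, require /var/log/syslog to be owned by `syslog`; a stock install where rsyslog writes as syslog would start failing. If the intent was only to accept root|syslog on 24.04, the other branch should keep its previous values: `owner="syslog"` in description/ocil and `fileuid: '104'`. The hard-coded uid was already fragile, but replacing it is a separate change.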
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..d611478699b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chown nobody /var/log/syslog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..1c475efcbd0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chown root /var/log/syslog*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..6f476cad3f3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/syslog
+chown syslog /var/log/syslog*
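Review bot: The `# platform = Ubuntu 24.04` header appears twice on consecutive lines; the test harness parses these `# key = value` headers, and a repeated key is at best ignored and at worst misparsed. Drop one of the two lines so the file matches the sibling owned_by_root.pass.sh.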
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/bash/shared.sh
new file mode 100644
index 00000000000..564d047ec94
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+chown syslog /var/log/waagent.log*
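Review bot: `chown syslog /var/log/waagent.log*` passes the literal glob to chown when no file matches, and waagent.log only exists on Azure guests running the Linux agent, so on every other host the remediation fails with a non-zero exit. Add `shopt -s nullglob` first, or `for f in /var/log/waagent.log*; do [ -e "$f" ] && chown syslog "$f"; done`.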
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/oval/shared.xml
new file mode 100644
index 00000000000..783a6a5dcf8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/oval/shared.xml
@@ -0,0 +1,31 @@
+
+
+ {{{ oval_metadata("Owner of /var/log/waagent.log should be root or syslog.") }}}
+
+
+
+
+
+
+ syslog
+
+
+
+
+
+
+
+
+
+
+
+ /var/log/waagent.log(.*)
+
+
+
+
+
+ 0
+
+
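Review bot: The path pattern `/var/log/waagent.log(.*)` has an unescaped `.` (so `waagentXlog` matches) and a trailing `(.*)` that also matches anything below a `waagent.log.d/`-style subpath; anchoring and escaping make the intent explicit: `^/var/log/waagent\.log(\.[^/]+)?$`. The surrounding element markup is stripped in this view, so I am assuming this is a pattern-match path — please confirm the operation attribute.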
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/rule.yml
new file mode 100644
index 00000000000..7d1c643b6b7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/waagent.log File'
+
+description: '{{{ describe_file_owner(file="/var/log/waagent.log", owner="root|syslog") }}}'
+
+rationale: |-
+ The /var/log/waagent.log file contains Azure Linux Guest Agent records
+ events that can be used for troubleshooting and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/waagent.log", owner="sroot|yslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/waagent.log", owner="root|syslog") }}}
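Review bot: `owner="sroot|yslog"` in the ocil_clause is a typo (the `s` slid in front of `root`); the rendered OCIL will tell the assessor the file must be owned by `sroot|yslog`, contradicting the description and ocil lines. Change it to `owner="root|syslog"`. The rationale sentence "contains Azure Linux Guest Agent records events" also needs rewording, e.g. `The /var/log/waagent.log file records Azure Linux Guest Agent events used for troubleshooting and should only be accessed by authorized personnel.`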
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_nobody.fail.sh
new file mode 100644
index 00000000000..617bc6e7ee6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chown nobody /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_root.pass.sh
new file mode 100644
index 00000000000..00907355056
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chown root /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_syslog.pass.sh
new file mode 100644
index 00000000000..9a0830294f9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_waagent/tests/owned_by_syslog.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/waagent.log
+chown syslog /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/rule.yml
new file mode 100644
index 00000000000..b9f49726f57
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/(b|w)tmp(.*|-*) File'
+
+description: '{{{ describe_file_owner(file="/var/log/(b|w)tmp(.*|-*)", owner="root") }}}'
+
+rationale: |-
+ The /var/log/(b|w)tmp(.*|-*) file contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/(b|w)tmp(.*|-*)", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/(b|w)tmp(.*|-*)", owner="root") }}}
+
+fixtext: |-
+ {{{ describe_file_owner(file="/var/log/(b|w)tmp(.*|-*)", owner="root") }}}
+
+srg_requirement: '{{{ srg_requirement_file_owner("/var/log/(b|w)tmp(.*|-*)", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/
+ file_regex: .*(b|w)tmp((\.|-)[^\/]+)?$
+ fileuid: '0'
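Review bot: `file_regex: .*(b|w)tmp((\.|-)[^\/]+)?$` is not anchored at the start, so any entry in /var/log whose name merely ends in `btmp`/`wtmp` (or `foo-wtmp.1`) is pulled into the check; anchor it: `file_regex: ^(b|w)tmp((\.|-)[^\/]+)?$`. The title, description and rationale expose the raw pattern `/var/log/(b|w)tmp(.*|-*)` as prose, and it is a different (looser) pattern than the template uses; write them in words, e.g. `title: 'Verify User Who Owns /var/log/wtmp and /var/log/btmp Files'`, and state that rotated copies are included. The rationale's "contains logs of reports the most recent login" is garbled — wtmp records logins and logouts and btmp records failed login attempts, which is why the owner matters.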
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/incorrect_owner.fail.sh
new file mode 100644
index 00000000000..9cc4c19aafc
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/incorrect_owner.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+touch /var/log/wtmp
+chown syslog /var/log/wtmp
+
+touch /var/log/btmp
+chown syslog /var/log/btmp
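Review bot: Unlike the other new tests in this series, this scenario has no `# platform` header, and it chowns to `syslog`, a user present on Debian/Ubuntu but not necessarily on other products that could build this rule; if the user is missing, the setup command fails before the scan and the scenario is reported as an error rather than a fail. Either add the same `# platform = Ubuntu 24.04` header the sibling tests use, or pick a user that exists everywhere: `chown nobody /var/log/wtmp` and `chown nobody /var/log/btmp`.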
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/invalid_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/invalid_owner.fail.sh
new file mode 100644
index 00000000000..a510b8e3bef
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/invalid_owner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+touch /var/log/wtmp.1
+chown syslog /var/log/wtmp.1
+touch /var/log/btmp.1
+chown syslog /var/log/btmp.1
+touch /var/log/wtmp-1
+chown syslog /var/log/wtmp-1
+touch /var/log/btmp-1
+chown syslog /var/log/btmp-1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..da2997e9250
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_wbtmp/tests/valid_permissions.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+touch /var/log/wtmp.1
+chown root /var/log/wtmp.1
+touch /var/log/btmp.1
+chown root /var/log/btmp.1
+touch /var/log/wtmp-1
+chown root /var/log/wtmp-1
+touch /var/log/btmp-1
+chown root /var/log/btmp-1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/rule.yml
new file mode 100644
index 00000000000..8288782d22d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on files in the /var/log/apt/.* directory'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/apt/.*", perms="0644") }}}
+
+rationale: |-
+ The /var/log/apt directory contains information about APT
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/apt/.*", perms="-rw-r--r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/apt/.*", perms="-rw-r--r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/apt/
+ file_regex: ^.*$
+ filemode: '0644'
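Review bot: The rationale says the APT logs "should only be accessed by authorized personnel", but the enforced mode `0644` leaves them world-readable, so the rule does not deliver what the rationale promises. Either say what the check actually prevents — `and must not be writable by unprivileged users, so that the package-installation record cannot be tampered with` — or tighten to `0640`, which needs confirming against what apt and logrotate create by default so a stock install does not fail. `file_regex: ^.*$` matches every entry in the directory, which is probably intended, but there is no pass test showing a stock layout (history.log, term.log, eipp.log.xz) passes.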
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..3c1da015d2c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_apt/tests/lenient_permissions.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p /var/log/apt
+touch /var/log/apt/history.log
+chmod 777 /var/log/apt/history.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_auth/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_auth/rule.yml
new file mode 100644
index 00000000000..3daeb64a9b8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_auth/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/auth.log File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/auth.log", perms="0640") }}}
+
+rationale: |-
+ The /var/log/auth.log file contains records information about user
+ login attempts and authentication processes and should only be accessed by
+ authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/auth.log", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/auth.log", perms="-rw-r-----") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/auth.log
+ filemode: '0640'
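Review bot: The check covers only the live `/var/log/auth.log`; logrotate's `auth.log.1`, `auth.log.2.gz`, … contain the same authentication records (failed logins, sudo use) and are left unchecked, while the cloud-init and waagent rules in this series do include rotated copies. Use the same shape: `filepath: /var/log/`, `file_regex: ^auth\.log(\.[^/]+)?$`, `filemode: '0640'`. No tests for this rule appear in this part of the diff; at minimum a `lenient_permissions.fail.sh` (`chmod 644 /var/log/auth.log`) and a pass scenario are needed.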
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/rule.yml
new file mode 100644
index 00000000000..097e92040c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/cloud-init.log(.*) Files'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/cloud-init.log", perms="0664") }}}
+
+rationale: |-
+ The /var/log/cloud-init.log file contains detailed debugging information that
+ helps users troubleshoot cloud-init and should only be accessed by authorized personnel.
+
+severity: medium
+
+
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/cloud-init.log", perms="-rw-r--r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/cloud-init.log", perms="-rw-r--r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: .*cloud-init.log([^\/]+)?$
+ filemode: '0644'
+
+fixtext: |-
+ {{{ fixtext_file_permissions("/var/log/cloud-init.log", "0664") | indent(4) }}}
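Review bot: The rule contradicts itself on the mode: `description` and `fixtext` say `0664` (group-writable) while the template enforces `0644` and the OCIL text says `-rw-r--r--`; the check is the behaviour, so align the prose with it: `describe_file_permissions(file="/var/log/cloud-init.log", perms="0644")` and `fixtext_file_permissions("/var/log/cloud-init.log", "0644")`. Separately, `file_regex: .*cloud-init.log([^\/]+)?$` has an unanchored start and an unescaped `.`; `^cloud-init\.log(\.[^/]+)?$` expresses "the log plus its rotated copies". The existing valid_permissions.pass.sh uses the name `cloud-init.log1`, which the tighter pattern would exclude, so either keep `[^/]*` or rename the fixture to `cloud-init.log.1`.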
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/invalid_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/invalid_permissions.fail.sh
new file mode 100644
index 00000000000..efa83a4367f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/invalid_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/cloud-init.log1
+chmod a+x /var/log/cloud-init.log1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..15bf2856b20
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/cloud-init.log
+chmod 777 /var/log/cloud-init.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..a932439cfb5
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_cloud-init/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch /var/log/cloud-init.log1
+chmod u+rw-x,g+r-wx,o+r-wx /var/log/cloud-init.log1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/rule.yml
new file mode 100644
index 00000000000..7b509c4d7d9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/gdm directory'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/gdm", perms="0770") }}}
+
+rationale: |-
+ The /var/log/gdm directory contains information about the GDM daemon
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/gdm", perms="-rwxrwx---") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/gdm", perms="-rwxrwx---") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/gdm/
+ filemode: '0770'
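Review bot: `/var/log/gdm` is a directory, yet both OCIL strings show a regular-file mode `-rwxrwx---`; the assessor compares against `ls -ld` output that begins with `d`, so write `perms="drwxrwx---"` in both ocil lines. `filepath: /var/log/gdm/` with a trailing slash and no `file_regex` — I believe the trailing slash makes the template check the directory itself, but that should be confirmed, since if it enumerates entries instead the check silently passes on an empty directory. Only a fail test is provided; a `valid_permissions.pass.sh` with `mkdir -p /var/log/gdm && chmod 0770 /var/log/gdm` would pin the intended mode.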
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..11883bdf5b6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /var/log/gdm
+chmod 777 /var/log/gdm
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/rule.yml
new file mode 100644
index 00000000000..3a80a1f429a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/gdm File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/gdm3", perms="0770") }}}
+
+rationale: |-
+ The /var/log/gdm3 directory stores information about the GNOME Display Manager (GDM)
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/gdm3", perms="-rwxrwx---") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/gdm3", perms="-rwxrwx---") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/gdm3/
+ filemode: '0770'
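Review bot: The title `'Verify Permissions on /var/log/gdm File'` is a copy-paste leftover — this rule checks the `/var/log/gdm3` directory (`filepath: /var/log/gdm3/`, and the rationale itself says "directory"), so it should read `title: 'Verify Permissions on /var/log/gdm3 Directory'`. The OCIL `perms="-rwxrwx---"` likewise uses the regular-file type indicator; for a directory it should be `drwxrwx---`. A `valid_permissions.pass.sh` (`mkdir -p /var/log/gdm3 && chmod 0770 /var/log/gdm3`) alongside the fail test would also confirm the template accepts exactly the documented mode.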
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..251a92f8944
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_gdm3/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /var/log/gdm3
+chmod 777 /var/log/gdm3
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/rule.yml
new file mode 100644
index 00000000000..3c2136fa000
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/lastlog(.*) Files'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/lastlog", perms="0664") }}}
+
+rationale: |-
+ The /var/log/lastlog file contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/lastlog", perms="-rw-rw-r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/lastlog", perms="-rw-rw-r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: .*lastlog(\.[^\/]+)?$
+ filemode: '0664'
+
+fixtext: |-
+ {{{ fixtext_file_permissions("/var/log/lastlog", "0664") | indent(4) }}}
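Review bot: The `file_regex: .*lastlog(\.[^\/]+)?$` is unanchored at the front, so any file in `/var/log/` whose name merely ends in `lastlog` (for example `foo_lastlog` or `notlastlog.1`) is also checked and would be flagged; `^lastlog(\.[^\/]+)?$` matches only the file and its rotated copies that the title `/var/log/lastlog(.*)` promises (assuming the template applies the regex to the basename, which is how the other regex rules here read — confirm). The three consecutive blank lines after `severity: medium` are a formatting slip; one blank line between keys matches the rest of the file. A short comment stating why 0664 (group-writable) rather than 0644 is the target would help, since `lastlog` is written only by root-owned login programs and the relaxation to group write is not explained.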
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/invalid_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/invalid_permissions.fail.sh
new file mode 100644
index 00000000000..d24bcef8f50
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/invalid_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/lastlog.1
+chmod a+x /var/log/lastlog.1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..8335fa99e5f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/lastlog
+chmod 777 /var/log/lastlog
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..d58ef645824
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_lastlog/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch /var/log/lastlog.1
+chmod u+rw-x,g+rw-x,o+r-wx /var/log/lastlog.1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/rule.yml
new file mode 100644
index 00000000000..fbad701233d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/localmessages(.*) Files'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/localmessages", perms="0664") }}}
+
+rationale: |-
+ The /var/log/localmessages file contains log messages from certain boot scripts,
+ including the DHCP client, and should only be accessed by authorized personnel.
+
+severity: medium
+
+
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/localmessages", perms="-rw-r--r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/localmessages", perms="-rw-r--r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: .*localmessages([^\/]+)?$
+ filemode: '0644'
+
+fixtext: |-
+ {{{ fixtext_file_permissions("/var/log/localmessages", "0664") | indent(4) }}}
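Review bot: The mode this rule checks and the mode it tells the operator to set disagree: the template has `filemode: '0644'` and the OCIL text `-rw-r--r--`, but `describe_file_permissions(... perms="0664")` and `fixtext_file_permissions("/var/log/localmessages", "0664")` advertise 0664, so an assessor who follows the fixtext and runs `chmod 0664` leaves the file group-writable and still failing the check. Pick one value and use it in all four places; given the OCIL string and the pass test (`g+r-wx`), `0644` looks like the intent, i.e. `perms="0644"` in the description and `"0644"` in the fixtext. The regex `.*localmessages([^\/]+)?$` has the same unanchored-prefix issue as the sibling rules (`^localmessages([^\/]+)?$`).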
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/invalid_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/invalid_permissions.fail.sh
new file mode 100644
index 00000000000..fc1064e0624
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/invalid_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/localmessages1
+chmod a+x /var/log/localmessages1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..3034b0a236f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/localmessages
+chmod 777 /var/log/localmessages
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..76c37145629
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_localmessages/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch /var/log/localmessages1
+chmod u+rw-x,g+r-wx,o+r-wx /var/log/localmessages1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
index a764107f578..13a69c60ed7 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
@@ -2,8 +2,16 @@ documentation_complete: true
title: 'Verify Permissions on /var/log/messages File'
+{{% if 'ubuntu2404' not in product %}}
+ {{% set target_perms_octal="0600" %}}
+ {{% set target_perms="-rw-------" %}}
+{{% else %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+{{% endif %}}
+
description: |-
- {{{ describe_file_permissions(file="/var/log/messages", perms="0600") }}}
+ {{{ describe_file_permissions(file="/var/log/messages", perms=target_perms_octal) }}}
rationale: |-
The /var/log/messages file contains logs of error messages in
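Review bot: The `{{% if 'ubuntu2404' not in product %}}` block reads backwards — the common case lives in the negated branch and the single exception in `else`; writing `{{% if 'ubuntu2404' in product %}}` with the `0640`/`-rw-r-----` pair first, then `{{% else %}}` with `0600`/`-rw-------`, states the Ubuntu-specific relaxation directly. Nothing in the rule records why Ubuntu 24.04 is allowed the more permissive 0640; a one-line comment such as `{{# Ubuntu 24.04 ships /var/log/messages group-readable by its log-reader group; 0640 matches the distro default — confirm against the benchmark #}}` next to the `set` lines would spare the next maintainer from re-deriving it. The `product` membership test is a substring match, so it would also fire for any future product id containing `ubuntu2404` — acceptable today, but worth knowing.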
@@ -22,18 +30,18 @@ references:
stigid@ol8: OL08-00-010210
stigid@rhel8: RHEL-08-010210
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/messages", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/messages", perms=target_perms) }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-------") }}}
+ {{{ ocil_file_permissions(file="/var/log/messages", perms=target_perms) }}}
template:
name: file_permissions
vars:
filepath: /var/log/messages
- filemode: '0600'
+ filemode: '{{{ target_perms_octal }}}'
fixtext: |-
- {{{ fixtext_file_permissions("/var/log/messages", "0640") | indent(4) }}}
+ {{{ fixtext_file_permissions("/var/log/messages", target_perms_octal) | indent(4) }}}
-srg_requirement: '{{{ srg_requirement_file_permission("/var/log/messages", "0600") }}}'
+srg_requirement: '{{{ srg_requirement_file_permission("/var/log/messages", target_perms_octal) }}}'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_secure/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_secure/rule.yml
new file mode 100644
index 00000000000..1190d1c1e14
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_secure/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/secure File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/secure", perms="0640") }}}
+
+rationale: |-
+ The /var/log/secure file contains information related to authentication
+ and authorization privileges and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/secure", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/secure", perms="-rw-r-----") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/secure
+ filemode: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/rule.yml
new file mode 100644
index 00000000000..d35496a1d18
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/sssd File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/sssd", perms="0770") }}}
+
+rationale: |-
+ The /var/log/sssd directory contains debug logs for the System
+ Security Services Daemon (SSSD) and should only be accessed by authorized personnel.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/sssd", perms="-rwxrwx---") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/sssd", perms="-rwxrwx---") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/sssd/
+ filemode: '0770'
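Review bot: The title `'Verify Permissions on /var/log/sssd File'` misdescribes the target — `filepath: /var/log/sssd/` (trailing slash) and the rationale both refer to a directory, so it should be `'Verify Permissions on /var/log/sssd Directory'`, and the OCIL `perms="-rwxrwx---"` should be `drwxrwx---` so assessors can compare it to `ls -ld`. As written the check covers only the directory mode; the SSSD debug logs inside it (which can contain usernames and domain details) are not examined by this rule, so either note that limitation in the rationale or add a regex-based companion for the files. Only a fail test is present; a pass test at `0770` would pin the accepted mode.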
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..b35c9294d85
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_sssd/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /var/log/sssd
+chmod 777 /var/log/sssd
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/rule.yml
new file mode 100644
index 00000000000..daf04b74b51
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/waagent.log(.*) Files'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/waagent.log", perms="0664") }}}
+
+rationale: |-
+ The /var/log/waagent.log file contains Azure Linux Guest Agent records
+ events that can be used for troubleshooting and should only be accessed by authorized personnel.
+
+severity: medium
+
+
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/waagent.log", perms="-rw-r--r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/waagent.log", perms="-rw-r--r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: .*waagent.log([^\/]+)?$
+ filemode: '0644'
+
+fixtext: |-
+ {{{ fixtext_file_permissions("/var/log/waagent.log", "0664") | indent(4) }}}
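Review bot: The checked mode and the remediation text disagree: `filemode: '0644'` and the OCIL `-rw-r--r--` enforce 0644, while `describe_file_permissions(... perms="0664")` and `fixtext_file_permissions("/var/log/waagent.log", "0664")` tell the operator to set 0664, which leaves the file group-writable and still non-compliant after following the fixtext; change both to `"0644"` (the pass test's `g+r-wx` confirms that intent). In `file_regex: .*waagent.log([^\/]+)?$` the dot is unescaped and the prefix unanchored, so `waagentXlog` or `oldwaagent.log` also match; `^waagent\.log([^\/]+)?$` is what the title describes. The tests create `waagent.log1`, whereas logrotate produces `waagent.log.1` — presumably both are meant to match, so a test using the real rotated name would be more convincing.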
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/invalid_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/invalid_permissions.fail.sh
new file mode 100644
index 00000000000..35f0c7d904b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/invalid_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/waagent.log1
+chmod a+x /var/log/waagent.log1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..28a021e2a59
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /var/log/waagent.log
+chmod 777 /var/log/waagent.log
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..e7f12d3e38f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_waagent/tests/valid_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+touch /var/log/waagent.log1
+chmod u+rw-x,g+r-wx,o+r-wx /var/log/waagent.log1
+
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/rule.yml
new file mode 100644
index 00000000000..44a1470cf47
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/wtmp(.*) Files'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/(b|w)tmp(.*|-*)", perms="0664") }}}
+
+rationale: |-
+ The /var/log/(b|w)tmp(.*|-*) files contains logs of reports the most recent login of all users
+ and should only be accessed by authorized personnel.
+
+severity: medium
+
+
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/(b|w)tmp(.*|-*)", perms="-rw-rw-r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/(b|w)tmp(.*|-*)", perms="-rw-rw-r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: .*(b|w)tmp((\.|-)[^\/]+)?$
+ filemode: '0664'
+
+fixtext: |-
+ {{{ fixtext_file_permissions("/var/log/(b|w)tmp(.*|-*)", "0664") | indent(4) }}}
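Review bot: Folding `btmp` and `wtmp` into one rule at `0664` makes `btmp` world-readable, which is weaker than the usual distro default for that file (typically `0660 root:utmp`, with only `wtmp` at 0664 — confirm for the target products); `btmp` records failed logins, and users routinely type a password into the username field, so an "other"-readable `btmp` is a credential leak, which is the reason benchmarks keep it group-only. Splitting into `file_permissions_var_log_btmp` (0660) and `file_permissions_var_log_wtmp` (0664), or at least tightening this rule to 0660 for both, would avoid the regression. The rationale text ("reports the most recent login of all users") is copied from the lastlog rule and is wrong here — wtmp is the login/logout history and btmp the failed-login record. Passing the regex `/var/log/(b|w)tmp(.*|-*)` to `describe_file_permissions`, the OCIL macros and `fixtext_file_permissions` renders it verbatim into operator-facing text, so the fixtext will presumably read like `chmod 0664 /var/log/(b|w)tmp(.*|-*)`, which is not a runnable command; spell out the files instead.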
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/invalid_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/invalid_permissions.fail.sh
new file mode 100644
index 00000000000..2632d45c612
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/invalid_permissions.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+touch /var/log/wtmp.1
+touch /var/log/wtmp-1
+touch /var/log/btmp.1
+touch /var/log/btmp-1
+chmod a+x /var/log/wtmp.1
+chmod a+x /var/log/wtmp-1
+chmod a+x /var/log/btmp.1
+chmod a+x /var/log/btmp-1
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..6fb3f3096a7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/lenient_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+touch /var/log/wtmp
+touch /var/log/btmp
+chmod 777 /var/log/wtmp
+chmod 777 /var/log/btmp
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/valid_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/valid_permissions.pass.sh
new file mode 100644
index 00000000000..bece801ab4d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_wbtmp/tests/valid_permissions.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+touch /var/log/wtmp.s
+chmod u+rw-x,g+rw-x,o+r-wx /var/log/wtmp.1
+touch /var/log/wtmp-1
+chmod u+rw-x,g+rw-x,o+r-wx /var/log/wtmp-1
+touch /var/log/btmp.1
+chmod u+rw-x,g+rw-x,o+r-wx /var/log/btmp.1
+touch /var/log/btmp-1
+chmod u+rw-x,g+rw-x,o+r-wx /var/log/btmp-1
+
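Review bot: The first pair of lines is mismatched — `touch /var/log/wtmp.s` creates one file while `chmod u+rw-x,g+rw-x,o+r-wx /var/log/wtmp.1` targets another that was never created, so the chmod fails and `wtmp.s` is left with whatever mode the umask produced (0644 under a default umask), which happens to satisfy a 0664 "no more permissive than" check and hides the typo. Change the first line to `touch /var/log/wtmp.1` so the test exercises the intended rotated name. Adding `set -e` at the top of these helper scripts would make such a failed `chmod` surface instead of passing silently.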
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index be4949fd8df..da9348c2e81 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -27,6 +27,11 @@
{{{ filepath[:-1] }}}
{{%- if FILE_REGEX %}}
{{{ FILE_REGEX[loop.index0] }}}
+ {{%- if EXCLUDED_FILES %}}
+ {{%- for excluded_file in EXCLUDED_FILES %}}
+ exclude_files_{{{ FILEID }}}_{{{ loop.index0 }}}
+ {{%- endfor %}}
+ {{%- endif %}}
{{%- else %}}
{{%- endif %}}
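Review bot: The new `exclude_files_{{{ FILEID }}}_{{{ loop.index0 }}}` filter references are emitted only inside the `{{%- if FILE_REGEX %}}` branch, so a rule that sets `excluded_files` together with a plain `filepath` and no regex has its exclusions silently ignored; either document that restriction where the template's vars are described or emit the filters in the `else` branch too. The state these filters point at (defined further down the file, partly outside this hunk) builds its pattern with only `replace("*", ".*")`, so every other regex metacharacter in the glob is taken literally as regex — `/var/log/foo.log*` also excludes `/var/log/fooXlog…`; escaping the pattern before substituting `*` (a `regex_escape`-style filter, if the build's Jinja environment provides one — confirm) keeps the exclusion no broader than the glob the rule author wrote. Over-broad exclusions matter here because an excluded file simply drops out of the ownership check with no signal.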
@@ -45,4 +50,11 @@
symbolic link
+ {{%- if EXCLUDED_FILES %}}
+ {{%- for excluded_file in EXCLUDED_FILES %}}
+
+ ^{{{ excluded_file|replace("*", ".*") }}}$
+
+ {{%- endfor %}}
+ {{%- endif %}}