ComplianceAsCode · ericeberry · Jan 24, 2025 · Jan 27, 2025 · Jan 28, 2025 · Jan 31, 2025
diff --git a/components/filesystem.yml b/components/filesystem.yml
@@ -40,8 +40,20 @@ rules:
 - file_groupowner_etc_shells
 - file_groupowner_systemmap
 - file_groupowner_var_log
+- file_groupowner_var_log_apt
+- file_groupowner_var_log_auth
+- file_groupowner_var_log_cloud_init
+- file_groupowner_var_log_gdm
+- file_groupowner_var_log_gdm3
+- file_groupowner_var_log_journal
+- file_groupowner_var_log_lastlog
+- file_groupowner_var_log_localmessages
 - file_groupowner_var_log_messages
+- file_groupowner_var_log_secure
+- file_groupowner_var_log_sssd
 - file_groupowner_var_log_syslog
+- file_groupowner_var_log_waagent
+- file_groupowner_var_log_wbtmp
 - file_groupownership_audit_binaries
 - file_groupownership_system_commands_dirs
 - file_owner_backup_etc_group
@@ -58,8 +70,19 @@ rules:
 - file_owner_etc_shadow
 - file_owner_systemmap
 - file_owner_var_log
+- file_owner_var_log_auth
+- file_owner_var_log_cloud_init
+- file_owner_var_log_gdm
+- file_owner_var_log_gdm3
+- file_owner_var_log_journal
+- file_owner_var_log_lastlog
+- file_owner_var_log_localmessages
 - file_owner_var_log_messages
+- file_owner_var_log_secure
+- file_owner_var_log_sssd
 - file_owner_var_log_syslog
+- file_owner_var_log_waagent
+- file_owner_var_log_wbtmp
 - file_ownership_audit_binaries
 - file_ownership_binary_dirs
 - file_ownership_library_dirs
@@ -89,8 +112,20 @@ rules:
 - file_permissions_unauthorized_world_writable
 - file_permissions_ungroupowned
 - file_permissions_var_log
+- file_permissions_var_log_apt
+- file_permissions_var_log_auth
+- file_permissions_var_log_cloud-init
+- file_permissions_var_log_gdm
+- file_permissions_var_log_gdm3
+- file_permissions_var_log_lastlog
+- file_permissions_var_log_localmessages
 - file_permissions_var_log_messages
+- file_permissions_var_log_secure
+- file_permissions_var_log_sssd
 - file_permissions_var_log_syslog
+- file_permissions_var_log_waagent
+- file_permissions_var_log_wbtmp
+- groupowner_local_var_log
 - mount_option_boot_efi_nosuid
 - mount_option_boot_noauto
 - mount_option_boot_nodev
@@ -132,6 +167,7 @@ rules:
 - mount_option_var_tmp_noexec
 - mount_option_var_tmp_nosuid
 - no_files_unowned_by_user
+- owner_local_var_log
 - partition_for_boot
 - partition_for_dev_shm
 - partition_for_home

@@ -2433,10 +2433,52 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:  
+      - file_groupowner_var_log_apt
+      - file_groupowner_var_log_auth
+      - file_groupowner_var_log_cloud_init
+      - file_groupowner_var_log_gdm
+      - file_groupowner_var_log_gdm3
+      - file_groupowner_var_log_journal
+      - file_groupowner_var_log_lastlog
+      - file_groupowner_var_log_localmessages
+      - file_groupowner_var_log_messages
+      - file_groupowner_var_log_secure
+      - file_groupowner_var_log_sssd
+      - file_groupowner_var_log_syslog
+      - file_groupowner_var_log_waagent
+      - file_groupowner_var_log_wbtmp
+      - file_owner_var_log_auth
+      - file_owner_var_log_cloud_init
+      - file_owner_var_log_gdm
+      - file_owner_var_log_gdm3
+      - file_owner_var_log_journal
+      - file_owner_var_log_lastlog
+      - file_owner_var_log_localmessages
+      - file_owner_var_log_messages
+      - file_owner_var_log_secure
+      - file_owner_var_log_sssd
+      - file_owner_var_log_syslog
+      - file_owner_var_log_waagent
+      - file_owner_var_log_wbtmp
+      - file_permissions_var_log_apt
+      - file_permissions_var_log_auth
+      - file_permissions_var_log_cloud-init
+      - file_permissions_var_log_gdm
+      - file_permissions_var_log_gdm3
+      - file_permissions_var_log_lastlog
+      - file_permissions_var_log_cloud-init
+      - file_permissions_var_log_localmessages
+      - file_permissions_var_log_messages
+      - file_permissions_var_log_secure
+      - file_permissions_var_log_sssd
+      - file_permissions_var_log_syslog
+      - file_permissions_var_log_waagent
+      - file_permissions_var_log_wbtmp
+      - groupowner_local_var_log
+      - owner_local_var_log
       - permissions_local_var_log
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/4.2.3.
+    status: automated
 
   - id: 6.2.1.1
     title: Ensure auditd packages are installed (Automated)

diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if getent group "adm" >/dev/null 2>&1; then
+    group="adm"
+else
+    group="root"
+fi
+
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -group root ! -group adm -name '*' ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)'  ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chgrp $group {} \;
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/groupowner_local_var_log/oval/shared.xml
@@ -0,0 +1,87 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Group owner of /var/log/* should be root or adm.") }}}
+    <criteria comment="Check group ownership of /var/log/*">
+     <criterion test_ref="test_group_ownership_var_log" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_object id="object_adm_gid" version="1" comment="gid of the dedicated adm group">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^adm:\w+:(\w+):.*</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable id="var_adm_gid" datatype="int" version="1"
+                  comment="Retrieve the gid of adm group">
+    <object_component item_field="subexpression" object_ref="object_adm_gid"/>
+  </local_variable>
+
+  <unix:file_test check="all" comment="/var/log/* group owner is root|adm"
+      id="test_group_ownership_var_log" state_operator="OR" version="1">
+    <unix:object object_ref="object_group_ownership_var_log" />
+    <unix:state state_ref="state_group_ownership_adm_var_log_auth_log"/>
+    <unix:state state_ref="state_group_ownership_root_var_log_auth_log"/>
+  </unix:file_test>
+  <unix:file_object comment="/var/log/*" id="object_group_ownership_var_log" version="1">
+    <unix:path>/var/log</unix:path>
+    <unix:filename operation="pattern match">.*</unix:filename>
+    <filter action="exclude">exclude_files_apt</filter>
+    <filter action="exclude">exclude_files_auth_log</filter>
+    <filter action="exclude">exclude_files_bwtmp</filter>
+    <filter action="exclude">exclude_files_cloudinit</filter>
+    <filter action="exclude">exclude_files_gdm</filter>
+    <filter action="exclude">exclude_files_journal</filter>
+    <filter action="exclude">exclude_files_lastlog</filter>
+    <filter action="exclude">exclude_files_localmessages</filter>
+    <filter action="exclude">exclude_files_messages</filter>
+    <filter action="exclude">exclude_files_secure</filter>
+    <filter action="exclude">exclude_files_sssd</filter>
+    <filter action="exclude">exclude_files_syslog</filter>
+    <filter action="exclude">exclude_files_waagent</filter>
+  </unix:file_object>
+  <unix:file_state id="state_group_ownership_adm_var_log_auth_log" version="1">
+    <unix:group_id datatype="int" operation="equals" var_ref="var_adm_gid"/>
+  </unix:file_state>
+  <unix:file_state id="state_group_ownership_root_var_log_auth_log" version="1">
+    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_apt" version="1">
+    <unix:path operation="pattern match">^.*apt</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_auth_log" version="1">
+    <unix:filename>auth.log</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_bwtmp" version="1">
+    <unix:filename operation="pattern match">^.*[bw]tmp((\.|-).*)?$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_cloudinit" version="1">
+    <unix:filename operation="pattern match">^.*cloud-init\.log.*</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_gdm" version="1" operator="AND">
+    <unix:path operation="pattern match">^.*gdm|gdm3</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_journal" version="1" operator="AND">
+    <unix:filename operation="pattern match">^.*\.journal.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_lastlog" version="1">
+    <unix:filename operation="pattern match">^.*lastlog.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_localmessages" version="1">
+    <unix:filename operation="pattern match">^.*localmessages.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_messages" version="1">
+    <unix:filename>messages</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_secure" version="1">
+    <unix:filename operation="pattern match">^.*secure.*$</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_sssd" version="1" operator="AND">
+    <unix:path operation="pattern match">^.*(sssd|SSSD)$</unix:path>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_syslog" version="1">
+    <unix:filename>syslog</unix:filename>
+  </unix:file_state>
+  <unix:file_state id="exclude_files_waagent" version="1">
+    <unix:filename operation="pattern match">^.*waagent\.log.*$</unix:filename>
+  </unix:file_state>
+</def-group>
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/groupowner_local_var_log/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+
+title: 'Verify ownership of log files'
+
+description: |-
+    Any operating system providing too much information in error messages
+    risks compromising the data and security of the structure, and content
+    of error messages needs to be carefully considered by the organization.
+
+    Organizations carefully consider the structure/content of error messages.
+    The extent to which information systems are able to identify and handle
+    error conditions is guided by organizational policy and operational
+    requirements. Information that could be exploited by adversaries includes,
+    for example, erroneous logon attempts with passwords entered by mistake
+    as the username, mission/business information that can be derived from
+    (if not stated explicitly by) information recorded, and personal
+    information, such as account numbers, social security numbers, and credit
+    card numbers.
+
+rationale: |-
+    The {{{ full_name }}} must generate error messages that provide information
+    necessary for corrective actions without revealing information that could
+    be exploited by adversaries.
+
+severity: medium
+
+ocil_clause: 'not all log files owned by root or syslog'
+
+ocil: |-
+    Verify the operating system has all system log files under the
+    <pre>/var/log</pre> directory, that are not excluded, with a group owner set to root | adm,
+
diff --git a/...x_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh b/...x_os/guide/system/permissions/files/groupowner_local_var_log/tests/excluded_files.pass.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+chgrp root /var/log/*
+mkdir -p /var/log/apt
+chgrp nogroup /var/log/apt
+touch /var/log/auth.log
+chgrp nogroup /var/log/auth.log
+touch /var/log/btmp.log
+touch /var/log/btmp.log.1
+touch /var/log/btmp.log-1
+chgrp nogroup /var/log/btmp*
+touch /var/log/wtmp.log
+touch /var/log/wtmp.log.1
+touch /var/log/wtmp.log-1
+chgrp nogroup /var/log/wtmp*
+touch /var/log/cloud-init.log
+touch /var/log/cloud-init.log.1
+chgrp nogroup /var/log/cloud-init.log*
+mkdir -p /var/log/gdm
+chgrp nogroup /var/log/gdm
+mkdir -p /var/log/gdm3
+chgrp nogroup /var/log/gdm3
+touch /var/log/test.journal
+touch /var/log/test.journal~
+chgrp nogroup /var/log/*.journal*
+touch /var/log/lastlog
+touch /var/log/lastlog.1
+chgrp nogroup /var/log/lastlog*
+touch /var/log/localmessages
+touch /var/log/localmessages.1
+chgrp nogroup /var/log/localmessages*
+touch /var/log/messages
+chgrp nogroup /var/log/messages
+touch /var/log/secure
+chgrp nogroup /var/log/secure*
+mkdir -p /var/log/sssd
+chgrp nogroup /var/log/sssd
+touch /var/log/syslog
+chgrp nogroup /var/log/syslog
+touch /var/log/waagent.log
+touch /var/log/waagent.log.1
+chgrp nogroup /var/log/waagent.log*
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_adm.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp adm /var/log/test.log
diff --git a/..._os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh b/..._os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_nobody.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp nogroup /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/groupowner_local_var_log/tests/owned_by_root.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Ubuntu 24.04
+# packages = rsyslog
+
+touch /var/log/test.log
+chgrp root /var/log/test.log
diff --git a/linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/owner_local_var_log/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Ubuntu 24.04
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if id "syslog" >/dev/null 2>&1; then
+    username="syslog"
+else
+    username="root"
+fi
+
+find -L /var/log/ -maxdepth 1 -regextype posix-extended ! -user root ! -user syslog ! -path '/var/log/apt/*' ! -name 'auth.log' ! -path '/var/log/[bw]tmp*' ! -path '/var/log/cloud-init.log*' ! -name 'gdm' ! -name 'gdm3' ! -regex '.*\.journal[~]?' ! -regex '.*lastlog(\.[^\/]+)?$' ! -regex '.*localmessages(.*)'  ! -name 'messages' ! -regex '.*secure(.*)' ! -name 'sssd' ! -name 'syslog' ! -regex '.*waagent.log(.*)' -regex '.*' -exec chown $username {} \;