Verify Permissions On /etc/ipsec.secrets File

An XCCDF Rule

Description

To properly set the permissions of /etc/ipsec.secrets, run the command:

$ sudo chmod 0644 /etc/ipsec.secrets

Rationale

Setting correct permissions on the /etc/ipsec.secrets file is important because this file hosts Libreswan configuration. Protection of this file is critical for system security. Restricting the permissions ensures exclusive control of the Libreswan configuration.

ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_ipsec_secrets
Severity: Medium
References: R50
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - configure_strategy
  - file_permissions_etc_ipsec_secrets  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/ipsec.secrets
  stat:
    path: /etc/ipsec.secrets
  register: file_exists
  when: '"libreswan" in ansible_facts.packages'
  tags:
  - configure_strategy
  - file_permissions_etc_ipsec_secrets
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xs,g-xws,o-xwt on /etc/ipsec.secrets
  file:
    path: /etc/ipsec.secrets
    mode: u-xs,g-xws,o-xwt
  when:
  - '"libreswan" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - configure_strategy
  - file_permissions_etc_ipsec_secrets
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libreswan' 2>/dev/null | grep -q installed; then

chmod u-xs,g-xws,o-xwt /etc/ipsec.secrets

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions On /etc/ipsec.secrets File

Description

Rationale

Remediation - Ansible

Remediation - Shell Script