Verify Groupowner on the journalctl command
An XCCDF Rule
Description
Verify that the "journalctl" command is group-owned by "root" by using the following command:
$ sudo find /usr/bin/journalctl -exec stat -c "%n %G" {} \;
If any output returned is not owned by "root", this is a finding.
Rationale
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
- ID
- xccdf_org.ssgproject.content_rule_file_groupowner_journalctl
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-UBTU-22-232105
- configure_strategy
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then
chgrp 0 /usr/bin/journalctl