Verify Group Who Owns the system journal

An XCCDF Rule

Description

Verify the /run/log/journal and /var/log/journal files are group-owned by "systemd-journal" by using the following command:

$ sudo find /run/log/journal /var/log/journal  -type f -exec stat -c "%n %G" {} \;

If any output returned is not group-owned by "systemd-journal", this is a finding.

Rationale

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

ID: xccdf_org.ssgproject.content_rule_file_groupowner_system_journal
Severity: Medium
References: CCI-001314

SRG-APP-000118-CTR-000240

UBTU-22-232095

SV-260504r958566_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-232095
  - configure_strategy  - file_groupowner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /run/log/journal/ file(s) matching ^.*$ recursively
  command: find -H /run/log/journal/  -type f ! -group systemd-journal -regextype
    posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232095
  - configure_strategy
  - file_groupowner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /run/log/journal/ file(s) matching ^.*$
  file:
    path: '{{ item }}'
    group: systemd-journal
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232095
  - configure_strategy
  - file_groupowner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /var/log/journal/ file(s) matching ^.*$ recursively
  command: find -H /var/log/journal/  -type f ! -group systemd-journal -regextype
    posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232095
  - configure_strategy
  - file_groupowner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /var/log/journal/ file(s) matching ^.*$
  file:
    path: '{{ item }}'
    group: systemd-journal
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232095
  - configure_strategy
  - file_groupowner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

TMPFILES_CONF="/usr/lib/tmpfiles.d/systemd.conf"
if ! grep -q 'Z /var/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/var\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/var\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /var/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

if ! grep -q 'Z /run/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/run\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/run\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /run/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

systemd-tmpfiles --create

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Group Who Owns the system journal

Description

Rationale

Remediation - Ansible

Remediation - Shell Script