Verify Owner on the system journal

An XCCDF Rule

Description

Verify the /run/log/journal and /var/log/journal files are owned by "root" by using the following command:

$ sudo find /run/log/journal /var/log/journal  -type f -exec stat -c "%n %U" {} \;

If any output returned is not owned by "root", this is a finding.

Rationale

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

ID: xccdf_org.ssgproject.content_rule_file_owner_system_journal
Severity: Medium
References: CCI-001314

SRG-APP-000118-CTR-000240

UBTU-22-232090

SV-260503r958566_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-232090
  - configure_strategy  - file_owner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /run/log/journal/ file(s) matching ^.*$ recursively
  command: find -H /run/log/journal/  -type f ! -uid 0 -regextype posix-extended -regex
    "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232090
  - configure_strategy
  - file_owner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner on /run/log/journal/ file(s) matching ^.*$
  file:
    path: '{{ item }}'
    owner: '0'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232090
  - configure_strategy
  - file_owner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /var/log/journal/ file(s) matching ^.*$ recursively
  command: find -H /var/log/journal/  -type f ! -uid 0 -regextype posix-extended -regex
    "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232090
  - configure_strategy
  - file_owner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner on /var/log/journal/ file(s) matching ^.*$
  file:
    path: '{{ item }}'
    owner: '0'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232090
  - configure_strategy
  - file_owner_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

TMPFILES_CONF="/usr/lib/tmpfiles.d/systemd.conf"
if ! grep -q 'Z /var/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/var\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/var\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /var/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

if ! grep -q 'Z /run/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/run\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/run\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /run/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

systemd-tmpfiles --create

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Owner on the system journal

Description

Rationale

Remediation - Ansible

Remediation - Shell Script