Verify Permissions on the journal command

An XCCDF Rule

Description

Verify that the "journalctl" command has a permission set of "740" by using the following command:

 $ sudo find /usr/bin/journalctl -exec stat -c "%n %a" {} \;

If "journalctl" is not set to "740", this is a finding.

Rationale

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.

ID: xccdf_org.ssgproject.content_rule_file_permissions_journalctl
Severity: Medium
References: CCI-001312

UBTU-22-232140

SV-260512r958564_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-232140
  - configure_strategy  - file_permissions_journalctl
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /usr/bin/journalctl
  stat:
    path: /usr/bin/journalctl
  register: file_exists
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232140
  - configure_strategy
  - file_permissions_journalctl
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-s,g-xws,o-xwrt on /usr/bin/journalctl
  file:
    path: /usr/bin/journalctl
    mode: u-s,g-xws,o-xwrt
  when:
  - '"kernel" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-UBTU-22-232140
  - configure_strategy
  - file_permissions_journalctl
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

chmod u-s,g-xws,o-xwrt /usr/bin/journalctl
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on the journal command

Description

Rationale

Remediation - Ansible

Remediation - Shell Script