Verify Permissions on the system journal

An XCCDF Rule

Description

Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to "640" or less permissive by using the following command:

$ sudo find /run/log/journal /var/log/journal  -type f -exec stat -c "%n %a" {} \;

If any output returned has a permission set greater than "640", this is a finding.

Rationale

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.

ID: xccdf_org.ssgproject.content_rule_file_permissions_system_journal
Severity: Medium
References: CCI-001312

SRG-APP-000118-CTR-000240

UBTU-22-232027

SV-260490r958564_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-22-232027
  - configure_strategy  - file_permissions_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /run/log/journal/ file(s) recursively
  command: find -H /run/log/journal/  -perm /u+xs,g+xws,o+xwrt  -type f -regextype
    posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232027
  - configure_strategy
  - file_permissions_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /run/log/journal/ file(s)
  file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232027
  - configure_strategy
  - file_permissions_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /var/log/journal/ file(s) recursively
  command: find -H /var/log/journal/  -perm /u+xs,g+xws,o+xwrt  -type f -regextype
    posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232027
  - configure_strategy
  - file_permissions_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /var/log/journal/ file(s)
  file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-22-232027
  - configure_strategy
  - file_permissions_system_journal
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

TMPFILES_CONF="/usr/lib/tmpfiles.d/systemd.conf"
if ! grep -q 'Z /var/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/var\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/var\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /var/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

if ! grep -q 'Z /run/log/journal ~2750 root systemd-journal - -' "$TMPFILES_CONF"; then
    if grep -qP "^[zZ][+]*\s+\/run\/log\/journal" "$TMPFILES_CONF"; then
        sed -i --follow-symlinks "s/\(^[zZ][+]*\)\(\s\+\/run\/log\/journal.*\)/# \1\2/" "$TMPFILES_CONF"
    fi
    echo "Z /run/log/journal ~2750 root systemd-journal - -" >>"$TMPFILES_CONF"
fi

systemd-tmpfiles --create

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify Permissions on the system journal

Description

Rationale

Remediation - Ansible

Remediation - Shell Script