Verify Permissions on lastlog Command

An XCCDF Rule

Description

To properly set the permissions of /usr/bin/lastlog, run the command:

$ sudo chmod 0750 /usr/bin/lastlog

Rationale

Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_file_permissions_lastlog
Severity: Medium
References: CCI-001314

SI-11(b) SI-11(c) SI-11.1(iv)

SRG-OS-000206-GPOS-00084

OL08-00-020262

SV-248705r779681_rule
Updated: about 1 year ago

- name: Test for existence /usr/bin/lastlog
  stat:
    path: /usr/bin/lastlog
  register: file_exists
  tags:
  - DISA-STIG-OL08-00-020262  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11(c)
  - NIST-800-53-SI-11.1(iv)
  - configure_strategy
  - file_permissions_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-s,g-ws,o-xwrt on /usr/bin/lastlog
  file:
    path: /usr/bin/lastlog
    mode: u-s,g-ws,o-xwrt
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-020262
  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11(c)
  - NIST-800-53-SI-11.1(iv)
  - configure_strategy
  - file_permissions_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed






chmod u-s,g-ws,o-xwrt /usr/bin/lastlog

Verify Permissions on lastlog Command

Description

Rationale

Remediation - Ansible

Remediation - Shell Script