Verify Permissions of Local Logs of audit Tools

An XCCDF Rule

Description

The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command:

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750

Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

ID: xccdf_org.ssgproject.content_rule_permissions_local_audit_binaries
Severity: Medium
References: CCI-001493 CCI-001494 CCI-001495

SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099

SLES-15-030620

CCE-85609-6

SV-234961r991557_rule
Updated: over 1 year ago

Remediation Templates

- name: Configure permission for /usr/sbin/audispd
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/audispd\s+root.*
    line: /usr/sbin/audispd root:root 0750    state: present
  register: update_permissions_local_result_audispd
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries
- name: Correct file permissions after update /usr/sbin/audispd
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_audispd.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/auditctl
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/auditctl\s+root.*
    line: /usr/sbin/auditctl root:root 0750
    state: present
  register: update_permissions_local_result_auditctl
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/auditctl
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_auditctl.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/auditd
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/auditd\s+root.*
    line: /usr/sbin/auditd root:root 0750
    state: present
  register: update_permissions_local_result_auditd
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/auditd
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_auditd.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/ausearch
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/ausearch\s+root.*
    line: /usr/sbin/ausearch root:root 0755
    state: present
  register: update_permissions_local_result_ausearch
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/ausearch
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_ausearch.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/aureport
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/aureport\s+root.*
    line: /usr/sbin/aureport root:root 0755
    state: present
  register: update_permissions_local_result_aureport
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/aureport
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_aureport.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/autrace
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/autrace\s+root.*
    line: /usr/sbin/autrace root:root 0750
    state: present
  register: update_permissions_local_result_autrace
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/autrace
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_autrace.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Configure permission for /usr/sbin/augenrules
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/usr\/sbin\/augenrules\s+root.*
    line: /usr/sbin/augenrules root:root 0750
    state: present
  register: update_permissions_local_result_augenrules
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

- name: Correct file permissions after update /usr/sbin/augenrules
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result_augenrules.changed
  tags:
  - CCE-85609-6
  - DISA-STIG-SLES-15-030620
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_audit_binaries

current_permissions_rules=$(grep "^/usr/sbin/au" /etc/permissions.local)
if [ ${#current_permissions_rules} -eq 0 ]
then
  echo "There are no permission rules for audit information files and folders. We will add them"
  echo "/usr/sbin/audispd root:root 0750" >> /etc/permissions.local
  echo "/usr/sbin/auditctl root:root 0750" >> /etc/permissions.local  echo "/usr/sbin/auditd root:root 0750" >> /etc/permissions.local
  echo "/usr/sbin/ausearch root:root 0755" >> /etc/permissions.local
  echo "/usr/sbin/aureport root:root 0755" >> /etc/permissions.local
  echo "/usr/sbin/autrace root:root 0750" >> /etc/permissions.local
  echo "/usr/sbin/augenrules root:root 0750" >> /etc/permissions.local
fi

check_stats=$(chkstat /etc/permissions.local)
if [ ${#check_stats} -gt 0 ]
then
  echo "Audit information files and folders don't have correct permissions.We will set them"
  chkstat --set /etc/permissions.local
fi

Verify Permissions of Local Logs of audit Tools

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script