
Incorrect error for "Verify Permissions on the system journal" (Ubuntu 22.04 STIG)

Open jaredledvina opened this issue 1 year ago • 10 comments

Description of problem:

The Verify Permissions on the system journal check for the Ubuntu 22.04 STIG ruleset is slightly off. The check at https://github.com/ComplianceAsCode/content/blob/21a4c72c55245b055fbf2d767beb7e7e704e37e7/linux_os/guide/system/logging/journald/file_permissions_system_journal/rule.yml#L66 checks for 0640 as the permissions. However, the fix text in v2r2 of the STIG states:

"Configure Ubuntu 22.04 LTS to set the appropriate permissions to the files and directories used by the systemd journal: 
 
Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file: 
z /run/log/journal 2750 root systemd-journal - - 
Z /run/log/journal/%m ~2750 root systemd-journal - - 
z /var/log/journal 2750 root systemd-journal - - 
z /var/log/journal/%m 2750 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0750 root systemd-journal - - 
 
Restart the system for the changes to take effect."

Which explicitly sets /var/log/journal/%m/system.journal to 0750.

Details:

This content is not aligned with content from

The misalignment affects these profiles:

  • Ubuntu 22.04 DISA STIG

The misalignment affects these rules:

  • xccdf_org.ssgproject.content_rule_file_permissions_system_journal

Outcome:

  • [x] This project's content can be improved:
    • [x] Check needs to be improved.
    • [ ] Remediation needs to be improved.
  • [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version: Unsure...where is this located?

External Content's Version: v2r2

jaredledvina avatar Oct 30 '24 20:10 jaredledvina

Hi @jaredledvina, thanks for pointing out this issue. I find it unlikely that the regular journal file should be marked with executable bits (750). It is possible that this is an issue with the STIG manual. I can see that from V2R1 to V2R2, the permissions were changed from 640 to 750:

z /run/log/journal 2640 root systemd-journal - - 
Z /run/log/journal/%m ~2640 root systemd-journal - - 
z /var/log/journal 2640 root systemd-journal - - 
z /var/log/journal/%m 2640 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0640 root systemd-journal - - 
---
z /run/log/journal 2750 root systemd-journal - - 
Z /run/log/journal/%m ~2750 root systemd-journal - - 
z /var/log/journal 2750 root systemd-journal - - 
z /var/log/journal/%m 2750 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0750 root systemd-journal - - 

I suspect that this change fixes missing executable bits on directories (e.g. /var/log/journal), but also introduces incorrect permissions for /var/log/journal/%m/system.journal.

mpurg avatar Dec 02 '24 09:12 mpurg

@mpurg - Yeah, I had a similar thought but was surprised that it's the only change they made from v2r1 to v2r2 so figured maybe it was explicit.

Do you have a way to ask them about this in particular?

For now, I've implemented what's in the actual STIG versus what we're checking here, but I agree an executable bit on the system.journal feels like a bad copy-paste error.

jaredledvina avatar Dec 02 '24 15:12 jaredledvina

I've already sent a request to DISA to consider changing this permission. One more thing to note is that /usr/lib/tmpfiles.d/systemd.conf was replaced by /etc/tmpfiles.d/systemd.conf, which will have the unfortunate side effect of overriding the original config along with some of its unrelated settings. I've suggested to DISA to also revert this change.

mpurg avatar Dec 02 '24 16:12 mpurg
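An added example, written for this page and not code from the ComplianceAsCode project, the STIG, or either commenter. It covers the two points made in the comments above: it parses tmpfiles.d `z`/`Z` lines (the `STIG_V2R2` and `STIG_V2R4` strings are constructed inputs copied from the lines quoted in the thread), flags a `*.journal` entry whose mode carries execute bits, audits a real journal tree against the intended modes, and models the tmpfiles.d precedence under which a file dropped in `/etc/tmpfiles.d` shadows a same-named file in `/usr/lib/tmpfiles.d` entirely. Assumptions: directories 2750 and journal files 0640 owned by `root:systemd-journal` are the STIG's intent; only the three standard tmpfiles.d directories from tmpfiles.d(5) are modelled; the function names are mine.

```python
"""Added example (not ComplianceAsCode or STIG code): audit journal permissions
and model tmpfiles.d precedence. Assumes dirs 2750, journal files 0640,
root:systemd-journal, per the STIG's intent."""
import grp
import os
import pwd
import stat
from pathlib import Path

# Constructed input: the V2R2 lines quoted in the thread, and the V2R4 fix.
STIG_V2R2 = """\
z /run/log/journal 2750 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
z /var/log/journal 2750 root systemd-journal - -
z /var/log/journal/%m 2750 root systemd-journal - -
z /var/log/journal/%m/system.journal 0750 root systemd-journal - -
"""
STIG_V2R4 = STIG_V2R2.replace("system.journal 0750", "system.journal 0640")

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def parse_tmpfiles(text):
    """Return (type, path, mode, masked, user, group) tuples for z/Z lines.

    A leading '~' on the mode field means 'mask': systemd-tmpfiles clears the
    bits not present in the mode instead of setting the mode outright."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("z", "Z"):
            continue
        mode_field = fields[2]
        masked = mode_field.startswith("~")
        mode = int(mode_field.lstrip("~"), 8)
        entries.append((fields[0], fields[1], mode, masked, fields[3], fields[4]))
    return entries


def executable_journal_files(entries):
    """Entries whose path is a journal file but whose mode has any x bit
    (exactly the V2R2 defect: a regular file given 0750)."""
    return [(path, oct(mode)) for _, path, mode, _, _, _ in entries
            if path.endswith(".journal") and mode & EXEC_BITS]


def audit_journal_tree(root, dir_mode=0o2750, file_mode=0o640,
                       owner=None, group=None):
    """Return (path, problem, actual, expected) findings for every directory
    or regular file under root whose permission bits (or owner/group, when
    those are given) differ from the intended values. Symlinks are skipped."""
    findings = []
    root = Path(root)
    for path in [root, *sorted(root.rglob("*"))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        expected = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        actual = stat.S_IMODE(st.st_mode)
        if actual != expected:
            findings.append((str(path), "mode", oct(actual), oct(expected)))
        if owner is not None:
            name = pwd.getpwuid(st.st_uid).pw_name
            if name != owner:
                findings.append((str(path), "owner", name, owner))
        if group is not None:
            name = grp.getgrgid(st.st_gid).gr_name
            if name != group:
                findings.append((str(path), "group", name, group))
    return findings


# Precedence from tmpfiles.d(5), lowest to highest: a file in a later
# directory shadows a same-named file in the earlier ones completely, which
# is why copying systemd.conf into /etc/tmpfiles.d drops the vendor entries.
TMPFILES_DIRS = ("/usr/lib/tmpfiles.d", "/run/tmpfiles.d", "/etc/tmpfiles.d")


def effective_tmpfiles(config_paths):
    """Map basename -> the one config file systemd-tmpfiles actually reads."""
    winners = {}
    for p in config_paths:
        d, base = os.path.split(p)
        if d not in TMPFILES_DIRS:
            raise ValueError(f"{p}: only the standard tmpfiles.d dirs are modelled")
        rank = TMPFILES_DIRS.index(d)
        current = winners.get(base)
        if current is None or rank > TMPFILES_DIRS.index(os.path.dirname(current)):
            winners[base] = p
    return winners


if __name__ == "__main__":
    print("V2R2 executable journal files:",
          executable_journal_files(parse_tmpfiles(STIG_V2R2)))
    print("V2R4 executable journal files:",
          executable_journal_files(parse_tmpfiles(STIG_V2R4)))
    print(effective_tmpfiles(["/usr/lib/tmpfiles.d/systemd.conf",
                              "/etc/tmpfiles.d/systemd.conf"]))
    if os.path.isdir("/var/log/journal"):
        for finding in audit_journal_tree("/var/log/journal",
                                          owner="root", group="systemd-journal"):
            print(finding)
```

Run it as root on a host to audit `/var/log/journal` with the owner and group checks enabled; the tmpfiles.d parsing and the precedence model need no privileges and work on any copy of the config text.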

@mpurg - I just wanted to see if you heard back for DISA on this one

jaredledvina avatar Dec 17 '24 17:12 jaredledvina

Sorry for late reply. I've heard back, the suggestion was considered and will likely be included in a future release.

mpurg avatar Jan 13 '25 08:01 mpurg

Ah cool!

jaredledvina avatar Jan 13 '25 18:01 jaredledvina

Hi @jaredledvina Looks like this was addressed in the latest revision (V2R4):

Configure Ubuntu 22.04 LTS to set the appropriate permissions to the files and directories used by the systemd journal: 
 
Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file: 
z /run/log/journal 2750 root systemd-journal - - 
Z /run/log/journal/%m ~2750 root systemd-journal - - 
z /var/log/journal 2750 root systemd-journal - - 
z /var/log/journal/%m 2750 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0640 root systemd-journal - - 

Restart the system for the changes to take effect.

mpurg avatar Apr 14 '25 16:04 mpurg

Nice yeah, it's good to see them differentiate between directories and the system.journal file correctly. Does https://github.com/ComplianceAsCode/content/blob/f1703f91486bc55f2bfe09349eb9fbf4354b9de2/linux_os/guide/system/logging/journald/file_permissions_system_journal/rule.yml#L56-L62 need to be adjusted to match the latest config? Seems like it's not checking for the 2750 bits if I'm reading it correctly.

jaredledvina avatar Apr 15 '25 00:04 jaredledvina

Hi @jaredledvina. There are two separate rules for system_journal: one, as you mentioned, is for the files under the dirs. The other one, which is for the dirs themselves, is here: https://github.com/ComplianceAsCode/content/blob/6d48cf09c9b33bb7ca49bf16ca0074af77fdbe01/linux_os/guide/system/logging/journald/dir_permissions_system_journal/rule.yml#L36-L43

alanmcanonical avatar Apr 16 '25 10:04 alanmcanonical

Ah! Okay cool, I missed the separate directory specific rule. Thanks!

jaredledvina avatar Apr 16 '25 12:04 jaredledvina

I'm closing this ticket since this was already addressed. Let us know in case of any issues.

dodys avatar Jul 15 '25 11:07 dodys