created and updated check/fix for asl and newsyslog permissions

This commit is contained in:
Bob Gendler
2021-06-23 17:14:57 -04:00
parent 42a3ef844a
commit 4b2e1d5067
4 changed files with 155 additions and 0 deletions


@@ -0,0 +1,38 @@
id: os_asl_log_files_owner_group_configure
title: "Configure Apple System Log Files Owned by Root and Group to Wheel"
discussion: |
The Apple System Logs (ASL) _MUST_ be owned by root.
ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
fix: |
[source,bash]
----
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
----
references:
cce:
- N/A
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004001
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- manual
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
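Review bot: This rule declares no `result:` block — `check:` on L18 runs straight into `fix:` on L20 — while the three sibling rules in this commit (os_asl_log_files_permissions_configure and both newsyslog rules) each carry `result:` / `integer: 0`, so a consumer that compares the check output against an expected value has nothing to compare to here. The section header counts 38 lines and 37 are visible, so the block may sit on a line the page dropped; if it does not, add `result:` and `  integer: 0` between `check:` and `fix:`, matching the check's `wc -l` output. Separately, the fix on L23 filters through `/usr/bin/awk '!/^root:wheel:/{print $1}'` before the `-F":"` stage; that first awk is redundant (the equivalent newsyslog owner fix on L108 omits it) and can be dropped so the two rules read the same way.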


@@ -0,0 +1,38 @@
id: os_asl_log_files_permissions_configure
title: "Configure Apple System Log Files To Mode 640 or Less Permissive"
discussion: |
The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
check: |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')
----
references:
cce:
- N/A
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004002
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- manual
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
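Review bot: The mode test `'!/640/'` on L59 and L65 is an unanchored substring match over the whole `%A:%N` line, so it implements neither the title's "640 or less permissive" nor a test of the mode field alone: a log already at 600 or 400 is reported as a finding and the fix then chmods it to 640, loosening it, while any path that happens to contain the digits 640 passes whatever its mode. Splitting on the colon and matching only the mode field against a pattern that admits owner read/write, group read and nothing for others fixes both, e.g. `/usr/bin/awk -F":" '$1 !~ /^[0246]?[04]?0$/ {print $2}'` in place of the `'!/640/'` stages in both the check and the chmod argument. The same construct appears in os_newsyslog_files_permissions_configure at L144 and L150 and should be changed there too. If `%A` reports setuid/setgid/sticky bits as a leading fourth digit, such modes fail this pattern, which is the intended result for a log file.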


@@ -0,0 +1,40 @@
id: os_newsyslog_files_owner_group_configure
title: "Configure System Log Files Owned by Root and Group to Wheel"
discussion: |
The system log files _MUST_ be owned by root.
System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
----
references:
cce:
- N/A
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004001
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- manual
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
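Review bot: The check on L102 and fix on L108 take column 1 of every non-comment line of /etc/newsyslog.conf as a log path, but newsyslog's configuration grammar also permits an `<include>` directive; if the shipped file carries one, column 1 of that line is the literal `<include>`, `stat` fails on it silently under `2> /dev/null`, and the logs declared in the included files are never examined, so the check can report 0 on a system with non-compliant logs. newsyslog.conf(5) also allows an optional `owner:group` column per entry, and an entry that deliberately assigns a non-root owner would be reported here and re-owned to root:wheel by the fix, which can stop that daemon writing its log; either honour that column or state the limitation in `discussion:`, e.g. `Logs whose newsyslog.conf entry specifies a different owner:group are reported by this check and re-owned by the fix.` Whether the macOS 11 file uses either feature is not visible from the hunk, so confirm against the target before deciding. As a minor point, blank lines survive `grep -v '^#'` and reach `awk '{ print $1 }'` as empty fields, which is harmless only because of unquoted command-substitution word splitting; `/usr/bin/awk '!/^#/ && NF { print $1 }' /etc/newsyslog.conf` does the filtering in one stage.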


@@ -0,0 +1,39 @@
id: os_newsyslog_files_permissions_configure
title: "Configure System Log Files to Mode 640 or Less Permissive"
discussion: |
The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
check: |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
integer: 0
fix: |
[source,bash]
----
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}')
----
references:
cce:
- N/A
cci:
- CCI-001314
800-53r5:
- SI-11
800-53r4:
- SI-11
srg:
- SRG-OS-000206-GPOS-00084
disa_stig:
- APPL-11-004002
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r5_high
- manual
- stig
severity: "medium"
mobileconfig: false
mobileconfig_info:
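Review bot: The fix on L150 invokes a bare `awk` as its final stage while every other command in these four rules, including the two awk stages earlier on the same line, is given as an absolute path; a remediation that runs as root should not resolve a tool through `PATH`, so make it `/usr/bin/awk -F":" '!/640/{print $2}'`. The `/usr/bin/awk '!/640/{print $1}'` stage immediately before it is redundant, since the `-F":"` stage applies the same filter and selects the path field itself; the ASL permissions fix on L65 already uses the single-stage form, so dropping it here keeps the two rules consistent.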