From 4b2e1d5067b0240b4db64fa3feec876eadce94e3 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 23 Jun 2021 17:14:57 -0400
Subject: [PATCH] created and updated check/fix for asl and newsyslog permissions
---
 ...s_asl_log_files_owner_group_configure.yaml | 38 ++++++++++++++++++
 ...s_asl_log_files_permissions_configure.yaml | 38 ++++++++++++++++++
 ...newsyslog_files_owner_group_configure.yaml | 40 +++++++++++++++++++
 ...newsyslog_files_permissions_configure.yaml | 39 ++++++++++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 rules/os/os_asl_log_files_owner_group_configure.yaml
 create mode 100644 rules/os/os_asl_log_files_permissions_configure.yaml
 create mode 100644 rules/os/os_newsyslog_files_owner_group_configure.yaml
 create mode 100644 rules/os/os_newsyslog_files_permissions_configure.yaml
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
new file mode 100644
index 00000000..c80c96ed
--- /dev/null
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -0,0 +1,38 @@
+id: os_asl_log_files_owner_group_configure
+title: "Configure Apple System Log Files Owned by Root and Group to Wheel"
+discussion: |
+ The Apple System Logs (ASL) _MUST_ be owned by root.
+
+ ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.
+check: |
+ /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
+fix: |
+ [source,bash]
+ ----
+ /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r5:
+ - SI-11
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004001
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
new file mode 100644
index 00000000..5657f4d2
--- /dev/null
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
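Review bot: This rule declares no `result:` block, while the other three files in this commit end their `check:` with `result:` / `  integer: 0`, so the expected outcome of the `wc -l` count is undefined for this rule and it should get the same two lines after `check:`. The `fix:` pipeline also filters twice, `/usr/bin/awk '!/^root:wheel:/{print $1}'` followed by `/usr/bin/awk -F":" '!/^root:wheel:/{print $3}'`; the first stage is redundant, and the newsyslog counterpart in this commit does it in a single `-F":"` stage, which would be the consistent form. One point to confirm: the stock `/etc/asl.conf` appears to reference `system.log` by a relative path, in which case `stat` fails on it, `2> /dev/null` hides that failure, and the system log is silently left out of both check and fix.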
@@ -0,0 +1,38 @@
+id: os_asl_log_files_permissions_configure
+title: "Configure Apple System Log Files To Mode 640 or Less Permissive"
+discussion: |
+ The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
+check: |
+ /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r5:
+ - SI-11
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004002
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
new file mode 100644
index 00000000..30c01dd4
--- /dev/null
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
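Review bot: The `check:` accepts only the literal string 640 (`/usr/bin/awk '!/640/{print $1}'`), but the title and discussion require "640 or less permissive", so a log already at 600 or 440 is reported as a finding and the `fix:` then runs `/bin/chmod 640` on it, making a stricter file more permissive. The unanchored `/640/` also matches anywhere in the `mode:path` line, so a path that happens to contain "640" passes whatever its mode is. Both stages should test the mode field against the permitted set instead, e.g. `/usr/bin/awk -F":" '$1 !~ /^[0246][04]0$/ {print $2}'`, with the check counting that output. The same pattern is in os_newsyslog_files_permissions_configure.yaml in this commit and needs the same change.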
@@ -0,0 +1,40 @@
+id: os_newsyslog_files_owner_group_configure
+title: "Configure System Log Files Owned by Root and Group to Wheel"
+discussion: |
+ The system log files _MUST_ be owned by root.
+
+ System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
+check: |
+ /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r5:
+ - SI-11
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004001
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
new file mode 100644
index 00000000..07004f65
--- /dev/null
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
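Review bot: The `discussion:` states only that the files "_MUST_ be owned by root", while the `check:` fails any file not matching `^root:wheel:` and the `fix:` sets `root:wheel`, so the text should state the full requirement, e.g. `The system log files _MUST_ be owned by root and the group _MUST_ be wheel.`. The fix also changes only the live files: newsyslog, as I read it, recreates a rotated log with the owner:group and mode given on that entry's line in `/etc/newsyslog.conf`, so a `chown` here can be undone at the next rotation unless the conf entry agrees, which the discussion could note for administrators. Whether entries kept outside `/etc/newsyslog.conf` are also in scope of this rule is not visible here and worth confirming.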
@@ -0,0 +1,39 @@
+id: os_newsyslog_files_permissions_configure
+title: "Configure System Log Files to Mode 640 or Less Permissive"
+discussion: |
+ The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
+
+check: |
+ /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}')
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r5:
+ - SI-11
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004002
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
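Review bot: The last stage of the `fix:` pipeline is a bare `awk -F":" '!/640/{print $2}'`, while every other utility in these four files is called by absolute path; a remediation that runs as root should not resolve `awk` through the caller's PATH, so it should read `/usr/bin/awk -F":" '!/640/{print $2}'`. The preceding `/usr/bin/awk '!/640/{print $1}'` stage is redundant with it, and the ASL permissions rule in this commit gets the same result from the single `-F":"` stage. The literal-640 match in both `check:` and `fix:` has the "640 or less permissive" problem raised on os_asl_log_files_permissions_configure.yaml and needs the same correction here.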