Merge pull request #14443 from mpurg/ubuntu_cis_log_perms

Align /var/log ownership rules with Ubuntu CIS

Author: Mab879

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh

@@ -7,6 +7,18 @@
 # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964
 # regarding sssd and gdm exclusions
 
+declare -A valid_shells
+while read -r line; do
+    [[ "$line" == /* ]] && valid_shells["$line"]=1
+done < /etc/shells
+
+declare -A users_with_valid_shells
+while IFS=: read -r user _ _ _ _ _ shell; do
+    if [[ ${valid_shells["$shell"]} == 1 ]]; then
+        users_with_valid_shells["$user"]=1
+    fi
+done < /etc/passwd
+
 find -P /var/log/ -type f -regextype posix-extended \
     ! -group root ! -group adm  \
     ! -name 'gdm' ! -name 'gdm3' \
@@ -26,4 +38,11 @@ find -P /var/log/ -type f -regextype posix-extended \
     ! -regex '.*/localmessages(.*)' \
     ! -regex '.*/secure(.*)' \
     ! -regex '.*/waagent.log(.*)' \
-    -regex '.*' -exec chgrp --no-dereference root {} \;
+    -print0 | while IFS= read -r -d '' log_file
+    do
+        # Set to root if owned by a user with a valid shell
+        user=$(stat -c "%U" "$log_file")
+        if [[ "${users_with_valid_shells["$user"]}" == "1" ]]; then
+            chgrp --no-dereference root "$log_file"
+        fi
+    done

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml

@@ -21,8 +21,8 @@
     <unix:object object_ref="object_group_ownership_var_log" />
     <unix:state state_ref="state_group_ownership_adm_var_log_auth_log"/>
     <unix:state state_ref="state_group_ownership_root_var_log_auth_log"/>
-    {{%- if product == "ubuntu2204" %}}
-    <unix:state state_ref="{{{ rule_id }}}_group_only_has_sys_uids"/>
+    {{%- if 'ubuntu' in product %}}
+    <unix:state state_ref="{{{ rule_id }}}_state_owner_is_system_user"/>
     {{%- endif %}}
   </unix:file_test>
   <unix:file_object comment="/var/log/*" id="object_group_ownership_var_log" version="1">
@@ -96,47 +96,43 @@
   <unix:file_state id="{{{ rule_id }}}_exclude_files_waagent" version="1">
     <unix:filename operation="pattern match">^waagent\.log.*$</unix:filename>
   </unix:file_state>
-  {{%- if product == "ubuntu2204" %}}
-  <unix:file_state id="{{{ rule_id }}}_group_only_has_sys_uids" version="1">
-    <unix:group_id datatype="int" var_ref="empty_group_ids" var_check="at least one"/>
+  {{%- if 'ubuntu' in product %}}
+  <unix:file_state id="{{{ rule_id }}}_state_owner_is_system_user" version="1">
+    <unix:group_id datatype="int" operation="equals" var_ref="{{{ rule_id }}}_var_system_gids" var_check="at least one" />
   </unix:file_state>
 
-  <local_variable id="empty_group_ids" comment="Group IDs with no members" datatype="int" version="1">
-    <object_component item_field="subexpression" object_ref="empty_members_in_etc_group"/>
-  </local_variable>
-
-  <ind:textfilecontent54_object comment="Groups with no members" id="empty_members_in_etc_group" version="1">
-    <ind:filepath>/etc/group</ind:filepath>
-     <ind:pattern operation="pattern match" var_ref="variable_{{{ rule_id }}}_group_regex" var_check="at least one"/>
+  <!-- Fetch all shells designated as valid login shells from /etc/shells -->
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_object_valid_shells" version="1" comment="valid shells">
+    <ind:filepath>/etc/shells</ind:filepath>
+    <ind:pattern operation="pattern match">^(/.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <local_variable id="variable_{{{ rule_id }}}_group_regex" datatype="string" version="1" comment="gid rows retrieved from /etc/passwd">
-    <concat>
-      <literal_component>^[^:]+:[^:]*:(</literal_component>
-      <object_component item_field="subexpression" object_ref="obj_{{{ rule_id }}}_gids_with_only_sys_uids" />
-      <literal_component>):$</literal_component>
-    </concat>
+  <local_variable id="{{{ rule_id }}}_var_valid_shells" comment="list of valid shells" datatype="string" version="1">
+    <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" />
   </local_variable>
-
-  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_gids_with_only_sys_uids" version="1">
+  
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_object_system_users" version="1" comment="users who have an invalid shell">
     <ind:filepath>/etc/passwd</ind:filepath>
-    <ind:pattern operation="pattern match" var_ref="variable_{{{ rule_id }}}_regex" var_check="at least one"/>
+    <ind:pattern operation="pattern match">^[^:]+:[^:]+:[0-9]+:([0-9]+):.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">{{{ rule_id }}}_state_shell_is_valid</filter>
   </ind:textfilecontent54_object>
 
-  <local_variable id="variable_{{{ rule_id }}}_regex" datatype="string" version="1" comment="uid rows retrieved from /etc/passwd">
+  <ind:textfilecontent54_state id="{{{ rule_id }}}_state_shell_is_valid" version="1">
+    <ind:text operation="pattern match" var_ref="{{{ rule_id }}}_var_valid_shells_regex" var_check="at least one"></ind:text>
+  </ind:textfilecontent54_state>
+  
+  <local_variable id="{{{ rule_id }}}_var_valid_shells_regex" datatype="string" version="1" comment="regex of valid shells">
     <concat>
-      <literal_component>^[^:]*:[^:]*:</literal_component>
-        <object_component item_field="subexpression" object_ref="obj_{{{ rule_id }}}_sys_uid" />
-      <literal_component>:(\d+):.*$</literal_component>
+      <literal_component>^.*:(</literal_component>
+        <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" />
+      <literal_component>)$</literal_component>
     </concat>
   </local_variable>
 
-  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_sys_uid" version="1">
-    <ind:filepath>/etc/passwd</ind:filepath>
-    <ind:pattern operation="pattern match">^[^:]+:[^:]*:(\d\d?\d?):.*$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
+  <local_variable id="{{{ rule_id }}}_var_system_gids" comment="GIDs of users with invalid shells" datatype="int" version="1">
+    <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_system_users" />
+  </local_variable>
   {{%- endif %}}
 </def-group>

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# packages = rsyslog
 
 chgrp root -R /var/log/*
 

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# packages = rsyslog
 
 chgrp root -R /var/log/*
 

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# packages = rsyslog
 
 chgrp root -R /var/log/*
 

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+useradd -m -s /bin/bash test_user_with_shell
+
+chown root:root -R /var/log/*
+
+touch /var/log/test_log_file
+chgrp test_user_with_shell /var/log/test_log_file

linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+useradd -m -s /usr/sbin/nologin test_user_no_shell
+
+chown root:root -R /var/log/*
+
+touch /var/log/test_log_file
+chgrp test_user_no_shell /var/log/test_log_file