Verify Group Who Owns /var/log/secure File

Docs > Plateforme de sécurité Datadog > OOTB Rules > Verify Group Who Owns /var/log/secure File

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

To properly set the group owner of /var/log/secure, run the command:

$ sudo chgrp adm /var/log/secure

$ sudo chgrp root /var/log/secure

Rationale

The /var/log/secure file contains information related to authentication and authorization privileges and should only be accessed by authorized personnel.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

if getent group "adm" >/dev/null 2>&1; then
  newgroup="adm"
elif getent group "root" >/dev/null 2>&1; then
  newgroup="root"
fi
if [[ -z ${newgroup} ]]; then
  echo "adm and root is not a defined group on the system"
  exit 1
fi

find -L /var/log/ -maxdepth 1 -type f  ! -group adm ! -group root -regextype posix-extended -regex '.*secure(.*[-\.].*)?' -exec chgrp -L $newgroup {} \;

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Check that the adm group is defined
  getent:
    database: group
    key: adm
  ignore_errors: true
  when: file_groupowner_var_log_secure_newgroup is undefined
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_var_log_secure_newgroup variable if adm found
  set_fact:
    file_groupowner_var_log_secure_newgroup: adm
  when: ansible_facts.getent_group["adm"] is defined
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Check that the root group is defined
  getent:
    database: group
    key: root
  ignore_errors: true
  when: file_groupowner_var_log_secure_newgroup is undefined
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_var_log_secure_newgroup variable if root found
  set_fact:
    file_groupowner_var_log_secure_newgroup: root
  when: ansible_facts.getent_group["root"] is defined
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /var/log/ file(s) matching .*secure(.*[-\.].*)?
  command: find -L /var/log/ -maxdepth 1 -type f  ! -group adm ! -group root -regextype
    posix-extended -regex ".*secure(.*[-\.].*)?"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /var/log/ file(s) matching .*secure(.*[-\.].*)?
  file:
    path: '{{ item }}'
    group: '{{ file_groupowner_var_log_secure_newgroup }}'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - configure_strategy
  - file_groupowner_var_log_secure
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed