Verify Group Who Owns /var/log/auth.log File

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

To properly set the group owner of /var/log/auth.log, run the command:

$ sudo chgrp adm /var/log/auth.log

or

$ sudo chgrp root /var/log/auth.log

Rationale

The /var/log/auth.log file contains records information about user login attempts and authentication processes and should only be accessed by authorized personnel.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

newgroup=""
if getent group "adm" >/dev/null 2>&1; then
  newgroup="adm"
elif getent group "root" >/dev/null 2>&1; then
  newgroup="root"
fi

if [[ -z "${newgroup}" ]]; then
  >&2 echo "adm and root is not a defined group on the system"
else
if ! stat -c "%g %G" "/var/log/auth.log" | grep -E -w -q "adm|root"; then
    chgrp --no-dereference "$newgroup" /var/log/auth.log
fi

fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Check that the adm group is defined
  ansible.builtin.getent:
    database: group
    key: adm
  ignore_errors: true
  when: file_groupowner_var_log_auth_newgroup is undefined
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_var_log_auth_newgroup variable if adm found
  ansible.builtin.set_fact:
    file_groupowner_var_log_auth_newgroup: adm
  when: ansible_facts.getent_group["adm"] is defined
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Check that the root group is defined
  ansible.builtin.getent:
    database: group
    key: root
  ignore_errors: true
  when: file_groupowner_var_log_auth_newgroup is undefined
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_var_log_auth_newgroup variable if root found
  ansible.builtin.set_fact:
    file_groupowner_var_log_auth_newgroup: root
  when: ansible_facts.getent_group["root"] is defined
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /var/log/auth.log
  ansible.builtin.stat:
    path: /var/log/auth.log
  register: file_exists
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /var/log/auth.log
  ansible.builtin.file:
    path: /var/log/auth.log
    follow: false
    group: '{{ file_groupowner_var_log_auth_newgroup }}'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - configure_strategy
  - file_groupowner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed