
Incorrect error for "Verify Permissions on the system journal" (Ubuntu 22.04 STIG) #12555

Open
2 of 4 tasks
jaredledvina opened this issue Oct 30, 2024 · 6 comments
Labels
Ubuntu Ubuntu product related.

Comments

@jaredledvina

Description of problem:

The Verify Permissions on the system journal check for the Ubuntu 22.04 STIG ruleset is slightly off. The check at

checks for 0640 as the permissions. However, the fix text in v2r2 of the STIG states:

"Configure Ubuntu 22.04 LTS to set the appropriate permissions to the files and directories used by the systemd journal: 
 
Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file: 
z /run/log/journal 2750 root systemd-journal - - 
Z /run/log/journal/%m ~2750 root systemd-journal - - 
z /var/log/journal 2750 root systemd-journal - - 
z /var/log/journal/%m 2750 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0750 root systemd-journal - - 
 
Restart the system for the changes to take effect."

Which explicitly sets /var/log/journal/%m/system.journal to 0750.

Details:

This content is not aligned with content from

The misalignment affects these profiles:

  • Ubuntu 22.04 DISA STIG

The misalignment affects these rules:

  • xccdf_org.ssgproject.content_rule_file_permissions_system_journal

Outcome:

  • This project's content can be improved:
    • Check needs to be improved.
    • Remediation needs to be improved.
  • The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version: Unsure...where is this located?

External Content's Version: v2r2

@mpurg
Contributor

mpurg commented Dec 2, 2024

Hi @jaredledvina , thanks for pointing out this issue.
I find it unlikely that the regular journal file should be marked with executable bits (750).
It is possible that this is an issue with the STIG manual. I can see that from V2R1 to V2R2, the permissions were changed from 640 to 750:

z /run/log/journal 2640 root systemd-journal - - 
Z /run/log/journal/%m ~2640 root systemd-journal - - 
z /var/log/journal 2640 root systemd-journal - - 
z /var/log/journal/%m 2640 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0640 root systemd-journal - - 
---
z /run/log/journal 2750 root systemd-journal - - 
Z /run/log/journal/%m ~2750 root systemd-journal - - 
z /var/log/journal 2750 root systemd-journal - - 
z /var/log/journal/%m 2750 root systemd-journal - - 
z /var/log/journal/%m/system.journal 0750 root systemd-journal - - 

I suspect that this change fixes missing executable bits on directories (e.g. /var/log/journal), but also introduces incorrect permissions for /var/log/journal/%m/system.journal.

@jaredledvina
Author

@mpurg - Yeah, I had a similar thought but was surprised that it's the only change they made from v2r1 to v2r2 so figured maybe it was explicit.

Do you have a way to ask them about this in particular?

For now, I've implemented what's in the actual STIG versus what we're checking here but, I agree an executable bit on the system.journal feels like a bad copy-paste error.

@mpurg
Contributor

mpurg commented Dec 2, 2024

I've already sent a request to DISA to consider changing this permission.
One more thing to note is that /usr/lib/tmpfiles.d/systemd.conf was replaced by /etc/tmpfiles.d/systemd.conf,
which will have the unfortunate side effect of overriding the original config along with some of its unrelated settings.
I've suggested to DISA to also revert this change.
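An added audit script, not code from this project, from DISA, or from either commenter, that covers the two points raised in the comments above: it parses the quoted v2r2 tmpfiles.d lines and reports any regular file that would receive execute bits (only system.journal, since the other entries are directories), and it lists which config names in /etc/tmpfiles.d/ replace a same-named file under /usr/lib/tmpfiles.d/ (the override rule documented in tmpfiles.d(5)). The directory/file map and the config file lists are constructed stand-ins for stat() and directory listings so it runs offline.

```python
import stat

# Constructed copy of the v2r2 fix-text lines quoted in this issue.
STIG_V2R2 = """
z /run/log/journal 2750 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
z /var/log/journal 2750 root systemd-journal - -
z /var/log/journal/%m 2750 root systemd-journal - -
z /var/log/journal/%m/system.journal 0750 root systemd-journal - -
"""

# Stand-in for stat(): which paths are directories (assumed, for offline use).
IS_DIR = {
    "/run/log/journal": True,
    "/run/log/journal/%m": True,
    "/var/log/journal": True,
    "/var/log/journal/%m": True,
    "/var/log/journal/%m/system.journal": False,
}

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def parse_tmpfiles(text):
    """Yield (type, path, mode) for z/Z lines; other line types are ignored.

    A "~" prefix on the mode (as on the Z line) masks execute bits against
    the existing mode, so it is dropped here; the system.journal line has
    no "~" and therefore applies 0750 unconditionally.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("z", "Z"):
            continue
        yield parts[0], parts[1], int(parts[2].lstrip("~"), 8)


def exec_bits_on_files(text, is_dir=IS_DIR):
    """Return regular-file paths whose configured mode carries an execute bit."""
    return [
        path
        for _, path, mode in parse_tmpfiles(text)
        if not is_dir.get(path, True) and mode & EXEC_BITS
    ]


def shadowed_configs(etc_names, usrlib_names):
    """Config names in /etc/tmpfiles.d/ that fully replace the /usr/lib copy."""
    return sorted(set(etc_names) & set(usrlib_names))
```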

@dodys dodys added the Ubuntu Ubuntu product related. label Dec 3, 2024
@jaredledvina
Author

@mpurg - I just wanted to see if you heard back from DISA on this one.

@mpurg
Contributor

mpurg commented Jan 13, 2025

Sorry for late reply. I've heard back, the suggestion was considered and will likely be included in a future release.

@jaredledvina
Author

Ah cool!
