From 13207a7ef936151a8298d6678f72911ffbfee3ce Mon Sep 17 00:00:00 2001 
From: Miha Purg
Date: Mon, 16 Dec 2024 09:21:04 +0100
Subject: [PATCH 1/2] Implement rule accounts_umask_root

- checks that umask in /root/.bashrc and /root/.profile is 027 or stricter
- satisfies Ubuntu 24.04 CIS v1 control 5.4.2.6
---
 components/bash.yml | 1 +
 components/pam.yml | 1 +
 .../accounts_umask_root/bash/shared.sh | 3 +++
 .../accounts_umask_root/oval/shared.xml | 21 +++++++++++++++++++
 .../user_umask/accounts_umask_root/rule.yml | 18 ++++++++++++++++
 .../tests/commented.pass.sh | 5 +++++
 .../tests/correct_bashrc.pass.sh | 4 ++++
 .../tests/correct_profile.pass.sh | 4 ++++
 .../accounts_umask_root/tests/lenient.fail.sh | 4 ++++
 .../tests/lenient2.fail.sh | 4 ++++
 .../lenient_bashrc_correct_profile.fail.sh | 5 +++++
 .../tests/lenient_threedigit.fail.sh | 4 ++++
 .../accounts_umask_root/tests/missing.pass.sh | 4 ++++
 .../accounts_umask_root/tests/strict.pass.sh | 4 ++++
 14 files changed, 82 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh

diff --git a/components/bash.yml b/components/bash.yml
index 9aac203b60d..f47e7db605c 100644
--- a/components/bash.yml
+++ b/components/bash.yml
@@ -3,3 +3,4 @@ packages:
 - bash
 rules:
 - accounts_umask_etc_bashrc
+- accounts_umask_root
diff --git a/components/pam.yml b/components/pam.yml
index 577d57e6682..4f3ecb90788 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -92,6 +92,7 @@ rules:
 - accounts_umask_etc_login_defs
 - accounts_umask_etc_profile
 - accounts_umask_interactive_users
+- accounts_umask_root
 - accounts_user_dot_group_ownership
 - accounts_user_dot_no_world_writable_programs
 - accounts_user_dot_user_ownership
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh
new file mode 100644
index 00000000000..2e428131e18
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -i -E -e "s/^([^#]*\bumask)[[:space:]]+[[:digit:]]+/\1 0027/g" /root/.bashrc /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml
new file mode 100644
index 00000000000..01a2608bc6f
--- /dev/null
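Review bot: The `[[:digit:]]+` replacement in bash/shared.sh rewrites every numeric umask it finds, so a root shell that already sets `umask 0077` is loosened to `0027`, even though the check itself accepts stricter values (strict.pass.sh later in this series passes with `0777`); the remediation should only touch values the check would flag. `sed -i` also reports an error and exits non-zero when `/root/.bashrc` or `/root/.profile` is absent on the target host, and the `/g` flag does nothing behind the `^` anchor. Something like the following leaves strict values alone and skips files that do not exist.
```shell
# platform = multi_platform_all

for f in /root/.bashrc /root/.profile; do
    [ -f "$f" ] || continue
    # Rewrite only values the check treats as lenient (group write not masked,
    # or others not fully masked); a stricter umask already present stays as is.
    sed -i -E 's/^([^#]*\bumask[[:space:]]+)[0-7]?[0-7]([01][0-7]|[0-7][0-6])\b/\10027/' "$f"
done
```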
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("The umask for root user of the bash shell") }}} + + + + + + + ^(/root/.bashrc|/root/.profile)$ + ^[^#]*\bumask\s+[0-7]?[0-7]([0-1][0-7]|[0-7][0-6])\s*$ + 1 + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml new file mode 100644 index 00000000000..cf4a34d68f4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml @@ -0,0 +1,18 @@ +documentation_complete: true + +title: 'Ensure the Root Bash Umask is Set Correctly' + +description: |- + To ensure the root user's umask of the Bash shell is set properly, + add or correct the umask setting in /root/.bashrc + or /root/.bashrc to read as follows: +
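Review bot: The lenient-umask pattern in this object ends in `\s*$`, so a lenient value followed by anything else on the line — `umask 0022 # default` or `umask 022; export X` — never matches and, assuming the test passes when no line matches (the XML tags are stripped in this view, so I cannot see the state), the file is reported compliant. Ending the pattern with a word boundary instead, `^[^#]*\bumask\s+[0-7]?[0-7]([0-1][0-7]|[0-7][0-6])\b`, keeps the tested values behaving as they do now and closes that gap. Symbolic forms such as `umask u=rwx,g=rwx,o=rwx` are not matched either; if they are out of scope, rule.yml should say that only octal values are evaluated. The filepath pattern `^(/root/.bashrc|/root/.profile)$` also omits `/root/.bash_profile`, which a bash login shell reads instead of `.profile` when it exists, so a lenient umask placed there goes unnoticed.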
umask 0027
+
+rationale: |-
+ The umask value influences the permissions assigned to files when they are created.
+ A misconfigured umask value could result in files with excessive permissions that can be read or
+ written to by unauthorized users.
+
+severity: medium
+
+platform: package[bash]
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh
new file mode 100644
index 00000000000..91faf04839a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "# umask 0022" >> /root/.bashrc
+
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh
new file mode 100644
index 00000000000..29026a5f21f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0027" >> /root/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh
new file mode 100644
index 00000000000..620dbc9c4d4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0027" >> /root/.profile
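Review bot: The description names `/root/.bashrc` twice — `add or correct the umask setting in /root/.bashrc or /root/.bashrc` — where the second path should be `/root/.profile`, the file the OVAL and the remediation actually cover. `add or correct` also overstates the remediation: the sed in bash/shared.sh only rewrites an existing umask line and adds nothing when neither file sets one, and missing.pass.sh shows that state is accepted, so the text should say that an absent umask is treated as compliant. Suggested wording: `correct any umask setting in /root/.bashrc` / `or /root/.profile to read as follows (a stricter value is also accepted):`, keeping the `umask 0027` example.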
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh
new file mode 100644
index 00000000000..ccc049a4d76
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0022" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh
new file mode 100644
index 00000000000..50fab84e3c7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0017" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh
new file mode 100644
index 00000000000..365ba205150
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0000" >> /root/.bashrc
+echo "umask 0027" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh
new file mode 100644
index 00000000000..1278e99d4d9
--- /dev/null
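Review bot: Every scenario in this set assumes `/root/.bashrc` and `/root/.profile` already exist: `sed '/umask/d' -i` reports an error and exits non-zero for a missing file, and with no `set -e` the script carries on, so on a minimal image the scenario silently tests the wrong state; a `touch /root/.bashrc /root/.profile` before the sed makes the setup deterministic. The fail scenarios also only use bare numeric values — there is no case with a trailing comment or command (`echo "umask 0022 # default" >> /root/.profile`) and none with a symbolic form, which are exactly the inputs the check's `\s*$` anchor does not catch, so adding them would pin that behaviour one way or the other. A `strict_bashrc_lenient_profile.fail.sh` (say `umask 0077` in .bashrc, `umask 0022` in .profile) would additionally show whether remediation leaves the already-strict file untouched.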
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 022" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh
new file mode 100644
index 00000000000..23af6a9487e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh
new file mode 100644
index 00000000000..916ea2ed59d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0777" >> /root/.profile

From 9d9eee2ec75e237137f4f8707c509c99f6d7d24b Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 16 Dec 2024 09:27:04 +0100
Subject: [PATCH 2/2] Add rules to ubuntu2404 CIS control 5.4.2.6

---
 controls/cis_ubuntu2404.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index c72af22cb84..eb617cb9a4a 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2163,8 +2163,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - accounts_umask_root
+ status: automated

 - id: 5.4.2.7
 title: Ensure system accounts do not have a valid login shell (Automated)