bloodhound: Add Bottlerocket 4.1.2 check
This adds CIS 4.1.2 to verify file permissions on journal files.

Signed-off-by: Sean McGinnis <[email protected]>
stmcginnis committed Jun 19, 2023
1 parent 450ab90 commit 63efa64
Showing 5 changed files with 46 additions and 1 deletion.
2 changes: 1 addition & 1 deletion packages/os/os.spec
Expand Up @@ -388,7 +388,7 @@ for p in \
br01010101 br01030100 br01040100 br01040200 br01040300 br01040400 \
br01050100 br01050200 br02010101 br03010100 br03020100 br03020200 \
br03020300 br03020400 br03020500 br03020600 br03020700 br03030100 \
br03040101 br03040102 br03040201 br03040202 br04010101 \
br03040101 br03040102 br03040201 br03040202 br04010101 br04010200 \
; do
ln -rs %{buildroot}%{_cross_bindir}/bottlerocket-checks %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/${p}
done
1 change: 1 addition & 0 deletions sources/Cargo.lock


1 change: 1 addition & 0 deletions sources/bloodhound/Cargo.toml
Expand Up @@ -13,6 +13,7 @@ argh = "0.1"
chrono = { version = "0.4", default-features = false, features = ["clock"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
walkdir = "2"

[dev-dependencies]
tempfile = "3"
42 changes: 42 additions & 0 deletions sources/bloodhound/src/bin/bottlerocket-checks/checks.rs
@@ -1,6 +1,8 @@
use bloodhound::results::{CheckStatus, Checker, CheckerMetadata, CheckerResult, Mode};
use bloodhound::*;
use std::os::unix::fs::PermissionsExt;
use std::process::Command;
use walkdir::WalkDir;

const PROC_MODULES_FILE: &str = "/proc/modules";
const PROC_CMDLINE_FILE: &str = "/proc/cmdline";
Expand Down Expand Up @@ -848,3 +850,43 @@ impl Checker for BR04010101Checker {
}
}
}

// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=

pub struct BR04010200Checker {}

impl Checker for BR04010200Checker {
fn execute(&self) -> CheckerResult {
let mut result = CheckerResult::default();

// Recursively walk over all files in /var/log/journal and check perms
for file in WalkDir::new("/var/log/journal")
.into_iter()
.filter_map(|file| file.ok())
{
if let Ok(metadata) = file.metadata() {
if !metadata.is_file() {
continue;
}

if (metadata.permissions().mode() & 0b111) > 0 {
result.error = format!("file {:?} has permissions for 'other'", file.path());
result.status = CheckStatus::FAIL;
break;
}
}
}

result
}

fn metadata(&self) -> CheckerMetadata {
CheckerMetadata {
title: "Ensure permissions on journal files are configured".to_string(),
id: "4.1.2".to_string(),
level: 1,
name: "br04010200".to_string(),
mode: Mode::Automatic,
}
}
}
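Review bot: Walk and metadata errors in `BR04010200Checker::execute` are silently dropped at `.filter_map(|file| file.ok())` and `if let Ok(metadata) = file.metadata()`, so a missing or unreadable `/var/log/journal` (or an entry whose metadata cannot be read) contributes nothing and the check returns `CheckerResult::default()` unchanged — if that default is a passing status (its definition is not in this commit), the check passes without having inspected a single file. A compliance check should report the inability to evaluate rather than treat it as success, so an `Err` on either call should set `result.error` and `result.status = CheckStatus::FAIL` and stop. Separately, the mask `& 0b111` only tests the 'other' bits; if the benchmark's expected mode for journal files is 0640 or stricter, a group-writable file such as 0660 would still pass, so confirm the expected mode against the benchmark text and widen the mask (e.g. `0o027`) if group write/execute must also be denied. Writing the mask in octal (`0o007`) and comparing with `!= 0` also reads more naturally for permission bits than a binary literal compared with `> 0`.
```rust
    fn execute(&self) -> CheckerResult {
        let mut result = CheckerResult::default();

        // Recursively walk over all files in /var/log/journal and check perms.
        // A walk error (missing or unreadable directory) is reported as a failure
        // rather than skipped, so the check cannot pass without inspecting anything.
        for entry in WalkDir::new("/var/log/journal") {
            let file = match entry {
                Ok(file) => file,
                Err(e) => {
                    result.error = format!("unable to walk /var/log/journal: {}", e);
                    result.status = CheckStatus::FAIL;
                    break;
                }
            };

            let metadata = match file.metadata() {
                Ok(metadata) => metadata,
                Err(e) => {
                    result.error = format!("unable to read metadata for {:?}: {}", file.path(), e);
                    result.status = CheckStatus::FAIL;
                    break;
                }
            };

            if !metadata.is_file() {
                continue;
            }

            // Octal mask for the 'other' permission bits; widen to 0o027 if the
            // benchmark also requires group write/execute to be denied (confirm).
            if (metadata.permissions().mode() & 0o007) != 0 {
                result.error = format!("file {:?} has permissions for 'other'", file.path());
                result.status = CheckStatus::FAIL;
                break;
            }
        }

        result
    }
    // … unchanged: metadata() …
```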
1 change: 1 addition & 0 deletions sources/bloodhound/src/bin/bottlerocket-checks/main.rs
Expand Up @@ -62,6 +62,7 @@ fn main() {
level: 1,
}),
"br04010101" => Box::new(BR04010101Checker {}),
"br04010200" => Box::new(BR04010200Checker {}),
&_ => {
eprintln!("Command {} is not supported.", cmd_name);
return;
