From 63efa64fc724674a4dddd2db77971105cfd65b10 Mon Sep 17 00:00:00 2001
From: Sean McGinnis
Date: Tue, 28 Mar 2023 20:43:16 +0000
Subject: [PATCH] bloodhound: Add Bottlerocket 4.1.2 check

This adds CIS 4.1.2 to verify file permissions on journal files.

Signed-off-by: Sean McGinnis
---
 packages/os/os.spec | 2 +-
 sources/Cargo.lock | 1 +
 sources/bloodhound/Cargo.toml | 1 +
 .../src/bin/bottlerocket-checks/checks.rs | 42 +++++++++++++++++++
 .../src/bin/bottlerocket-checks/main.rs | 1 +
 5 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/packages/os/os.spec b/packages/os/os.spec
index 9e6fc24077f..a1490f6eb75 100644
--- a/packages/os/os.spec
+++ b/packages/os/os.spec
@@ -388,7 +388,7 @@ for p in \
 br01010101 br01030100 br01040100 br01040200 br01040300 br01040400 \
 br01050100 br01050200 br02010101 br03010100 br03020100 br03020200 \
 br03020300 br03020400 br03020500 br03020600 br03020700 br03030100 \
- br03040101 br03040102 br03040201 br03040202 br04010101 \
+ br03040101 br03040102 br03040201 br03040202 br04010101 br04010200 \
 ; do
 ln -rs %{buildroot}%{_cross_bindir}/bottlerocket-checks %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/${p}
 done
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
index 233580630e2..3f2b62e1666 100644
--- a/sources/Cargo.lock
+++ b/sources/Cargo.lock
@@ -1006,6 +1006,7 @@ dependencies = [
  "serde",
  "serde_json",
  "tempfile",
+ "walkdir",
 ]
 
 [[package]]
diff --git a/sources/bloodhound/Cargo.toml b/sources/bloodhound/Cargo.toml
index 6c678773869..b71ee8a8261 100644
--- a/sources/bloodhound/Cargo.toml
+++ b/sources/bloodhound/Cargo.toml
@@ -13,6 +13,7 @@ argh = "0.1"
 chrono = { version = "0.4", default-features = false, features = ["clock"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+walkdir = "2"
 
 [dev-dependencies]
 tempfile = "3"
diff --git a/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs b/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs
index 65813b93b77..63e1c7aa916 100644
--- a/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs
+++ b/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs
@@ -1,6 +1,8 @@
 use bloodhound::results::{CheckStatus, Checker, CheckerMetadata, CheckerResult, Mode};
 use bloodhound::*;
+use std::os::unix::fs::PermissionsExt;
 use std::process::Command;
+use walkdir::WalkDir;
 
 const PROC_MODULES_FILE: &str = "/proc/modules";
 const PROC_CMDLINE_FILE: &str = "/proc/cmdline";
@@ -848,3 +850,43 @@ impl Checker for BR04010101Checker {
         }
     }
 }
+
+// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
+
+pub struct BR04010200Checker {}
+
+impl Checker for BR04010200Checker {
+    fn execute(&self) -> CheckerResult {
+        let mut result = CheckerResult::default();
+
+        // Recursively walk over all files in /var/log/journal and check perms
+        for file in WalkDir::new("/var/log/journal")
+            .into_iter()
+            .filter_map(|file| file.ok())
+        {
+            if let Ok(metadata) = file.metadata() {
+                if !metadata.is_file() {
+                    continue;
+                }
+
+                if (metadata.permissions().mode() & 0b111) > 0 {
+                    result.error = format!("file {:?} has permissions for 'other'", file.path());
+                    result.status = CheckStatus::FAIL;
+                    break;
+                }
+            }
+        }
+
+        result
+    }
+
+    fn metadata(&self) -> CheckerMetadata {
+        CheckerMetadata {
+            title: "Ensure permissions on journal files are configured".to_string(),
+            id: "4.1.2".to_string(),
+            level: 1,
+            name: "br04010200".to_string(),
+            mode: Mode::Automatic,
+        }
+    }
+}
diff --git a/sources/bloodhound/src/bin/bottlerocket-checks/main.rs b/sources/bloodhound/src/bin/bottlerocket-checks/main.rs
index 1b23a592c70..46209ae1eda 100644
--- a/sources/bloodhound/src/bin/bottlerocket-checks/main.rs
+++ b/sources/bloodhound/src/bin/bottlerocket-checks/main.rs
@@ -62,6 +62,7 @@ fn main() {
             level: 1,
         }),
         "br04010101" => Box::new(BR04010101Checker {}),
+        "br04010200" => Box::new(BR04010200Checker {}),
         &_ => {
             eprintln!("Command {} is not supported.", cmd_name);
             return;
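Review bot: Walk and metadata errors are silently dropped in `BR04010200Checker::execute` by `.filter_map(|file| file.ok())` and the `if let Ok(metadata) = file.metadata()` guard, so a missing or unreadable /var/log/journal, or a file whose metadata cannot be read, leaves `result` at `CheckerResult::default()` and the check reports whatever that default status is instead of reporting that nothing could be inspected. For an audit check that is the wrong failure direction: the error should be recorded in `result.error` and surfaced as a non-passing status (whether `CheckStatus::FAIL` or a distinct status is the convention here is not visible in this hunk, and the default status itself is defined outside it). The mask also tests only the 'other' bits, so if the benchmark text for 4.1.2 also constrains group access a `0o660` journal file would pass here; a comment stating the intended scope, e.g. `// Only the 'other' permission bits are in scope for this check`, would make that explicit. Minor style: `0o007` reads more naturally than `0b111` for a permission mask, and `!= 0` more naturally than `> 0`.
```rust
        // Recursively walk over all files in /var/log/journal and check perms
        for entry in WalkDir::new("/var/log/journal") {
            let file = match entry {
                Ok(file) => file,
                Err(e) => {
                    // An unreadable tree must not be reported as compliant
                    result.error = format!("unable to read /var/log/journal: {}", e);
                    result.status = CheckStatus::FAIL;
                    break;
                }
            };
            // … unchanged: metadata lookup, is_file filter and mode check …
```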