From 7307987f653b1be705560a14353735deccb76bc6 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Fri, 12 Apr 2024 17:20:49 +0200 Subject: [PATCH] Add rule file_permissions_journalctl - New rule for auditing permissions of journalctl command - Satisfies STIG requirement UBTU-22-232140 - Based on file_permissions_system_journal --- components/systemd.yml | 1 + .../file_permissions_journalctl/rule.yml | 34 +++++++++++++++++++ products/ubuntu2204/profiles/stig.profile | 4 +-- 3 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 linux_os/guide/system/logging/journald/file_permissions_journalctl/rule.yml
diff --git a/components/systemd.yml b/components/systemd.yml
index 8e60b65dbf47..8c592764eca1 100644
--- a/components/systemd.yml
+++ b/components/systemd.yml
@@ -14,6 +14,7 @@ rules:
 - file_owner_etc_crypttab
 - file_owner_system_journal
 - file_permissions_etc_crypttab
+- file_permissions_journalctl
 - file_permissions_system_journal
 - journald_compress
 - journald_forward_to_syslog
diff --git a/linux_os/guide/system/logging/journald/file_permissions_journalctl/rule.yml b/linux_os/guide/system/logging/journald/file_permissions_journalctl/rule.yml
new file mode 100644
index 000000000000..6c7ec146a272
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/file_permissions_journalctl/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'Verify Permissions on the journal command'
+
+description: |-
+ Verify that the "journalctl" command has a permission set of "740" by
+ using the following command:
+
+     $ sudo find /usr/bin/journalctl -exec stat -c "%n %a" {} \;
+    
+ If "journalctl" is not set to "740", this is a finding. + +rationale: |- + Any operating system providing too much information in error messages risks + compromising the data and security of the structure, and content of error messages + needs to be carefully considered by the organization. + +references: + disa: CCI-001312 + stigid@ubuntu2204: UBTU-22-232140 + +severity: medium + +fixtext: | + Configure "journalctl" to have a permission set of "740": +
+    $ sudo chmod 740 /usr/bin/journalctl
+    
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /usr/bin/journalctl
+ filemode: '0740'
diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
index 5fe21f5c71f0..ecd3657ecc5b 100644
--- a/products/ubuntu2204/profiles/stig.profile
+++ b/products/ubuntu2204/profiles/stig.profile
@@ -664,7 +664,5 @@ selections:
 # Similar to file_group_ownership_var_log_audit
 # UBTU-22-232105 The Ubuntu operating system must be configured so that the "journalctl" command is group-owned by "root"
- ### TODO (rule needed)
-
 # Similar to file_permissions_var_log_audit
 # UBTU-22-232140 The Ubuntu operating system must be configured so that the "journalctl" command is not accessible by unauthorized users
-
+ - file_permissions_journalctl
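Review bot: The fixtext `$ sudo chmod 740 /usr/bin/journalctl` in the rule.yml hunk modifies a binary owned by the systemd package, and on dpkg-based systems a package upgrade generally reinstalls the file with its packaged mode, so the remediation is likely to be silently undone at the next update; the durable form is `$ sudo dpkg-statoverride --update --add root root 0740 /usr/bin/journalctl`, or at minimum the fixtext should warn that the chmod has to be re-applied after systemd upgrades. The description's "If "journalctl" is not set to "740", this is a finding" reads as an exact-mode check, whereas the `file_permissions` template with `filemode: '0740'`, if it behaves like the file_permissions_system_journal rule this one is based on, presumably fails only on modes more permissive than 0740 — so a stricter 0700 would pass the check while the text calls it a finding; consider wording it as "has a permission set of "740" or less permissive". The rationale copies the STIG discussion about error messages and never says why this mode matters; a sentence such as `Restricting the mode of the journalctl binary to root and its group keeps the command from being accessible by unauthorized users, as UBTU-22-232140 requires.` would tie the check to the control it implements, with the caveat that the mode alone only achieves this when the owner and group-ownership rules for the binary are also applied.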
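Review bot: The removed `### TODO (rule needed)` line sat directly under the UBTU-22-232105 comment (journalctl group-owned by "root"), but the only rule this hunk selects is `file_permissions_journalctl`, which covers UBTU-22-232140; unless 232105 is selected elsewhere in the profile, the marker for the still-missing group-ownership rule should stay, e.g. keep `### TODO (rule needed)` after the 232105 comment. This matters for the new rule as well: a 0740 mode only restricts unprivileged users when the binary is owned and group-owned by root, so the permissions check leans on the ownership checks it is listed beside. The `selections:` list continues outside the hunk, so 232105 coverage may be handled on lines not shown here.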