diff --git a/linux_os/guide/system/logging/journald/file_groupowner_system_journal/rule.yml b/linux_os/guide/system/logging/journald/file_groupowner_system_journal/rule.yml
index 0c8d6e4fac1..48f448d828d 100644
--- a/linux_os/guide/system/logging/journald/file_groupowner_system_journal/rule.yml
+++ b/linux_os/guide/system/logging/journald/file_groupowner_system_journal/rule.yml
@@ -3,18 +3,50 @@ documentation_complete: true
title: 'Verify Group Who Owns the system journal'
-description: '{{{ describe_file_group_owner(file="/var/log/journal/.*/system.journal", group="systemd-journal") }}}'
+description: |-
+ {{%- if 'ubuntu' in product %}}
+ Verify the /run/log/journal and /var/log/journal files are group-owned by
+ "systemd-journal" by using the following command:
+
+ $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %G" {} \;
+
+ If any output returned is not group-owned by "systemd-journal", this is a finding.
+ {{%- else %}}
+ '{{{ describe_file_group_owner(file="/var/log/journal/.*/system.journal", group="systemd-journal") }}}'
+ {{%- endif %}}
rationale: |-
- RHCOS must protect system journal file from any type of unauthorized access by setting file group ownership.
+ {{%- if 'ubuntu' in product %}}
+ Only authorized personnel should be aware of errors and the details of the errors.
+ Error messages are an indicator of an organization's operational state or can
+ identify the operating system or platform. Additionally, personally identifiable
+ information (PII) and operational information must not be revealed through error
+ messages to unauthorized personnel or their designated representatives.
+ {{%- else %}}
+ RHCOS must protect system journal file from any type of unauthorized access by setting file group ownership.
+
+ {{%- endif %}}
identifiers:
- cce@rhcos4: CCE-86221-9
+ cce@rhcos4: CCE-86221-9
severity: medium
+fixtext: |
+ {{%- if 'ubuntu' in product %}}
+ Configure the system to set the appropriate group-ownership to the files
+ used by the systemd journal:
+ Add or modify the following lines in the "/etc/tmpfiles.d/systemd.conf" file:
+
+ z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
+
+ Restart the system for the changes to take effect.
+ {{%- endif %}}
+
references:
- srg: SRG-APP-000118-CTR-000240
+ disa: CCI-001314
+ srg: SRG-APP-000118-CTR-000240
+ stigid@ubuntu2204: UBTU-22-232095
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/journal/.*/system.journal", group="systemd-journal") }}}'
@@ -24,6 +56,17 @@ ocil: |-
template:
name: file_groupowner
vars:
+ {{%- if 'ubuntu' in product %}}
+ filepath:
+ - /run/log/journal/
+ - /var/log/journal/
+ recursive: 'true'
+ file_regex: ^.*$
+ gid_or_name: systemd-journal
+
+ {{%- else %}}
filepath: ^/var/log/journal/.*/system.journal$
gid_or_name: systemd-journal
filepath_is_regex: "true"
+
+ {{%- endif %}}
diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
index 5fe21f5c71f..ba6d8ff31c7 100644
--- a/products/ubuntu2204/profiles/stig.profile
+++ b/products/ubuntu2204/profiles/stig.profile
@@ -652,9 +652,9 @@ selections:
# Analogous to file_ownership_var_log_audit
# UBTU-22-232090 The Ubuntu operating system must configure the files used by the system journal to be owned by "root"
- ### TODO (rule needed)
- # Analogous to file_group_ownership_var_log_audit
+ ### TODO (incomplete remediation - tmpfiles.d)
# UBTU-22-232095 The Ubuntu operating system must configure the files used by the system journal to be group-owned by "systemd-journal"
+ - file_groupowner_system_journal
### TODO (rule needed)
# Similar to file_ownership_var_log_audit