os-11 fails on vanilla Ubuntu 16.04/18.04
Tested with ansible-os-hardening
Expected behavior:
os-11 should succeed on vanilla Ubuntu 16.04/18.04 (at least after running ansible-os-hardening)
Actual behavior:
os-11 fails due to group permission
```
× os-11: Protect log-directory (1 failed)
  ✔ File /var/log should be directory
  ✔ File /var/log should be owned by "root"
  × File /var/log should be grouped into "syslog"
    expected `File /var/log.grouped_into?("syslog")` to return true, got false
```
Details
The package rsyslog is not installed by default on Ubuntu 16.04 or 18.04, so /var/log is grouped into root instead of syslog. On Ubuntu 14.04 rsyslog was still installed by default, which is why the control passes there.
```
$ docker run -it ubuntu:14.04 ls -ld /var/log
drwxrwxr-x 5 root syslog 4096 Aug 7 06:18 /var/log
$ docker run -it ubuntu:16.04 ls -ld /var/log
drwxr-xr-x 4 root root 4096 Aug 8 02:03 /var/log
$ docker run -it ubuntu:18.04 ls -ld /var/log
drwxr-xr-x 3 root root 4096 Aug 21 21:12 /var/log
```
Running Kitchen on ansible-os-hardening succeeds because the Docker images by rndmh3ro that it uses include rsyslog: https://github.com/rndmh3ro/docker-ansible/blob/master/ubuntu1604-ansible-latest/Dockerfile#L9
Suggested fix
https://github.com/dev-sec/linux-baseline/blob/master/controls/os_spec.rb#L21 should only expect syslog on 14.04 and expect root otherwise (this will break compatibility with the rndmh3ro Docker images and with rsyslog installations)
OR
Check whether /var/log is grouped into either root or syslog (this keeps compatibility with the rndmh3ro Docker images and with rsyslog installations)
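The second variant, written out as plain Ruby so it can be run and tested outside InSpec (an added example, not code from linux-baseline; the function names and the `ALLOWED_LOG_GROUPS` constant are my own, and the InSpec form in the comment is a suggestion, not the project's current control):

```ruby
require 'etc'

# Group owners accepted for /var/log: "root" on a vanilla Ubuntu 16.04/18.04
# without rsyslog, "syslog" once rsyslog is installed (Ubuntu 14.04, rndmh3ro images).
ALLOWED_LOG_GROUPS = %w[root syslog].freeze

# Mirrors the three os-11 expectations but accepts either group.
# Takes stat-like attributes so it can be exercised with constructed input.
# Returns a list of failure messages; an empty list means the check passes.
def check_log_directory(directory:, owner:, group:, allowed_groups: ALLOWED_LOG_GROUPS)
  failures = []
  failures << 'should be a directory' unless directory
  failures << "should be owned by \"root\" (got \"#{owner}\")" unless owner == 'root'
  unless allowed_groups.include?(group)
    failures << "should be grouped into one of #{allowed_groups.join(', ')} (got \"#{group}\")"
  end
  failures
end

# Resolves the real owner and group names of a path and runs the check on it.
def check_log_directory_path(path = '/var/log')
  st = File.stat(path)
  check_log_directory(
    directory: st.directory?,
    owner: Etc.getpwuid(st.uid).name,
    group: Etc.getgrgid(st.gid).name
  )
end

# Equivalent relaxation inside the InSpec control (hypothetical replacement for
# the single be_grouped_into line in os_spec.rb):
#   describe file('/var/log') do
#     it { should be_directory }
#     it { should be_owned_by 'root' }
#     its('group') { should be_in %w[root syslog] }
#   end

if __FILE__ == $PROGRAM_NAME
  problems = check_log_directory_path
  puts(problems.empty? ? '/var/log: ok' : problems.map { |p| "/var/log #{p}" })
end
```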