5.1.3 Ensure all logfiles have appropriate permissions and ownership

Information

Log files contain information from many services on the local system or, in the case of a centralized log server, from other systems as well. Log files are generally found under /var/log, although applications can be configured to store logs elsewhere. If an application stores its logs in another location, run the same checks against that location.

It is important that log files have the correct permissions and ownership so that sensitive data in them is protected and only the appropriate users and groups can read or modify them. Log files that are world-readable can leak credentials, usernames and internal hostnames; log files that are writable by unprivileged users can be tampered with to hide activity.

Solution

Run the following script to update permissions and ownership on files in /var/log:

Although the script is not destructive, capture the output of the audit procedure before running it so that the original ownership and modes are known in the event that the remediation causes issues.

#!/usr/bin/env bash

{
   echo -e "\n- Start remediation - logfiles have appropriate permissions and ownership"
   UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
   find /var/log -type f | while read -r fname; do
      bname="$(basename "$fname")"
      fugname="$(stat -Lc "%U %G" "$fname")"
      funame="$(awk '{print $1}' <<< "$fugname")"
      fugroup="$(awk '{print $2}' <<< "$fugname")"
      fuid="$(stat -Lc "%u" "$fname")"
      fmode="$(stat -Lc "%a" "$fname")"
      case "$bname" in
         lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp-*)
            # Login records: mode 0664 or more restrictive, owner root, group utmp or root
            ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-wx "$fname"
            ! grep -Pq -- '^\h*root\h*$' <<< "$funame" && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
            ! grep -Pq -- '^\h*(utmp|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
            ;;
         secure | auth.log | syslog | messages)
            # Authentication and system logs: mode 0640 or more restrictive, owner syslog or root, group adm or root
            ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
            ! grep -Pq -- '^\h*(syslog|root)\h*$' <<< "$funame" && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
            ! grep -Pq -- '^\h*(adm|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
            ;;
         SSSD | sssd)
            # SSSD logs: mode 0660 or more restrictive, owner and group sssd or root
            ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-rwx "$fname"
            ! grep -Piq -- '^\h*(SSSD|root)\h*$' <<< "$funame" && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
            ! grep -Piq -- '^\h*(SSSD|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
            ;;
         gdm | gdm3)
            # GDM logs: mode 0660 or more restrictive, owner root, group gdm, gdm3 or root
            ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-rwx "$fname"
            ! grep -Pq -- '^\h*root\h*$' <<< "$funame" && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
            ! grep -Pq -- '^\h*(gdm3?|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
            ;;
         *.journal | *.journal~)
            # systemd journal files: mode 0640 or more restrictive, owner root, group systemd-journal or root
            ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
            ! grep -Pq -- '^\h*root\h*$' <<< "$funame" && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
            ! grep -Pq -- '^\h*(systemd-journal|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
            ;;
         *)
            # All other log files: mode 0640 or more restrictive; owner must be a system account
            # (uid below UID_MIN) and group must be adm, root or the owner's primary group
            ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode" && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
            if [ "$fuid" -ge "$UID_MIN" ] || ! grep -Pq -- '(adm|root|'"$(id -gn "$funame")"')' <<< "$fugroup"; then
               if [ -n "$(awk -v grp="$fugroup" -F: '$1==grp {print $4}' /etc/group)" ] || ! grep -Pq '(syslog|root)' <<< "$funame"; then
                  [ "$fuid" -ge "$UID_MIN" ] && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
                  ! grep -Pq -- '^\h*(adm|root)\h*$' <<< "$fugroup" && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
               fi
            fi
            ;;
      esac
   done
   echo -e "- End remediation - logfiles have appropriate permissions and ownership\n"
}

Note: You may also need to change the configuration of your logging software or services (for example the ownership and mode that logrotate or the syslog daemon apply when creating new files) for any logs that had incorrect permissions; otherwise the files may be recreated with the wrong ownership or mode at the next rotation.

If there are services that log to other locations, ensure that those log files also have the appropriate permissions and ownership.

See Also

https://workbench.cisecurity.org/benchmarks/12705

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 38155b470aa105e62b4a3918abc9541d9c8ad3747a0120f8d10df10fb7d79377