Detections
Analytics

5.1.4 Ensure all logfiles have appropriate access configured

Information

Log files stored in /var/log/ contain logged information from many services on the system and potentially from other logged hosts as well.

It is important that log files have the correct permissions to ensure that sensitive data is protected and that only the appropriate users / groups have access to them.

Solution

Run the following script to update permissions and ownership on files in /var/log

Although the script is not destructive, ensure that the output is captured in the event that the remediation causes issues.

#!/usr/bin/env bash

{
 l_op2="" l_output2=""
 l_uidmin="$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)"
 file_test_fix()
 {
 l_op2=""
 l_fuser="root"
 l_fgroup="root"
 if [ $(( $l_mode & $perm_mask )) -gt 0 ]; then
 l_op2="$l_op2
 - Mode: \"$l_mode\" should be \"$maxperm\" or more restrictive
 - Removing excess permissions"
 chmod "$l_rperms" "$l_fname"
 fi
 if [[ ! "$l_user" =~ $l_auser ]]; then
 l_op2="$l_op2
 - Owned by: \"$l_user\" and should be owned by \"${l_auser//|/ or }\"
 - Changing ownership to: \"$l_fuser\""
 chown "$l_fuser" "$l_fname"
 fi
 if [[ ! "$l_group" =~ $l_agroup ]]; then
 l_op2="$l_op2
 - Group owned by: \"$l_group\" and should be group owned by \"${l_agroup//|/ or }\"
 - Changing group ownership to: \"$l_fgroup\""
 chgrp "$l_fgroup" "$l_fname"
 fi
 [ -n "$l_op2" ] && l_output2="$l_output2
 - File: \"$l_fname\" is:$l_op2
"
 }
 unset a_file && a_file=() # clear and initialize array
 # Loop to create array with stat of files that could possibly fail one of the audits
 while IFS= read -r -d $'0' l_file; do
 [ -e "$l_file" ] && a_file+=("$(stat -Lc '%n^%#a^%U^%u^%G^%g' "$l_file")")
 done < <(find -L /var/log -type f ( -perm /0137 -o ! -user root -o ! -group root ) -print0)
 while IFS="^" read -r l_fname l_mode l_user l_uid l_group l_gid; do
 l_bname="$(basename "$l_fname")"
 case "$l_bname" in
 lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp-* | README)
 perm_mask='0113'
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_rperms="ug-x,o-wx"
 l_auser="root"
 l_agroup="(root|utmp)"
 file_test_fix
 ;;
 secure | auth.log | syslog | messages)
 perm_mask='0137'
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_rperms="u-x,g-wx,o-rwx"
 l_auser="(root|syslog)"
 l_agroup="(root|adm)"
 file_test_fix
 ;;
 SSSD | sssd)
 perm_mask='0117'
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_rperms="ug-x,o-rwx"
 l_auser="(root|SSSD)"
 l_agroup="(root|SSSD)"
 file_test_fix
 ;;
 gdm | gdm3)
 perm_mask='0117'
 l_rperms="ug-x,o-rwx"
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_auser="root"
 l_agroup="(root|gdm|gdm3)"
 file_test_fix
 ;;
 *.journal | *.journal~)
 perm_mask='0137'
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_rperms="u-x,g-wx,o-rwx"
 l_auser="root"
 l_agroup="(root|systemd-journal)"
 file_test_fix
 ;;
 *)
 perm_mask='0137'
 maxperm="$( printf '%o' $(( 0777 &amp; ~$perm_mask)) )"
 l_rperms="u-x,g-wx,o-rwx"
 l_auser="(root|syslog)"
 l_agroup="(root|adm)"
 if [ "$l_uid" -lt "$l_uidmin" ] &amp;&amp; [ -z "$(awk -v grp="$l_group" -F: '$1==grp {print $4}' /etc/group)" ]; then
 if [[ ! "$l_user" =~ $l_auser ]]; then
 l_auser="(root|syslog|$l_user)"
 fi
 if [[ ! "$l_group" =~ $l_agroup ]]; then
 l_tst=""
 while l_out3="" read -r l_duid; do
 [ "$l_duid" -ge "$l_uidmin" ] &amp;&amp; l_tst=failed
 done <<< "$(awk -F: '$4=='"$l_gid"' {print $3}' /etc/passwd)"
 [ "$l_tst" != "failed" ] &amp;&amp; l_agroup="(root|adm|$l_group)"
 fi
 fi
 file_test_fix
 ;;
 esac
 done <<< "$(printf '%s
' "${a_file[@]}")"
 unset a_file # Clear array
 # If all files passed, then we report no changes
 if [ -z "$l_output2" ]; then
 echo -e "- All files in \"/var/log/\" have appropriate permissions and ownership
 - No changes required
"
 else
 # print report of changes
 echo -e "
$l_output2"
 fi
}

Note: You may also need to change the configuration for your logging software or services for any logs that had incorrect permissions.

If there are services that log to other locations, ensure that those log files have the appropriate access configured.

See Also

https://workbench.cisecurity.org/benchmarks/15965

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 0a46f2e1155c76c18ca7acf2f57bc666d9cd6fb535e4f3371658376a57919098