4.2.3 Ensure permissions on all logfiles are configured

Information

Log files stored in /var/log/ contain logged information from many services on the system and, on log hosts, from other systems as well.

It is important that log files have the correct permissions so that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information.

Solution

Run the following command to set permissions on all existing log files and directories under /var/log:

find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-wx,o-rwx "{}" +

Note: The configuration for your logging software or services may also need to be modified for any logs that had incorrect permissions; otherwise, the permissions may be reverted to the incorrect permissions.
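
An audit counterpart to the remediation above, added here as an example and not part of the benchmark text: it lists every file or directory whose mode still grants group write/execute or any access to other. The function names audit_log_perms, fix_log_perms and count_log_findings are hypothetical, and the optional directory argument is an assumption so the check can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example, not from the benchmark. Helper names are hypothetical.

# Print every regular file or directory under $1 (default /var/log) whose
# mode has any bit of 0037 set: group write (0020), group execute (0010),
# other read (0004), other write (0002) or other execute (0001).
# Only POSIX find tests are used, so GNU, BSD and busybox find all work.
audit_log_perms() {
    find "${1:-/var/log}" \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0010 -o -perm -0004 \
           -o -perm -0002 -o -perm -0001 \) -print
}

# Number of non-compliant entries; 0 means the tree passes the check.
count_log_findings() {
    audit_log_perms "${1:-/var/log}" | wc -l | tr -d ' '
}

# The remediation command from this page, parameterised on the directory
# (assumption: same expression, only the starting path is variable).
fix_log_perms() {
    find "${1:-/var/log}" -type f -exec chmod g-wx,o-rwx "{}" + \
        -o -type d -exec chmod g-wx,o-rwx "{}" +
}
```

Run audit_log_perms before and after the remediation, and again after the next log rotation, to catch a logging service that recreates files with the old mode.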

See Also

https://workbench.cisecurity.org/files/3682

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|5.1

Plugin: Unix

Control ID: b50e03e6f14c8fc514a1bb21b4d350d1ccd7fe5afcea48d399b4825c8041f63e