4.2.3 Ensure permissions on all logfiles are configured (Scored)

[shawndwells]

No description provided.

[alexhaydock]

I've been taking a look at how to implement this logically, but this is a difficult control to implement cleanly. The suggested remediation logic by CIS involves running:

find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + 

The logic behind which is that it will set restrictive permissions on all logfiles and all subdirectories of /var/log.

The problem with that approach is that the logic provided also matches /var/log itself and removing the world-executable bit from the top-level /var/log directory prevents any users who aren't root from traversing the directory path. This means that even if a service account owns its own logging subdirectory of /var/log and has permissions set accordingly, it won't be able to see its own logfile to write to, because it doesn't have the execute permissions it needs on /var/log to be able to traverse the directory path. In my experience, this ends up breaking a lot of software.

The validation logic inside CIS CAT Assessor also matches /var/log so it's also not just the case that we could run the same logic as above but tweaked to exclude the top-level /var/log directory.

I'm not entirely sure what is the right approach to implementation here, but I wanted to raise that issue while I'm thinking about it.

[yuumasato]

@alexhaydock Very interesting point, would -mindepth 1 work?

find /var/log -mindepth 1 -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +

From what I tested, this seemed to match the same set of files and dirs, except for /var/log.

[alexhaydock]

@alexhaydock Very interesting point, would -mindepth 1 work?

find /var/log -mindepth 1 -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +

From what I tested, this seemed to match the same set of files and dirs, except for /var/log.

I think this is a great solution to implement this control and match the wording of the benchmark. Thanks!

It seems from the logic implemented in the CIS CAT Assessor tool that CIS might intend /var/log to be included too (remediating a host with your solution still leads CIS CAT to report a failure for this control), but since the benchmark itself doesn't seem to indicate that /var/log itself is in-scope, I'm willing to suggest that it's more likely that this is a bug in the upstream Assessor tool as the validation seems to test for a higher standard than the actual benchmark calls for.

[marcusburghardt]

#9789 and #10139 recently improved the rsyslog rules. They are aligned to the benchmark requirements.