Ensure System Log Files Have Correct Permissions
An XCCDF Rule
Description
The file permissions for all log files written by rsyslog should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 640 or more restrictive, run the following command to correct this:
$ sudo chmod 640 LOGFILE
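The per-file inspection described above can be scripted. This is an added example, not part of the rule's own content: it assumes GNU stat and the legacy "selector action" rule syntax, its function names are illustrative, and it does not follow included configuration files or action() blocks.

```shell
#!/bin/sh
# Added example: audit the permissions of log files named in rsyslog rule lines.
# Assumptions: GNU stat (stat -c %a), legacy "selector action" rules, and
# log paths without whitespace. Function names are illustrative.
# Usage: sh this_script /etc/rsyslog.conf

# Print the log file path (second field) of each rule line. Comment lines
# and $-directives are skipped; a leading "-" on the path (which only
# disables syncing) is stripped. Non-file actions are ignored.
rsyslog_logfiles() {
    awk '
        $1 ~ /^[#$]/ || NF < 2 { next }
        $2 ~ /^-?\//           { sub(/^-/, "", $2); print $2 }
    ' "$1"
}

# Succeed when MODE (octal, as printed by stat) sets no bit outside 0640,
# i.e. it is "640 or more restrictive" (600, 440, 400 pass; 644, 660 fail).
mode_ok() {
    [ $(( 0$1 & ~0640 & 07777 )) -eq 0 ]
}

# Print "PATH MODE" for every noncompliant log file referenced in CONF.
# Returns 1 if at least one was found, 0 otherwise.
check_rsyslog_perms() {
    rc=0
    for f in $(rsyslog_logfiles "$1" | sort -u); do
        [ -e "$f" ] || continue      # a rule may name a file not yet created
        mode=$(stat -c %a "$f")
        if ! mode_ok "$mode"; then
            echo "$f $mode"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when a configuration file is given on the command line.
if [ $# -gt 0 ]; then
    check_rsyslog_perms "$1"
fi
```

Each line of output names a file to fix with the chmod command above.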
Rationale
Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
- ID: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
- Severity: Medium