Verify Permissions on /var/log Directory

An XCCDF Rule

Description

To properly set the permissions of /var/log, run the command:

$ sudo chmod 0755 /var/log

Rationale

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log
Severity: Medium
References: CCI-001314

SRG-OS-000206-GPOS-00084

SRG-APP-000118-CTR-000240

RHEL-08-010240

SV-230248r627750_rule

CCE-83663-5
Updated: about 1 year ago

- name: Find /var/log/ file(s)
  command: 'find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt  -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false  tags:
  - CCE-83663-5
  - DISA-STIG-RHEL-08-010240
  - configure_strategy
  - file_permissions_var_log
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /var/log/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-ws,o-wt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - CCE-83663-5
  - DISA-STIG-RHEL-08-010240
  - configure_strategy
  - file_permissions_var_log
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed






find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;

Verify Permissions on /var/log Directory

Description

Rationale

Remediation - Ansible

Remediation - Shell Script