Verify Permissions on /var/log Directory

An XCCDF Rule

Description

To properly set the permissions of /var/log, run the command:

$ sudo chmod 0755 /var/log

Rationale

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log
Severity: Medium
References: CCI-001314

SRG-OS-000206-GPOS-00084

SRG-APP-000118-CTR-000240
Updated: about 1 year ago


chmod 0755 /var/log/

if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
    sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
fi

- name: Find /var/log/ file(s)
  command: 'find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt  -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false  tags:
  - configure_strategy
  - file_permissions_var_log
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /var/log/ file(s)
  file:
    path: '{{ item }}'
    mode: u-s,g-ws,o-wt
    state: directory
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - configure_strategy
  - file_permissions_var_log
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Verify Permissions on /var/log Directory

Description

Rationale

Remediation - Shell Script

Remediation - Ansible