Verify that local /var/log/messages is not world-readable

An XCCDF Rule

Description

Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command:

$ sudo chmod 0640 /var/log/messages

Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

Rationale

The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

ID: xccdf_org.ssgproject.content_rule_file_permissions_local_var_log_messages
Severity: Medium
References: CCI-001314

SI-11(c)

SRG-OS-000206-GPOS-00084

SLES-12-010890

CCE-83112-3

SV-217188r958566_rule
Updated: about 1 month ago

Remediation Templates

- name: Configure permission for /var/log/messages
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/var\/log\/messages\s+root.*
    line: /var/log/messages root:root 640    state: present
  register: update_permissions_local_result
  tags:
  - CCE-83112-3
  - DISA-STIG-SLES-12-010890
  - NIST-800-53-SI-11(c)
  - configure_strategy
  - file_permissions_local_var_log_messages
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Correct file permissions after update /etc/permissions.local
  shell: |
    set -o pipefail chkstat --set --system
  when: update_permissions_local_result.changed
  tags:
  - CCE-83112-3
  - DISA-STIG-SLES-12-010890
  - NIST-800-53-SI-11(c)
  - configure_strategy
  - file_permissions_local_var_log_messages
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

CORRECT_PERMISSIONS="/var/log/messages root:root 640"
err_cnt=0
message_permissions=$(grep -i messages /etc/permissions.local)
if [ ${#message_permissions} -eq 0 ]
then
  echo "There are no permission rules for system errors messages. We will add them"   echo $CORRECT_PERMISSIONS >> /etc/permissions.local
  err_cnt=$((err_cnt+1))
fi

check_message_permissions=$(stat -c "%n %U:%G %a" /var/log/messages)
if [ "$check_message_permissions" != "$CORRECT_PERMISSIONS" ]
then
  echo "The permissions are not correct"
  err_cnt=$((err_cnt+1))
fi

if [ ${#err_cnt} -gt 0 ] 
then
  echo "Set the permissions"
  chkstat --set /etc/permissions.local
fi

Verify that local /var/log/messages is not world-readable

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script