Skip to content

Ensure Log Files Are Owned By Appropriate User

An XCCDF Rule

Description

The owner of all log files written by rsyslog should be syslog. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE
If the owner is not syslog, run the following command to correct this:
$ sudo chown syslog LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

ID
xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"

Remediation - Ansible

- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration
    facts
  ansible.builtin.set_fact:
    rsyslog_etc_config: /etc/rsyslog.conf
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags: