
Verify that local /var/log/messages is not world-readable

An XCCDF Rule

Description

Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need for these files to be readable by any non-root user. To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Check that the permissions.local file contains the correct permissions rule with the following command:
# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

Rationale

The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

ID
xccdf_org.ssgproject.content_rule_file_permissions_local_var_log_messages
Severity
Medium

Remediation Templates

A Shell Script

CORRECT_PERMISSIONS="/var/log/messages root:root 640"
err_cnt=0
message_permissions=$(grep -i messages /etc/permissions.local)
if [ ${#message_permissions} -eq 0 ]
then
  echo "There are no permission rules for system errors messages. We will add them"
  echo "$CORRECT_PERMISSIONS" >> /etc/permissions.local   # no rule yet: append the correct one
elif [ "$message_permissions" != "$CORRECT_PERMISSIONS" ]
then
  sed -i "s|^/var/log/messages[[:space:]].*|$CORRECT_PERMISSIONS|" /etc/permissions.local   # wrong rule: replace it
fi
chmod 0640 /var/log/messages   # apply the mode to the file itself, not only to the rule

An Ansible Snippet

- name: Configure permission for /var/log/messages
  lineinfile:
    path: /etc/permissions.local
    create: true
    regexp: ^\/var\/log\/messages\s+root.*
    line: /var/log/messages root:root 640
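The check in the Description (grep the rule out of permissions.local) and the two remediation templates above both key on the word "messages", which also matches unrelated lines such as a rotated /var/log/messages-old or a line carrying the wrong mode. The script below is an added example, not part of the SSG rule or either template: it compares the rule file field by field, verifies the mode of the file actually on disk, and rewrites the rule file so exactly one correct rule for the path remains. The function names (check_perm_rule, check_file_mode, ensure_perm_rule, setup_sample) are this example's own, and every file it touches is a constructed sample in a temporary directory rather than the real /etc/permissions.local or /var/log/messages.

```shell
#!/bin/sh
# Added example, not the rule's own remediation. Audits a permissions.local-style
# file field by field, checks the on-disk mode, and repairs the rule file.
# All data is constructed in a temp dir; no real /etc or /var/log file is touched.

# check_perm_rule RULES PATH OWNER:GROUP MODE
# Returns 0 only if RULES has a line whose first field is exactly PATH and whose
# owner and mode fields match. A substring grep would also accept
# /var/log/messages-old or a line with the wrong mode; this does not.
check_perm_rule() {
  awk -v p="$2" -v o="$3" -v m="$4" '
    $1 == p && $2 == o && $3 == m { ok = 1 }
    END { exit (ok ? 0 : 1) }
  ' "$1"
}

# check_file_mode PATH MODE
# Returns 0 if PATH currently has exactly the octal mode MODE (e.g. 640).
# find -perm with a plain octal argument is an exact match and is POSIX.
check_file_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# ensure_perm_rule RULES PATH OWNER:GROUP MODE
# Rewrites RULES so that exactly one rule for PATH exists with the given owner
# and mode; all other lines are kept. RULES is created if it does not exist.
ensure_perm_rule() {
  tmp="$1.tmp.$$"
  {
    [ -f "$1" ] && awk -v p="$2" '$1 != p' "$1"
    printf '%s %s %s\n' "$2" "$3" "$4"
  } > "$tmp" && mv "$tmp" "$1"
}

# setup_sample: builds constructed sample rule files and test files in a temp
# directory and prints the directory path. bad.rules deliberately carries a
# rotated-log line and a wrong-mode line, the two cases a loose grep mishandles.
setup_sample() {
  d=$(mktemp -d)
  printf '%s\n' '/var/log/messages root:root 640' '/etc/shadow root:root 640' > "$d/good.rules"
  printf '%s\n' '/var/log/messages-old root:root 640' '/var/log/messages root:root 644' > "$d/bad.rules"
  : > "$d/f640"; chmod 640 "$d/f640"
  : > "$d/f644"; chmod 644 "$d/f644"
  echo "$d"
}

# Stand-alone run: show each check on the sample data, then remediate bad.rules.
d=$(setup_sample)
check_perm_rule "$d/good.rules" /var/log/messages root:root 640 && echo "good.rules: correct rule present"
check_perm_rule "$d/bad.rules"  /var/log/messages root:root 640 || echo "bad.rules: rule missing or wrong"
check_file_mode "$d/f640" 640 && echo "f640: mode is 640"
check_file_mode "$d/f644" 640 || echo "f644: mode is not 640"
ensure_perm_rule "$d/bad.rules" /var/log/messages root:root 640
check_perm_rule "$d/bad.rules" /var/log/messages root:root 640 && echo "bad.rules: rule repaired"
rm -rf "$d"
```

The rule-file check and the on-disk check are kept separate on purpose: a correct line in permissions.local only takes effect once chkstat (or the chmod from the Description) has been run, so a compliant rule file does not by itself prove the log is no longer world-readable.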