rsyslog will create logfiles that do not already exist on the system.
This settings controls what permissions will be applied to these newly
created files.
Rationale
It is important to ensure that log files have the correct permissions
to ensure that sensitive data is archived and protected.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*)
# if $FileCreateMode set in multiple places
if [ ${#targets[@]} -gt 1 ]; then
# delete all and create new entry with expected value
sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/*
echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf
# if $FileCreateMode set in only one place
elif [ "${#targets[@]}" -eq 1 ]; then
filename=$(echo "${targets[0]}" | cut -d':' -f1)
value=$(echo "${targets[0]}" | cut -d' ' -f2)
#convert to decimal and bitwise or operation
result=$((8#$value | 416))
# if more permissive than expected, then set it to 0640
if [ $result -ne 416 ]; then
# if value is wrong remove it
sed -i '/^\s*$FileCreateMode/d' $filename
echo '$FileCreateMode 0640' > $filename
fi
else
echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf
fi
systemctl restart rsyslog.service
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi