
4.2.2.4 Ensure rsyslog default file permissions are configured

Audit

Run the following command:

# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf

Verify the output matches:

$FileCreateMode 0640

If site policy dictates less restrictive permissions, follow that policy.

NOTE: More restrictive permissions, such as 0600, are implicitly sufficient.
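
An added example (not part of the benchmark text): a POSIX shell check that applies the "0640 or more restrictive" rule as a bitmask rather than a string comparison, so 0600 passes and 0644 or 0660 fails. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# mode_is_compliant MODE: succeed if MODE grants nothing beyond 0640.
mode_is_compliant() {
    case "$1" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;  # empty, non-octal or wrong length
    esac
    # 07137 is every bit outside 0640, setuid/setgid/sticky included.
    # The leading 0 makes the shell read the value as octal.
    [ $(( 0$1 & 07137 )) -eq 0 ]
}

# audit_file_create_mode FILE...: succeed only if at least one
# $FileCreateMode directive is present and every occurrence complies.
audit_file_create_mode() {
    found=0; bad=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        matches=$(grep '^\$FileCreateMode' "$f" || true)
        while read -r directive mode _rest; do
            [ -n "$directive" ] || continue   # no match in this file
            found=1
            if mode_is_compliant "$mode"; then
                echo "PASS $f: $directive $mode"
            else
                echo "FAIL $f: $directive $mode"; bad=1
            fi
        done <<EOF
$matches
EOF
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample input (not from a real host).
demo=$(mktemp -d)
printf '%s\n' '$FileCreateMode 0640' > "$demo/good.conf"
printf '%s\n' '$FileCreateMode 0644' > "$demo/bad.conf"
audit_file_create_mode "$demo/good.conf" && echo "good.conf: compliant"
audit_file_create_mode "$demo/bad.conf"  || echo "bad.conf: non-compliant"
rm -rf "$demo"
# On a real system:
#   audit_file_create_mode /etc/rsyslog.conf /etc/rsyslog.d/*.conf
```

The function also fails when no directive is found at all, which the plain grep only shows as empty output.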

Remediation

Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive:

$FileCreateMode 0640

Restart the service:

# systemctl restart rsyslog