Skip to content

4.2.3 Ensure all logfiles have appropriate permissions and ownership

Audit#

Run the following script to verify that files in /var/log/ have appropriate permissions and ownership: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/usr/bin/env bash
{
 echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
 output=""
 find /var/log -type f | (while read -r fname; do
 bname="$(basename "$fname")"
 case "$bname" in
 lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 secure | auth.log)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 SSSD | sssd)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 gdm | gdm3)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 *.journal)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 *)
 if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
 output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
 fi
 if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
 output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
 fi
 ;;
 esac
 done
 # If all files passed, then we pass
 if [ -z "$output" ]; then
 echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n"
 else
 # print the reason why we are failing
 echo -e "\n- FAIL:\n$output"
 fi
 echo -e "- End check - logfiles have appropriate permissions and ownership\n"
 )
}

Remediation#

Run the following script to update permissions and ownership on files in /var/log.

Although the script is not destructive, ensure that the output of the audit procedure is captured in the event that the remediation causes issues.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/usr/bin/env bash
{
 echo -e "\n- Start remediation - logfiles have appropriate permissions and ownership"
 find /var/log -type f | while read -r fname; do
 bname="$(basename "$fname")"
 case "$bname" in
 lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$' && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-wx "$fname"
 ! stat -Lc "%U" "$fname" | grep -Pq -- '^\h*root\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Pq -- '^\h*(utmp|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 secure | auth.log)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
 ! stat -Lc "%U" "$fname" | grep -Pq -- '^\h*(syslog|root)\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Pq -- '^\h*(adm|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 SSSD | sssd)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-rwx "$fname"
 ! stat -Lc "%U" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 gdm | gdm3)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' && echo -e "- changing mode on \"$fname\"" && chmod ug-x,o-rwx
 ! stat -Lc "%U" "$fname" | grep -Pq -- '^\h*root\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Pq -- '^\h*(gdm3?|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 *.journal)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
 ! stat -Lc "%U" "$fname" | grep -Pq -- '^\h*root\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Pq -- '^\h*(systemdjournal|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 *)
 ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' && echo -e "- changing mode on \"$fname\"" && chmod u-x,g-wx,o-rwx "$fname"
 ! stat -Lc "%U" "$fname" | grep -Pq -- '^\h*(syslog|root)\h*$' && echo -e "- changing owner on \"$fname\"" && chown root "$fname"
 ! stat -Lc "%G" "$fname" | grep -Pq -- '^\h*(adm|root)\h*$' && echo -e "- changing group on \"$fname\"" && chgrp root "$fname"
 ;;
 esac
 done
 echo -e "- End remediation - logfiles have appropriate permissions and ownership\n"
}

Note: You may also need to change the configuration for your logging software or services for any logs that had incorrect permissions.

If there are services that log to other locations, ensure that those log files have the appropriate permissions.