logrotate undesired permission change in focal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Security Certifications | Fix Released | Undecided | Richard Maciel Costa |
Bug Description
When running the CIS benchmark in focal we have an issue with a few files in /var/log where the permissions are changed to be more restrictive, but the ownership is also changed to root:utmp. This therefore leaves files with no content, as the relevant services are no longer able to access these files.
Below is the output from ls -lrt, which shows the number of files that this affected.
~~~
-rw-r----- 1 root utmp 0 Oct 22 10:03 alternatives.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 haproxy.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 dpkg.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 syslog
-rw-r----- 1 root utmp 0 Oct 22 10:03 mail.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 kern.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 auth.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 ubuntu-
~~~
This is part of section 4.4 of the CIS Benchmark, and the remediation gives an example, but I am not sure if we should be taking that blindly.
~~~
Edit /etc/logrotate.conf and update the create line to read 0640 or more restrictive, following local site policy
Example:
create 0640 root utmp
~~~
I reckon we could just do with the following instead:
~~~
create 0640
~~~
The audit procedure does suggest a grep with `\s` at the end, but I think we could do without that, and it should work.
~~~
Audit Procedure
WARNING: The contents of this section may not render correctly in the Word Export
Run the following command:
# grep -Es "^\s*create\s+\S+" /etc/logrotate.conf /etc/logrotate.d/* | grep -E -v "\s(0)?
Nothing should be returned
~~~
After I changed logrotate.conf to use "create 640" and removed syslog, re-ran "logrotate -f /etc/logrotate.
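The point in the report is that the CIS remediation example, `create 0640 root utmp`, does two separate things: it tightens the mode (which is what 4.4 is about) and it forces root:utmp onto every rotated log, which is what left syslog, auth.log, haproxy.log and the rest empty. A bare `create 0640` only sets the mode; logrotate then keeps the owner and group of the file it just rotated. The script below is an added example, not code from the bug report or from ubuntu-security-guides: it audits `create` directives for a mode looser than 0640, the way the CIS check intends, and additionally flags an explicit owner/group in the global logrotate.conf, since that is the line that overrides ownership for every log. Per-service stanzas under logrotate.d are allowed to name an owner, because there the author knows which account writes the file. The config files it runs against are constructed in a temporary directory; the paths, the `haproxy` service account and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or the ubuntu-security-guides project).
# Audit logrotate "create" directives for CIS 4.4 ("0640 or more restrictive"),
# and flag an explicit owner/group in the *global* config, because
# "create 0640 root utmp" there forces root:utmp onto every rotated log.

# Usage: audit_logrotate_create MAIN_CONF CONF_DIR
# Prints one finding per line; returns 0 if nothing is flagged, 1 otherwise.
audit_logrotate_create() {
    conf="$1"; dir="$2"
    findings=$(
        for f in "$conf" "$dir"/*; do
            [ -f "$f" ] || continue
            # uncommented "create" lines that carry an octal mode (3 or 4 digits)
            grep -E '^[[:space:]]*create[[:space:]]+[0-7]{3,4}([[:space:]]|$)' "$f" |
            while read -r kw mode owner group rest; do
                # reduce to the three permission digits (0640 -> 640)
                case $mode in ????) m=${mode#?} ;; *) m=$mode ;; esac
                grp=${m#?}; grp=${grp%?}; oth=${m#??}
                case $oth in
                    [1-7]) echo "$f: create $mode is world-accessible (looser than 0640)" ;;
                esac
                case $grp in
                    [2367]) echo "$f: create $mode is group-writable (looser than 0640)" ;;
                esac
                # Owner/group on the global default applies to every log that has
                # no more specific create line: services not running as $owner or
                # in $group can no longer write their own log after rotation.
                if [ -n "$owner" ] && [ "$f" = "$conf" ]; then
                    echo "$f: create $mode $owner $group sets owner/group globally; services outside $group lose write access"
                fi
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed configs for the demo; these are not files from the reporter's host.
write_demo_configs() {
    base="$1"
    mkdir -p "$base/bad.d" "$base/good.d"
    # CIS remediation example taken literally: forces root:utmp on everything.
    printf 'weekly\ncreate 0640 root utmp\n' > "$base/bad.conf"
    # A per-service stanza that is too permissive.
    printf '/var/log/haproxy.log {\n    create 0644\n}\n' > "$base/bad.d/haproxy"
    # Reporter's suggestion: mode only, ownership inherited from the rotated file.
    printf 'weekly\ncreate 0640\n' > "$base/good.conf"
    # Explicit owner is fine in a per-service stanza (hypothetical haproxy:adm).
    printf '/var/log/haproxy.log {\n    create 0640 haproxy adm\n}\n' > "$base/good.d/haproxy"
}

demo=$(mktemp -d)
write_demo_configs "$demo"
echo "== CIS remediation example taken literally =="
audit_logrotate_create "$demo/bad.conf" "$demo/bad.d" || true
echo "== mode only in logrotate.conf =="
audit_logrotate_create "$demo/good.conf" "$demo/good.d" && echo "nothing flagged"
rm -rf "$demo"
```

On a real host the call is `audit_logrotate_create /etc/logrotate.conf /etc/logrotate.d`; an empty result is the CIS pass condition, and a hit on the global line is the signal to drop the owner/group and keep only the mode, as the reporter did.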
tags: added: sts
Changed in ubuntu-security-certifications:
assignee: nobody → Richard Maciel Costa (richardmaciel)
Fix released in ubuntu-security-guides_20.04.4.1