All rsyslog-generated log files must be group-owned by root.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38519 | RHEL-06-000134 | SV-50320r2_rule | Medium |
| Description |
|---|
| The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2015-05-26 |
Details
| Check Text ( C-46076r2_chk ) |
|---|
| The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding. |
| Fix Text (F-43466r1_fix) |
|---|
| The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE] |