Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/var/log/btmp should be included in group_write_excepts for CIS 4.2.3 #112

Closed
jrbeilke opened this issue Apr 9, 2021 · 4 comments · Fixed by #116
Closed

/var/log/btmp should be included in group_write_excepts for CIS 4.2.3 #112

jrbeilke opened this issue Apr 9, 2021 · 4 comments · Fixed by #116

Comments

@jrbeilke
Copy link

jrbeilke commented Apr 9, 2021

Describe the bug
Inspec failure on a fresh Ubuntu 18.04 system due to permissions on /var/log/btmp and CIS 4.2.3:

    ubuntu1804-ami:   ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (1 failed)
    ubuntu1804-ami:      ×  File /var/log/btmp should not be writable by group
    ubuntu1804-ami:      expected File /var/log/btmp not to be writable by group

Expected behavior
Seems an exception was added for the CIS 4.2.3 criteria to allow group write permissions for /var/log/lastlog and /var/log/wtmp but not /var/log/btmp
#50

AFAICT 660 permissions on /var/log/btmp are expected and do not seem to be a security issue just like /var/log/wtmp ie.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314956
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/743858

OS / Environment
Ubuntu 18.04

Inspec Version

$ inspec --version
4.18.39

Baseline Version

  - name: cis-dil-benchmark
    git: https://github.com/dev-sec/cis-dil-benchmark.git
    tag: 0.4.10
@deric4
Copy link
Member

deric4 commented Apr 10, 2021

@jrbeilke Ya this control has proven tricky to handle across multiple distros, while the perms on /var/log/btmp will fail the control on Ubuntu 18.04/20.04, it passes on Amazon Linux 2 and Centos 7. Implementing a similar fix as what was done for #33 / #100 might make sense here though.

There are some other services that cause problems for this specific control (i.e. cloud-init, ssm agent). Where other services rely g+r be set, or extremely hard to track down where/how to configure correctly without resorting to dirty tricks for different distros.

Maybe others could weigh in if anything else might make sense to add to the allowed list?

Side Note
@micheelengronne @schurzi @chris-rock
At risk of making the scope of this issue much bigger, this feels like a similar type of problem discussed in #102 , where the friction of handling "one offs" across the different distros makes adopting the profile pretty challenging and potentially forcing users to take on the burden of one of the following to leverage the profile in CI/CD Pipelines, or integrate with tools like Hashicorp Packer, kitchen-inspec, and AWS SSM RunCommand Documents :

  1. Creating a new profile that wraps dev-sec/cis-dil-benchmark and make necessary changes
  2. Forking the profile and make necessary changes
  3. Completely skipping a control via a waiver
  4. Implementing a custom processor of the executions output instead of being able to rely on Inspec's exit codes or default reporter formats.

Spit balling here, but would contributions that provide some sort "escape hatch" via a combination of inputs/conditions beyond just cis_level be welcome to the project? I would think the default configuration must execute controls as strictly defined by the CIS DIL Benchmark for those that expect/need/rely on the current behavior, but still enable users to decide whats best for their workflows.

Providing some Inspec output for a few different "stock" AMIs from Amazon, Canonical, and Marketplace Centos 7, showing which log files would cause the control to fail in addition to /var/log/btmp

Ubuntu 18.04

ImageId: ami-007e276c37b5ff2d7
Name: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20210325
Region: us-west-2

  ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (10 failed)
     ×  File /var/log/btmp is expected not to be writable by group
     ×  File /var/log/cloud-init-output.log is expected not to be readable by other
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     ×  File /var/log/apt/eipp.log.xz is expected not to be readable by other
     ×  File /var/log/apt/history.log is expected not to be readable by other
     ×  File /var/log/landscape/sysinfo.log is expected not to be readable by other
     ×  File /var/log/dpkg.log is expected not to be readable by other
     ×  File /var/log/cloud-init.log is expected not to be readable by other
     ×  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be readable by other
Click Me: Full Inspec CLI Output 

$ inspec exec https://github.com/dev-sec/cis-dil-benchmark.git -t  ssh://ubuntu@<instance id> --controls=cis-dil-benchmark-4.2.3 --sudo

Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.11
Target:  ssh://ubuntu@<instance id>:22

  ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (10 failed)
     ✔  File /var/log/lastlog is expected not to be executable by group
     ✔  File /var/log/lastlog is expected not to be writable by other
     ✔  File /var/log/lastlog is expected not to be executable by other
     ✔  File /var/log/auth.log is expected not to be writable by group
     ✔  File /var/log/auth.log is expected not to be executable by group
     ✔  File /var/log/auth.log is expected not to be readable by other
     ✔  File /var/log/auth.log is expected not to be writable by other
     ✔  File /var/log/auth.log is expected not to be executable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/system.journal is expected not to be writable by group
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/system.journal is expected not to be executable by group
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/system.journal is expected not to be readable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/system.journal is expected not to be writable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/system.journal is expected not to be executable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/user-1000.journal is expected not to be writable by group
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/user-1000.journal is expected not to be executable by group
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/user-1000.journal is expected not to be readable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/user-1000.journal is expected not to be writable by other
     ✔  File /var/log/journal/ec2c60511a638f17fd8f13e100e205b3/user-1000.journal is expected not to be executable by other
     ×  File /var/log/btmp is expected not to be writable by group
     expected File /var/log/btmp not to be writable by group
     ✔  File /var/log/btmp is expected not to be executable by group
     ✔  File /var/log/btmp is expected not to be readable by other
     ✔  File /var/log/btmp is expected not to be writable by other
     ✔  File /var/log/btmp is expected not to be executable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by group
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by group
     ×  File /var/log/cloud-init-output.log is expected not to be readable by other
     expected File /var/log/cloud-init-output.log not to be readable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by other
     ✔  File /var/log/apt/term.log is expected not to be writable by group
     ✔  File /var/log/apt/term.log is expected not to be executable by group
     ✔  File /var/log/apt/term.log is expected not to be readable by other
     ✔  File /var/log/apt/term.log is expected not to be writable by other
     ✔  File /var/log/apt/term.log is expected not to be executable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be writable by group
     ✔  File /var/log/apt/eipp.log.xz is expected not to be executable by group
     ×  File /var/log/apt/eipp.log.xz is expected not to be readable by other
     expected File /var/log/apt/eipp.log.xz not to be readable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be writable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be executable by other
     ✔  File /var/log/apt/history.log is expected not to be writable by group
     ✔  File /var/log/apt/history.log is expected not to be executable by group
     ×  File /var/log/apt/history.log is expected not to be readable by other
     expected File /var/log/apt/history.log not to be readable by other
     ✔  File /var/log/apt/history.log is expected not to be writable by other
     ✔  File /var/log/apt/history.log is expected not to be executable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be writable by group
     ✔  File /var/log/landscape/sysinfo.log is expected not to be executable by group
     ×  File /var/log/landscape/sysinfo.log is expected not to be readable by other
     expected File /var/log/landscape/sysinfo.log not to be readable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be writable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be executable by other
     ✔  File /var/log/dpkg.log is expected not to be writable by group
     ✔  File /var/log/dpkg.log is expected not to be executable by group
     ×  File /var/log/dpkg.log is expected not to be readable by other
     expected File /var/log/dpkg.log not to be readable by other
     ✔  File /var/log/dpkg.log is expected not to be writable by other
     ✔  File /var/log/dpkg.log is expected not to be executable by other
     ✔  File /var/log/tallylog is expected not to be writable by group
     ✔  File /var/log/tallylog is expected not to be executable by group
     ✔  File /var/log/tallylog is expected not to be readable by other
     ✔  File /var/log/tallylog is expected not to be writable by other
     ✔  File /var/log/tallylog is expected not to be executable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by group
     ✔  File /var/log/cloud-init.log is expected not to be executable by group
     ×  File /var/log/cloud-init.log is expected not to be readable by other
     expected File /var/log/cloud-init.log not to be readable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by other
     ✔  File /var/log/cloud-init.log is expected not to be executable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be writable by group
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be executable by group
     ×  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be readable by other
     expected File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log not to be readable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be writable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be executable by other
     ✔  File /var/log/wtmp is expected not to be executable by group
     ✔  File /var/log/wtmp is expected not to be writable by other
     ✔  File /var/log/wtmp is expected not to be executable by other
     ✔  File /var/log/syslog is expected not to be writable by group
     ✔  File /var/log/syslog is expected not to be executable by group
     ✔  File /var/log/syslog is expected not to be readable by other
     ✔  File /var/log/syslog is expected not to be writable by other
     ✔  File /var/log/syslog is expected not to be executable by other
     ✔  File /var/log/kern.log is expected not to be writable by group
     ✔  File /var/log/kern.log is expected not to be executable by group
     ✔  File /var/log/kern.log is expected not to be readable by other
     ✔  File /var/log/kern.log is expected not to be writable by other
     ✔  File /var/log/kern.log is expected not to be executable by other

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 96 successful, 10 failures, 0 skipped

Ubuntu 20.04

ImageId: ami-0a62a78cfedc09d76
Name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210325
Region: us-west-2

×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (11 failed)
     ×  File /var/log/cloud-init.log is expected not to be readable by other
     ×  File /var/log/btmp is expected not to be writable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     ×  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be readable by other
     ×  File /var/log/apt/history.log is expected not to be readable by other
     ×  File /var/log/apt/eipp.log.xz is expected not to be readable by other
     ×  File /var/log/dmesg is expected not to be readable by other
     ×  File /var/log/cloud-init-output.log is expected not to be readable by other
     ×  File /var/log/dpkg.log is expected not to be readable by other
     ×  File /var/log/landscape/sysinfo.log is expected not to be readable by other
Click Me: Full Inspec CLI Output 

$ inspec exec https://github.com/dev-sec/cis-dil-benchmark.git -t  ssh://ubuntu@<instance id> --controls=cis-dil-benchmark-4.2.3 --sudo

Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.11
Target:  ssh://ubuntu@<instance id>:22

  ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (11 failed)
     ✔  File /var/log/cloud-init.log is expected not to be writable by group
     ✔  File /var/log/cloud-init.log is expected not to be executable by group
     ×  File /var/log/cloud-init.log is expected not to be readable by other
     expected File /var/log/cloud-init.log not to be readable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by other
     ✔  File /var/log/cloud-init.log is expected not to be executable by other
     ×  File /var/log/btmp is expected not to be writable by group
     expected File /var/log/btmp not to be writable by group
     ✔  File /var/log/btmp is expected not to be executable by group
     ✔  File /var/log/btmp is expected not to be readable by other
     ✔  File /var/log/btmp is expected not to be writable by other
     ✔  File /var/log/btmp is expected not to be executable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/user-1000.journal is expected not to be writable by group
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/user-1000.journal is expected not to be executable by group
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/user-1000.journal is expected not to be readable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/user-1000.journal is expected not to be writable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/user-1000.journal is expected not to be executable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/system.journal is expected not to be writable by group
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/system.journal is expected not to be executable by group
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/system.journal is expected not to be readable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/system.journal is expected not to be writable by other
     ✔  File /var/log/journal/ec2ab99cd6fb9b76482d8e487447e412/system.journal is expected not to be executable by other
     ✔  File /var/log/auth.log is expected not to be writable by group
     ✔  File /var/log/auth.log is expected not to be executable by group
     ✔  File /var/log/auth.log is expected not to be readable by other
     ✔  File /var/log/auth.log is expected not to be writable by other
     ✔  File /var/log/auth.log is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-09 is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be writable by group
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be executable by group
     ×  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be readable by other
     expected File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log not to be readable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be writable by other
     ✔  File /var/log/unattended-upgrades/unattended-upgrades-shutdown.log is expected not to be executable by other
     ✔  File /var/log/kern.log is expected not to be writable by group
     ✔  File /var/log/kern.log is expected not to be executable by group
     ✔  File /var/log/kern.log is expected not to be readable by other
     ✔  File /var/log/kern.log is expected not to be writable by other
     ✔  File /var/log/kern.log is expected not to be executable by other
     ✔  File /var/log/apt/history.log is expected not to be writable by group
     ✔  File /var/log/apt/history.log is expected not to be executable by group
     ×  File /var/log/apt/history.log is expected not to be readable by other
     expected File /var/log/apt/history.log not to be readable by other
     ✔  File /var/log/apt/history.log is expected not to be writable by other
     ✔  File /var/log/apt/history.log is expected not to be executable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be writable by group
     ✔  File /var/log/apt/eipp.log.xz is expected not to be executable by group
     ×  File /var/log/apt/eipp.log.xz is expected not to be readable by other
     expected File /var/log/apt/eipp.log.xz not to be readable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be writable by other
     ✔  File /var/log/apt/eipp.log.xz is expected not to be executable by other
     ✔  File /var/log/apt/term.log is expected not to be writable by group
     ✔  File /var/log/apt/term.log is expected not to be executable by group
     ✔  File /var/log/apt/term.log is expected not to be readable by other
     ✔  File /var/log/apt/term.log is expected not to be writable by other
     ✔  File /var/log/apt/term.log is expected not to be executable by other
     ✔  File /var/log/dmesg is expected not to be writable by group
     ✔  File /var/log/dmesg is expected not to be executable by group
     ×  File /var/log/dmesg is expected not to be readable by other
     expected File /var/log/dmesg not to be readable by other
     ✔  File /var/log/dmesg is expected not to be writable by other
     ✔  File /var/log/dmesg is expected not to be executable by other
     ✔  File /var/log/wtmp is expected not to be executable by group
     ✔  File /var/log/wtmp is expected not to be writable by other
     ✔  File /var/log/wtmp is expected not to be executable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by group
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by group
     ×  File /var/log/cloud-init-output.log is expected not to be readable by other
     expected File /var/log/cloud-init-output.log not to be readable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by other
     ✔  File /var/log/lastlog is expected not to be executable by group
     ✔  File /var/log/lastlog is expected not to be writable by other
     ✔  File /var/log/lastlog is expected not to be executable by other
     ✔  File /var/log/dpkg.log is expected not to be writable by group
     ✔  File /var/log/dpkg.log is expected not to be executable by group
     ×  File /var/log/dpkg.log is expected not to be readable by other
     expected File /var/log/dpkg.log not to be readable by other
     ✔  File /var/log/dpkg.log is expected not to be writable by other
     ✔  File /var/log/dpkg.log is expected not to be executable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be writable by group
     ✔  File /var/log/landscape/sysinfo.log is expected not to be executable by group
     ×  File /var/log/landscape/sysinfo.log is expected not to be readable by other
     expected File /var/log/landscape/sysinfo.log not to be readable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be writable by other
     ✔  File /var/log/landscape/sysinfo.log is expected not to be executable by other
     ✔  File /var/log/syslog is expected not to be writable by group
     ✔  File /var/log/syslog is expected not to be executable by group
     ✔  File /var/log/syslog is expected not to be readable by other
     ✔  File /var/log/syslog is expected not to be writable by other
     ✔  File /var/log/syslog is expected not to be executable by other


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 95 successful, 11 failures, 0 skipped

Amazon Linux 2

ImageId: ami-0518bb0e75d3619ca
Name: amzn2-ami-hvm-2.0.20210326.0-x86_64-gp2
Region: us-west-2

 ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (10 failed)
     ×  File /var/log/grubby_prune_debug is expected not to be readable by other
     ×  File /var/log/sa/sa10 is expected not to be readable by other
     ×  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be readable by other
     ×  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be readable by other
     ×  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be readable by other
     ×  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be readable by other
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     ×  File /var/log/dmesg is expected not to be readable by other
     ×  File /var/log/cloud-init.log is expected not to be readable by other
Click Me: Full Inspec CLI Output 

$ inspec exec https://github.com/dev-sec/cis-dil-benchmark.git -t  ssh://ec2-user@<instance id> --controls=cis-dil-benchmark-4.2.3 --sudo

Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.11
Target:  ssh://ec2-user@<instance id>:22

 ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (10 failed)
     ✔  File /var/log/yum.log is expected not to be writable by group
     ✔  File /var/log/yum.log is expected not to be executable by group
     ✔  File /var/log/yum.log is expected not to be readable by other
     ✔  File /var/log/yum.log is expected not to be writable by other
     ✔  File /var/log/yum.log is expected not to be executable by other
     ✔  File /var/log/tallylog is expected not to be writable by group
     ✔  File /var/log/tallylog is expected not to be executable by group
     ✔  File /var/log/tallylog is expected not to be readable by other
     ✔  File /var/log/tallylog is expected not to be writable by other
     ✔  File /var/log/tallylog is expected not to be executable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be writable by group
     ✔  File /var/log/grubby_prune_debug is expected not to be executable by group
     ×  File /var/log/grubby_prune_debug is expected not to be readable by other
     expected File /var/log/grubby_prune_debug not to be readable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be writable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be executable by other
     ✔  File /var/log/lastlog is expected not to be executable by group
     ✔  File /var/log/lastlog is expected not to be writable by other
     ✔  File /var/log/lastlog is expected not to be executable by other
     ✔  File /var/log/btmp is expected not to be writable by group
     ✔  File /var/log/btmp is expected not to be executable by group
     ✔  File /var/log/btmp is expected not to be readable by other
     ✔  File /var/log/btmp is expected not to be writable by other
     ✔  File /var/log/btmp is expected not to be executable by other
     ✔  File /var/log/wtmp is expected not to be executable by group
     ✔  File /var/log/wtmp is expected not to be writable by other
     ✔  File /var/log/wtmp is expected not to be executable by other
     ✔  File /var/log/messages is expected not to be writable by group
     ✔  File /var/log/messages is expected not to be executable by group
     ✔  File /var/log/messages is expected not to be readable by other
     ✔  File /var/log/messages is expected not to be writable by other
     ✔  File /var/log/messages is expected not to be executable by other
     ✔  File /var/log/secure is expected not to be writable by group
     ✔  File /var/log/secure is expected not to be executable by group
     ✔  File /var/log/secure is expected not to be readable by other
     ✔  File /var/log/secure is expected not to be writable by other
     ✔  File /var/log/secure is expected not to be executable by other
     ✔  File /var/log/maillog is expected not to be writable by group
     ✔  File /var/log/maillog is expected not to be executable by group
     ✔  File /var/log/maillog is expected not to be readable by other
     ✔  File /var/log/maillog is expected not to be writable by other
     ✔  File /var/log/maillog is expected not to be executable by other
     ✔  File /var/log/spooler is expected not to be writable by group
     ✔  File /var/log/spooler is expected not to be executable by group
     ✔  File /var/log/spooler is expected not to be readable by other
     ✔  File /var/log/spooler is expected not to be writable by other
     ✔  File /var/log/spooler is expected not to be executable by other
     ✔  File /var/log/sa/sa10 is expected not to be writable by group
     ✔  File /var/log/sa/sa10 is expected not to be executable by group
     ×  File /var/log/sa/sa10 is expected not to be readable by other
     expected File /var/log/sa/sa10 not to be readable by other
     ✔  File /var/log/sa/sa10 is expected not to be writable by other
     ✔  File /var/log/sa/sa10 is expected not to be executable by other
     ✔  File /var/log/audit/audit.log is expected not to be writable by group
     ✔  File /var/log/audit/audit.log is expected not to be executable by group
     ✔  File /var/log/audit/audit.log is expected not to be readable by other
     ✔  File /var/log/audit/audit.log is expected not to be writable by other
     ✔  File /var/log/audit/audit.log is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-10 is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-10 is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-10 is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-10 is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/audits/amazon-ssm-agent-audit-2021-04-10 is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/amazon-ssm-agent.log is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be executable by group
     ×  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be readable by other
     expected File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag not to be readable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a.etag is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be executable by group
     ×  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be readable by other
     expected File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a not to be readable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/download/update/6a2c85e681d533b9c6af641eef5c3a24a3343e6a is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be executable by group
     ×  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be readable by other
     expected File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag not to be readable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122.etag is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be executable by group
     ×  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be readable by other
     expected File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 not to be readable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/download/update/60de0d5eac3750e61c95f09af27b0083eef00122 is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/AmazonSSMAgent-update.txt is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by group
     ×  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be readable by other
     expected File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json not to be readable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json is expected not to be executable by other
     ✔  File /var/log/amazon/ssm/errors.log is expected not to be writable by group
     ✔  File /var/log/amazon/ssm/errors.log is expected not to be executable by group
     ✔  File /var/log/amazon/ssm/errors.log is expected not to be readable by other
     ✔  File /var/log/amazon/ssm/errors.log is expected not to be writable by other
     ✔  File /var/log/amazon/ssm/errors.log is expected not to be executable by other
     ✔  File /var/log/journal/ec27041a88f931b46d484ac723cf13ee/system.journal is expected not to be writable by group
     ✔  File /var/log/journal/ec27041a88f931b46d484ac723cf13ee/system.journal is expected not to be executable by group
     ✔  File /var/log/journal/ec27041a88f931b46d484ac723cf13ee/system.journal is expected not to be readable by other
     ✔  File /var/log/journal/ec27041a88f931b46d484ac723cf13ee/system.journal is expected not to be writable by other
     ✔  File /var/log/journal/ec27041a88f931b46d484ac723cf13ee/system.journal is expected not to be executable by other
     ✔  File /var/log/boot.log is expected not to be writable by group
     ✔  File /var/log/boot.log is expected not to be executable by group
     ✔  File /var/log/boot.log is expected not to be readable by other
     ✔  File /var/log/boot.log is expected not to be writable by other
     ✔  File /var/log/boot.log is expected not to be executable by other
     ✔  File /var/log/dmesg is expected not to be writable by group
     ✔  File /var/log/dmesg is expected not to be executable by group
     ×  File /var/log/dmesg is expected not to be readable by other
     expected File /var/log/dmesg not to be readable by other
     ✔  File /var/log/dmesg is expected not to be writable by other
     ✔  File /var/log/dmesg is expected not to be executable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by group
     ✔  File /var/log/cloud-init.log is expected not to be executable by group
     ×  File /var/log/cloud-init.log is expected not to be readable by other
     expected File /var/log/cloud-init.log not to be readable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by other
     ✔  File /var/log/cloud-init.log is expected not to be executable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by group
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by group
     ✔  File /var/log/cloud-init-output.log is expected not to be readable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be writable by other
     ✔  File /var/log/cloud-init-output.log is expected not to be executable by other
     ✔  File /var/log/cron is expected not to be writable by group
     ✔  File /var/log/cron is expected not to be executable by group
     ✔  File /var/log/cron is expected not to be readable by other
     ✔  File /var/log/cron is expected not to be writable by other
     ✔  File /var/log/cron is expected not to be executable by other


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 126 successful, 10 failures, 0 skipped

Centos 7

ImageId: ami-0bc06212a56393ee1
Name: CentOS Linux 7 x86_64 HVM EBS ENA 2002_01-b7ee8a69-ee97-4a49-9e68-afaee216db2e-ami-0042af67f8e4dcc20.4
Region: us-west-2

 ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (5 failed)
     ×  File /var/log/grubby_prune_debug is expected not to be readable by other
     ×  File /var/log/tuned/tuned.log is expected not to be readable by other
     ×  File /var/log/cron is expected not to be readable by other
     ×  File /var/log/boot.log is expected not to be readable by other
     ×  File /var/log/dmesg is expected not to be readable by other
Click Me: Full Inspec CLI Output 

$ inspec exec https://github.com/dev-sec/cis-dil-benchmark.git -t  ssh://centos@<ip> --controls=cis-dil-benchmark-4.2.3 --sudo

Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.11
Target:  ssh://centos@<ip>:22

  ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (5 failed)
     ✔  File /var/log/tallylog is expected not to be writable by group
     ✔  File /var/log/tallylog is expected not to be executable by group
     ✔  File /var/log/tallylog is expected not to be readable by other
     ✔  File /var/log/tallylog is expected not to be writable by other
     ✔  File /var/log/tallylog is expected not to be executable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be writable by group
     ✔  File /var/log/grubby_prune_debug is expected not to be executable by group
     ×  File /var/log/grubby_prune_debug is expected not to be readable by other
     expected File /var/log/grubby_prune_debug not to be readable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be writable by other
     ✔  File /var/log/grubby_prune_debug is expected not to be executable by other
     ✔  File /var/log/lastlog is expected not to be executable by group
     ✔  File /var/log/lastlog is expected not to be writable by other
     ✔  File /var/log/lastlog is expected not to be executable by other
     ✔  File /var/log/btmp is expected not to be writable by group
     ✔  File /var/log/btmp is expected not to be executable by group
     ✔  File /var/log/btmp is expected not to be readable by other
     ✔  File /var/log/btmp is expected not to be writable by other
     ✔  File /var/log/btmp is expected not to be executable by other
     ✔  File /var/log/wtmp is expected not to be executable by group
     ✔  File /var/log/wtmp is expected not to be writable by other
     ✔  File /var/log/wtmp is expected not to be executable by other
     ✔  File /var/log/tuned/tuned.log is expected not to be writable by group
     ✔  File /var/log/tuned/tuned.log is expected not to be executable by group
     ×  File /var/log/tuned/tuned.log is expected not to be readable by other
     expected File /var/log/tuned/tuned.log not to be readable by other
     ✔  File /var/log/tuned/tuned.log is expected not to be writable by other
     ✔  File /var/log/tuned/tuned.log is expected not to be executable by other
     ✔  File /var/log/audit/audit.log is expected not to be writable by group
     ✔  File /var/log/audit/audit.log is expected not to be executable by group
     ✔  File /var/log/audit/audit.log is expected not to be readable by other
     ✔  File /var/log/audit/audit.log is expected not to be writable by other
     ✔  File /var/log/audit/audit.log is expected not to be executable by other
     ✔  File /var/log/messages is expected not to be writable by group
     ✔  File /var/log/messages is expected not to be executable by group
     ✔  File /var/log/messages is expected not to be readable by other
     ✔  File /var/log/messages is expected not to be writable by other
     ✔  File /var/log/messages is expected not to be executable by other
     ✔  File /var/log/secure is expected not to be writable by group
     ✔  File /var/log/secure is expected not to be executable by group
     ✔  File /var/log/secure is expected not to be readable by other
     ✔  File /var/log/secure is expected not to be writable by other
     ✔  File /var/log/secure is expected not to be executable by other
     ✔  File /var/log/maillog is expected not to be writable by group
     ✔  File /var/log/maillog is expected not to be executable by group
     ✔  File /var/log/maillog is expected not to be readable by other
     ✔  File /var/log/maillog is expected not to be writable by other
     ✔  File /var/log/maillog is expected not to be executable by other
     ✔  File /var/log/spooler is expected not to be writable by group
     ✔  File /var/log/spooler is expected not to be executable by group
     ✔  File /var/log/spooler is expected not to be readable by other
     ✔  File /var/log/spooler is expected not to be writable by other
     ✔  File /var/log/spooler is expected not to be executable by other
     ✔  File /var/log/cron is expected not to be writable by group
     ✔  File /var/log/cron is expected not to be executable by group
     ×  File /var/log/cron is expected not to be readable by other
     expected File /var/log/cron not to be readable by other
     ✔  File /var/log/cron is expected not to be writable by other
     ✔  File /var/log/cron is expected not to be executable by other
     ✔  File /var/log/boot.log is expected not to be writable by group
     ✔  File /var/log/boot.log is expected not to be executable by group
     ×  File /var/log/boot.log is expected not to be readable by other
     expected File /var/log/boot.log not to be readable by other
     ✔  File /var/log/boot.log is expected not to be writable by other
     ✔  File /var/log/boot.log is expected not to be executable by other
     ✔  File /var/log/anaconda/anaconda.log is expected not to be writable by group
     ✔  File /var/log/anaconda/anaconda.log is expected not to be executable by group
     ✔  File /var/log/anaconda/anaconda.log is expected not to be readable by other
     ✔  File /var/log/anaconda/anaconda.log is expected not to be writable by other
     ✔  File /var/log/anaconda/anaconda.log is expected not to be executable by other
     ✔  File /var/log/anaconda/syslog is expected not to be writable by group
     ✔  File /var/log/anaconda/syslog is expected not to be executable by group
     ✔  File /var/log/anaconda/syslog is expected not to be readable by other
     ✔  File /var/log/anaconda/syslog is expected not to be writable by other
     ✔  File /var/log/anaconda/syslog is expected not to be executable by other
     ✔  File /var/log/anaconda/program.log is expected not to be writable by group
     ✔  File /var/log/anaconda/program.log is expected not to be executable by group
     ✔  File /var/log/anaconda/program.log is expected not to be readable by other
     ✔  File /var/log/anaconda/program.log is expected not to be writable by other
     ✔  File /var/log/anaconda/program.log is expected not to be executable by other
     ✔  File /var/log/anaconda/packaging.log is expected not to be writable by group
     ✔  File /var/log/anaconda/packaging.log is expected not to be executable by group
     ✔  File /var/log/anaconda/packaging.log is expected not to be readable by other
     ✔  File /var/log/anaconda/packaging.log is expected not to be writable by other
     ✔  File /var/log/anaconda/packaging.log is expected not to be executable by other
     ✔  File /var/log/anaconda/storage.log is expected not to be writable by group
     ✔  File /var/log/anaconda/storage.log is expected not to be executable by group
     ✔  File /var/log/anaconda/storage.log is expected not to be readable by other
     ✔  File /var/log/anaconda/storage.log is expected not to be writable by other
     ✔  File /var/log/anaconda/storage.log is expected not to be executable by other
     ✔  File /var/log/anaconda/ifcfg.log is expected not to be writable by group
     ✔  File /var/log/anaconda/ifcfg.log is expected not to be executable by group
     ✔  File /var/log/anaconda/ifcfg.log is expected not to be readable by other
     ✔  File /var/log/anaconda/ifcfg.log is expected not to be writable by other
     ✔  File /var/log/anaconda/ifcfg.log is expected not to be executable by other
     ✔  File /var/log/anaconda/ks-script-898Bxq.log is expected not to be writable by group
     ✔  File /var/log/anaconda/ks-script-898Bxq.log is expected not to be executable by group
     ✔  File /var/log/anaconda/ks-script-898Bxq.log is expected not to be readable by other
     ✔  File /var/log/anaconda/ks-script-898Bxq.log is expected not to be writable by other
     ✔  File /var/log/anaconda/ks-script-898Bxq.log is expected not to be executable by other
     ✔  File /var/log/anaconda/ks-script-Wnz4e2.log is expected not to be writable by group
     ✔  File /var/log/anaconda/ks-script-Wnz4e2.log is expected not to be executable by group
     ✔  File /var/log/anaconda/ks-script-Wnz4e2.log is expected not to be readable by other
     ✔  File /var/log/anaconda/ks-script-Wnz4e2.log is expected not to be writable by other
     ✔  File /var/log/anaconda/ks-script-Wnz4e2.log is expected not to be executable by other
     ✔  File /var/log/anaconda/ks-script-dyarrY.log is expected not to be writable by group
     ✔  File /var/log/anaconda/ks-script-dyarrY.log is expected not to be executable by group
     ✔  File /var/log/anaconda/ks-script-dyarrY.log is expected not to be readable by other
     ✔  File /var/log/anaconda/ks-script-dyarrY.log is expected not to be writable by other
     ✔  File /var/log/anaconda/ks-script-dyarrY.log is expected not to be executable by other
     ✔  File /var/log/anaconda/ks-script-kPd16m.log is expected not to be writable by group
     ✔  File /var/log/anaconda/ks-script-kPd16m.log is expected not to be executable by group
     ✔  File /var/log/anaconda/ks-script-kPd16m.log is expected not to be readable by other
     ✔  File /var/log/anaconda/ks-script-kPd16m.log is expected not to be writable by other
     ✔  File /var/log/anaconda/ks-script-kPd16m.log is expected not to be executable by other
     ✔  File /var/log/anaconda/journal.log is expected not to be writable by group
     ✔  File /var/log/anaconda/journal.log is expected not to be executable by group
     ✔  File /var/log/anaconda/journal.log is expected not to be readable by other
     ✔  File /var/log/anaconda/journal.log is expected not to be writable by other
     ✔  File /var/log/anaconda/journal.log is expected not to be executable by other
     ✔  File /var/log/dmesg is expected not to be writable by group
     ✔  File /var/log/dmesg is expected not to be executable by group
     ×  File /var/log/dmesg is expected not to be readable by other
     expected File /var/log/dmesg not to be readable by other
     ✔  File /var/log/dmesg is expected not to be writable by other
     ✔  File /var/log/dmesg is expected not to be executable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by group
     ✔  File /var/log/cloud-init.log is expected not to be executable by group
     ✔  File /var/log/cloud-init.log is expected not to be readable by other
     ✔  File /var/log/cloud-init.log is expected not to be writable by other
     ✔  File /var/log/cloud-init.log is expected not to be executable by other


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 121 successful, 5 failures, 0 skipped

@jrbeilke
Copy link
Author

Thanks for the detailed write-up @deric4

For now I am having to skip this control and run a custom copy with an exception for /var/log/btmp.

Would like to either see /var/log/btmp added to the list of exceptions in the current control, or an input added that would allow for custom exceptions to be added without needing to bypass/replace the control entirely.

Since this is standard behavior in Ubuntu distributions with /var/log/btmp permissions it's probably best to add that to the list of exceptions in the control, but I also can see the benefit of having an input because there could be other exceptions needed as you mentioned when using different combinations of services (ie. cloud-init).

@schurzi
Copy link
Contributor

schurzi commented Apr 24, 2021

I think adding btmp to the exception list from #50 is a good approach here. Is anyone of you up for a PR?

Regarding all the other logs I like to adhere to the definition from CIS DIL Benchmark. This states, that all logfiles should not be readable by other. If a system has logfiles, that do not satisfy this condition, this is a reported finding which should be corrected.

@bendres97 bendres97 mentioned this issue Dec 16, 2021
Merged
@schurzi
Copy link
Contributor

schurzi commented Mar 7, 2022

@deric4 I really like what you gathered here and I believe some of it warrants further exploration. I have added a link to my notes as I'm unsure on how to continue with this. If you have a good idea on how to continue with your input, you are welcome to open followup issues or PRs. I will also do so, once I find the time. This issue is now closed, because the initial issue is fixed.

@deric4 deric4 mentioned this issue Apr 20, 2022
Open
@deric4 deric4 mentioned this issue Nov 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

(4.2.3) Add group write exemption for btmp
3 participants
@jrbeilke @schurzi @deric4