aws / amazon-ecs-agent

Amazon Elastic Container Service Agent
http://aws.amazon.com/ecs/
Apache License 2.0

The logs permissions #3028

Closed amandolo closed 3 years ago

amandolo commented 3 years ago

Summary

The log files permissions are not configurable

Description

We are hardening our AWS AMIs following CIS Amazon Linux 2 Benchmark v2.0.0 rules. We are unable to remediate at the rule "4.2.4 Ensure permissions on all logfiles are configured".

To be compliant to this rule we have to remove wx for groups and rwx for other/world from all our log files in /var/log/.

The ECS Agent (its log files on /var/log/ecs/ folder) is the only application we are unable to configure to create (and rotate) log files with our custom permissions.

We see in this documentation, lots of other options to configure the agent but not to change log files permissions.

Do you have a quick solution to this issue or do you plan to add this possible configuration?

mythri-garaga commented 3 years ago

@amandolo Thank you for filing this. We will take a look into this and get back soon.

sharanyad commented 3 years ago

@amandolo Could you please explain a bit on what this means?

The ECS Agent (its log files on /var/log/ecs/ folder) is the only application we are unable to configure to create (and rotate) log files with our custom permissions.

What custom permissions were configured on your end?

chasen-bettinger commented 3 years ago

@sharanyad I can provide more color here as I am experiencing the same problem. To adhere to CIS Benchmarks, no file in /var/log may give other any permissions, and group may not have write or execute permissions on any file. The remediation that CIS provides for this benchmark is:

find /var/log -type f -exec chmod g-wx,o-rwx {} +

Running this command does conform all files in /var/log to the benchmark. That is until the system reboots. When the system reboots, ecs-agent log files have the following permissions:

 19838    8 -rw-r--r--   1 root     root         4373 Oct 28 15:28 /var/log/ecs/ecs-agent.log
 19447    4 -rw-r--r--   1 root     root          334 Oct 28 15:17 /var/log/ecs/ecs-init.log

Consequently, the audit fails. We need to be able to configure the permissions that the log file is created with. Seems like the only answer is to create a hack that sleeps for an arbitrary period with the hope that after that period, we can overwrite the permissions for the ecs-agent logs.

EDIT:

I actually do not know how much control this library in particular has over this issue. The logging mechanism this library uses is Seelog. There is an issue describing this very problem in Seelog. Reading through the code, I don't think we would be able to get away with a quick change (evidence here: https://github.com/cihub/seelog/search?q=defaultFilePermissions).

What I don't understand is, if the default permissions are 666 - why am I seeing file permissions of 644? I have validated my umask is 027.

amandolo commented 3 years ago

Hi @sharanyad, I'm sorry for the delay in my response. I confirm what @chasen-bettinger has explained.

The CIS control checks that all log files in /var/log/ have the permission of 0740, but the ecs-agent rotates the log files using 0644 permissions.

I read the related bug in Seelog, it isn't resolved yet. Do you have any proposal to resolve this issue?

chasen-bettinger commented 3 years ago

@amandolo I made a cronjob that runs every minute to set the permissions on the logs. It runs this command: find /var/log -type f -exec chmod g-wx,o-rwx {} +. Best I can do for now.

Would be great if this library migrated to a different logging library or Seelog became more customizable.
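The CIS check, the chmod remediation and the umask arithmetic discussed in this thread, as an added shell example that is not code from the ecs-agent project or from any commenter. It assumes GNU coreutils (`stat -c %a`) and takes the log directory as an argument rather than hard-coding /var/log.

```sh
#!/bin/sh
# Added example, not code from the ecs-agent project or this thread's authors.
# Audits and remediates files under a log directory against CIS Amazon Linux 2
# Benchmark 4.2.4 (group: no write/execute; other: no permissions at all).
# Assumes GNU coreutils (stat -c %a); the directory is passed by the caller.

# mode_ok MODE: MODE is an octal string as printed by `stat -c %a` (e.g. 644).
# Succeeds when the group w/x bits (030) and all other bits (007) are clear.
mode_ok() {
  [ $(( 0$1 & 037 )) -eq 0 ]
}

# creation_mode BASE UMASK: the mode a file gets when created with BASE under
# UMASK. creation_mode 666 027 -> 640, whereas a 644 result corresponds to a
# 022 umask (or an explicit chmod), which is the discrepancy raised above.
creation_mode() {
  printf '%o' $(( 0$1 & ~0$2 ))
}

# violations DIR: print "MODE PATH" for each regular file breaking the rule.
violations() {
  find "$1" -type f | while IFS= read -r f; do
    m=$(stat -c %a "$f")
    mode_ok "$m" || printf '%s %s\n' "$m" "$f"
  done
}

# audit_logs DIR: succeed only when no file under DIR violates the rule.
audit_logs() {
  [ -z "$(violations "$1")" ]
}

# remediate DIR: the CIS remediation used in the thread. Since the thread
# reports the agent's logs coming back as 0644 after rotation or reboot,
# this has to be re-applied periodically; the workaround above is a root
# crontab entry such as:
#   * * * * * find /var/log -type f -exec chmod g-wx,o-rwx {} +
remediate() {
  find "$1" -type f -exec chmod g-wx,o-rwx {} +
}
```

Run `audit_logs /var/log` from the same cron job to detect files that were recreated between runs, rather than relying on chmod alone.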

angelcar commented 3 years ago

As previously mentioned, seelog doesn't allow file permission customization. We will consider changing the logging library in the future in order to address this issue. In the meantime, it seems the proposed workaround (cron job) is the best way forward.

Apologies for the inconvenience.

hgmiguel commented 5 months ago

I'm still having this issue. Are these changes in the roadmap?