florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License
108 stars 67 forks

rule 4.4 is too restrictive #23

Closed fprina closed 3 years ago

fprina commented 3 years ago

create 0640 root utmp creates non-writable files ... at least related to /etc/logrotate.d/rsyslog at the moment. A more conservative option is create 0640.

jeremy-evidos commented 3 years ago

I concur that the current rule is too restrictive, it simply breaks logging. So please consider merging this pull request, thanks!

Best,

Jeremy

florianutz commented 3 years ago

Hi guys, I verified this PR against the current CIS Benchmark 1.1.0 for Ubuntu 20.04. The example there is exactly the same as in the current version (with root utmp). Have any of you raised this issue with the CIS Community?

jeremy-evidos commented 3 years ago

Hello Florian,

The example is too restrictive. The remediation suggests that logrotate.conf contains at least create 0640 and that, if local site policy demands it, one could optionally add root utmp. So, presuming the lowest common denominator, having at least create 0640 in logrotate.conf should satisfy recommendation 4.4.
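One way to audit the point made in the thread, as an added example that is neither from this issue nor from the ubuntu2004_cis role: scan logrotate configuration files for create directives and flag any whose mode grants more than 0640 (the floor the remediation asks for), without insisting on a particular owner or group. The function names and the two sample config files are constructed for this example; the per-service file deliberately carries a 0644 directive so the check has something to report.

```shell
#!/bin/sh
# Added example, not code from the thread or the ubuntu2004_cis role.
# Audits logrotate config files for `create` directives whose mode is
# looser than 0640. Owner and group are deliberately not checked: the
# thread's point is that `root utmp` is optional site policy.

# mode_at_most_0640 MODE -> 0 if MODE grants no more than 0640, else 1
mode_at_most_0640() {
    m=$1
    case $m in
        0???) m=${m#0} ;;   # 4-digit form with a leading zero, e.g. 0640
        ???)  ;;            # 3-digit form, e.g. 640
        *)    return 1 ;;   # setuid/setgid digit, symbolic modes, junk: reject
    esac
    o=${m%??}          # owner digit
    gw=${m#?}
    g=${gw%?}          # group digit
    w=${gw#?}          # world digit
    case $o in 0|2|4|6) ;; *) return 1 ;; esac   # owner: rw at most, no execute
    case $g in 0|4)     ;; *) return 1 ;; esac   # group: read-only at most
    [ "$w" = 0 ]                                 # world: nothing
}

# audit_logrotate FILE -> prints every offending `create` line and returns 1
# if any was found, 0 otherwise. Comments and other directives are skipped.
# A bare `create` keeps the rotated file's old mode, so it is reported too.
audit_logrotate() {
    file=$1
    rc=0
    while IFS= read -r line; do
        set -f               # no globbing while word-splitting the directive
        set -- $line
        set +f
        [ "${1:-}" = create ] || continue
        if [ -z "${2:-}" ]; then
            printf '%s: no explicit mode: %s\n' "$file" "$line"
            rc=1
        elif ! mode_at_most_0640 "$2"; then
            printf '%s: mode looser than 0640: %s\n' "$file" "$line"
            rc=1
        fi
    done < "$file"
    return $rc
}

# demo: constructed sample files, written to a temp dir and audited
demo() {
    d=$(mktemp -d)
    # Constructed sample in the shape of the CIS example the thread quotes.
    cat > "$d/logrotate.conf" <<'EOF'
weekly
rotate 4
create 0640 root utmp
EOF
    # Constructed sample per-service file with a looser directive.
    cat > "$d/rsyslog" <<'EOF'
/var/log/syslog
{
    rotate 7
    daily
    create 0644 syslog adm
}
EOF
    for f in "$d/logrotate.conf" "$d/rsyslog"; do
        if audit_logrotate "$f"; then
            echo "$f: ok"
        fi
    done
    rm -rf "$d"
}

demo
```

Pointing audit_logrotate at /etc/logrotate.conf and each file under /etc/logrotate.d/ gives the same check against a real host; a non-zero exit from any file is the finding.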

florianutz commented 3 years ago

@jeremy-evidos you are totally right. 0640 should be enough. I just wanted to know if CIS knows about their bad sample :)

jeremy-evidos commented 3 years ago

> @jeremy-evidos you are totally right. 0640 should be enough. I just wanted to know if CIS knows about their bad sample :)

Hello Florian, they do now: https://workbench.cisecurity.org/community/4/tickets/12693#