Closed fprina closed 3 years ago
I concur that the current rule is too restrictive; it simply breaks logging. So please consider merging this pull request, thanks!
Best,
Jeremy
Hi guys, I verified this PR with the current CIS Benchmark 1.1.0 for Ubuntu 20.04. The example there is exactly the same as in the current version (with root utmp). Has anyone of you addressed this issue at the CIS Community?
Hello Florian,
The example is too restrictive. The remediation suggests that logrotate.conf contains at least create 0640 and that, if local site policy demands it, one could optionally add root utmp. So, presuming the lowest common denominator, having at least create 0640 in logrotate.conf should satisfy recommendation 4.4.
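To make the distinction in this thread concrete (a bare "create 0640" satisfies recommendation 4.4; "root utmp" is an optional site-policy addition; anything looser than 0640 does not), here is an added audit script that is not part of this PR or the project's own code. It reads a logrotate configuration on stdin and classifies every create directive as ok, too_permissive or unspecified (a create with no mode inherits the rotated file's permissions and needs manual review). The sample configuration inside it is constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR): audit logrotate "create" directives against
# CIS recommendation 4.4, which wants new log files created 0640 or stricter.
# Assumption: directives have the form "create [mode [owner [group]]]".

# Returns 0 when an octal mode is no more permissive than 0640:
# owner bits within rw-, group bits within r--, no access for others.
mode_within_0640() {
    m=$1
    case "$m" in
        [0-7][0-7][0-7]) ;;                 # plain three-digit mode
        0[0-7][0-7][0-7]) m=${m#0} ;;       # four digits, no special bits set
        *) return 1 ;;                      # setuid/setgid/sticky or malformed
    esac
    o=${m%??}; rest=${m#?}; g=${rest%?}; w=${rest#?}
    case "$o" in 0|2|4|6) ;; *) return 1 ;; esac   # owner: subset of rw (6)
    case "$g" in 0|4) ;;     *) return 1 ;; esac   # group: subset of r (4)
    [ "$w" = 0 ]                                   # others: nothing
}

# Reads a logrotate config on stdin and prints one line per create directive:
# "<status> <mode> <directive>", status being ok, too_permissive or unspecified.
audit_create_directives() {
    # drop comments and leading whitespace, keep only "create" directives
    # ("createolddir" and "nocreate" are deliberately not matched)
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' | grep -E '^create([[:space:]]|$)' |
    while IFS= read -r line; do
        set -- $line                      # $1=create $2=mode $3=owner $4=group
        mode=${2:-}
        if [ -z "$mode" ] || ! echo "$mode" | grep -qE '^[0-7]+$'; then
            echo "unspecified - $line"    # inherits the old file's mode; review by hand
        elif mode_within_0640 "$mode"; then
            echo "ok $mode $line"
        else
            echo "too_permissive $mode $line"
        fi
    done
}

# Constructed sample config mirroring the cases discussed in the thread.
sample_config() {
    cat <<'EOF'
# global defaults
weekly
create 0640 root utmp     # the CIS example: mode plus optional owner/group
/var/log/foo.log {
    create 0640           # minimal form that still satisfies 4.4
    rotate 4
}
/var/log/bar.log {
    create 0644 root adm  # world-readable: not compliant
}
/var/log/baz.log {
    create                # no mode given: inherits, needs review
}
EOF
}

# Usage: sample_config | audit_create_directives
#    or: audit_create_directives < /etc/logrotate.conf
```

Run it against the real files with something like cat /etc/logrotate.conf /etc/logrotate.d/* | audit_create_directives; only the too_permissive lines are actual findings, while unspecified lines point at files whose mode is inherited from the log being rotated.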
@jeremy-evidos you are totally right. 0640 should be enough. I just wanted to know if CIS knows about their bad sample :)
Hello Florian, they do now: https://workbench.cisecurity.org/community/4/tickets/12693#
create 0640 root utmp
create not writable files ... at least related to /etc/logrotate.d/rsyslog at the moment a more conservative option is create 0640