tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The definition of the baseline should be done in Hiera. The purpose of the module is to give the ability to setup a complete security baseline which not necessarily have to stick to industry security guides like the CIS benchmarks.
Apache License 2.0

Permissions on /var/log incorrect according to CIS RHEL 8 v2.0.0 benchmark #56

Closed parryb closed 1 year ago

parryb commented 1 year ago

Hi Tom,

I have found an error in cis_security_hardening::rules::logfile_permissions compared to the baseline provided by CIS. I'm comparing the output of your module (and it is a great module) to CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0, which is the latest I believe. The Puppet file resource is used to recursively keep the file permissions in order. However, if another application writes its log files to /var/log, it doesn't have permission to open that file. The CIS lockdown remediation does not change the permissions on /var/log, only the files contained within.

The resolution I may suggest is to use another Puppet module: https://forge.puppet.com/modules/npwalker/recursive_file_permissions/readme. This allows you to manage the directory permissions separately from the directory, and has the bonus of being more performant. Otherwise perhaps an exec resource to perform the action of `find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" +`, as per the CIS benchmark?
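
The behaviour described in this report, shown as an added example that is not part of the cis_security_hardening module or of this issue: the CIS remediation command restricts regular files only (`-type f`), so a group-writable log directory keeps its mode while the files under it lose group write/exec and all "other" bits. The script builds a constructed throwaway tree with mktemp instead of touching /var/log, and assumes a find that accepts the `-perm /MASK` ("any of these bits") form (GNU or BusyBox) and a GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not code from the cis_security_hardening module.
# Demonstrates the CIS RHEL 8 "logfile permissions" remediation against a
# constructed fixture so the directory-vs-file distinction is visible.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway tree that mimics /var/log: group-writable directories (so a
# service running under that group can create its own log files) plus files
# carrying the bits CIS flags. All of this is constructed sample data.
build_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/app"
    chmod 0775 "$dir"                                              # directory more open than files
    chmod 0775 "$dir/app"
    echo x > "$dir/messages";    chmod 0660 "$dir/messages"        # g+w
    echo x > "$dir/app/app.log"; chmod 0664 "$dir/app/app.log"     # g+w, o+r
    echo x > "$dir/wtmp";        chmod 0666 "$dir/wtmp"            # g+w, o+w
    echo x > "$dir/already_ok";  chmod 0640 "$dir/already_ok"      # compliant already
    printf '%s\n' "$dir"
}

# The CIS remediation: strip group write/exec and all 'other' bits from regular
# files only. Octal /037 is the same mask as the benchmark's /g+wx,o+rwx
# (030 = g+wx, 007 = o+rwx); directories are never matched because of -type f.
cis_fix_log_perms() {
    find "$1" -type f -perm /037 -exec chmod g-wx,o-rwx '{}' +
}

# Audit check: succeed (exit 0) only if no regular file under $1 still has any
# of the flagged bits set. Directory modes are deliberately not part of the check.
cis_check_log_perms() {
    [ -z "$(find "$1" -type f -perm /037 -print)" ]
}

# Stand-alone run: create fixture, remediate, report, clean up.
fixture=$(build_fixture)
cis_fix_log_perms "$fixture"
if cis_check_log_perms "$fixture"; then
    echo "files under $fixture are compliant; directory mode left at $(mode_of "$fixture")"
fi
rm -rf "$fixture"
```

Running the remediation in a Puppet `exec` the way the report proposes would use the same find expression; the `cis_check_log_perms` function can serve as its `onlyif` test so the exec only fires when a non-compliant file exists.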

tom-krieger commented 1 year ago

Will be fixed in release 0.8.2