System log files must be mode 640 or less permissive.

From Apple OS X 10.10 (Yosemite) Workstation Security Technical Implementation Guide

Part of SRG-OS-000206

Associated with: CCI-001314

SV-74241r1_rule System log files must be mode 640 or less permissive.

Vulnerability discussion

System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.

Check content

These commands check for log files that exist on the system and print out the log with corresponding permissions. Run them from inside /var/log: sudo stat -f '%A:%N' $(grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null sudo stat -f '%A:%N' $(grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null The correct permissions on log files should be '640' or less permissive for system logs. Any file with more permissive settings is a finding.

Fix text

For any log file that returns an incorrect permission value, run the following command: sudo chmod 640 [log file] [log file] is the full path to the log file in question. If the file is managed by newsyslog, find the configuration line in the directory /etc/newsyslog.d/ or the file /etc/newsyslog.conf and edit the mode column to be 640 or less permissive. If the file is managed by aslmanager, find the configuration line in the directory /etc/asl/ or the file /etc/asl.conf and add or edit the mode option to be 'mode=0640' or less permissive.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer