I am trying to harden RHEL with CIS benchmark. One of the items states the following:

Ensure permissions on all logfiles are configured

Description: Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well.

Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information.

My questions:

  1. What kinds of system logs are considered sensitive data?
  2. Is it acceptable if there are deviations because the permissions of some system logs will be reset during boot?
bxblin

2 Answers

For the first, it depends on the data. One must know one's OS and applications. Some apps leak users' passwords when running in debug mode, for example.

For the latter, if you are investigating and you don't have logs, you don't have any clue what was going on. You can always send logs to a remote host if you don't want to save logs locally; sending logs to a remote node is always a good choice. The next thing an attacker would do is break into the log host and delete the traces.

Jiri B
  • Thanks for answering. I am looking at the OS logs such as dmesg etc. Ideally, the read and write permissions should be restricted. But I am not sure where to configure the dmesg log permissions permanently, so that they are not changed on reboot. – bxblin Mar 10 '21 at 09:23


Most of the important system log files reside in /var/log, such as boot.log, cron, dmesg, messages, yum.log etc. Beyond those, there is /var/log/audit/audit.log if auditd is enabled; /var/log/secure, which contains the log of authentication, authorization and unsuccessful/failed logins (ssh, sudo logs etc.); and /var/log/sa if you run sysstat.

Also rsyslog/syslog-ng (you can set the log location or send logs to a central log server).

In RHEL7, /var/log/dmesg is created at boot time using the default umask, so if you run the solution command provided by CIS, you'll see that the dmesg permissions change after a reboot.
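As an added example (not part of either answer above), the following POSIX shell functions implement the check the benchmark item asks for, in the form the question's rationale states it: no regular file under a log directory should be group-writable or readable by others. The directory is a parameter so the audit can be pointed at /var/log on a real host or at a constructed sample tree; the remediation function applies the same mode change (g-wx,o-rwx) that the CIS benchmark's remediation uses. The function names are my own, and the code assumes GNU find and stat (Linux).

```shell
#!/bin/sh
# Added example: audit and remediate log-file permissions per the CIS item
# "Ensure permissions on all logfiles are configured". Assumes GNU find/stat.

# Print one "<octal mode> <path>" line per regular file that is group-writable
# or that others can read, write or execute. -perm /MODE matches if ANY of
# the listed bits is set.
audit_log_perms() {
    dir="$1"
    find "$dir" -type f \( -perm /g+w -o -perm /o+rwx \) \
        -exec stat -c '%a %n' {} \;
}

# Number of offending files; a compliance check expects this to be 0.
count_log_perm_violations() {
    audit_log_perms "$1" | wc -l | tr -d ' '
}

# Remediation: strip group write/execute and all "other" bits from regular
# files only (directories are left alone, as in the CIS remediation command).
remediate_log_perms() {
    find "$1" -type f -exec chmod g-wx,o-rwx {} +
}

# Constructed sample tree standing in for /var/log (not real system logs).
# Prints the directory path so callers can audit and remediate it.
make_sample_logs() {
    d=$(mktemp -d)
    : > "$d/messages"; chmod 0640 "$d/messages"   # compliant
    : > "$d/dmesg";    chmod 0644 "$d/dmesg"      # world-readable, as a 022 umask at boot gives
    : > "$d/cron";     chmod 0660 "$d/cron"       # group-writable
    echo "$d"
}

# Stand-alone usage: build the sample tree, audit, remediate, audit again.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_logs)
    echo "before remediation:"; audit_log_perms "$sample"
    remediate_log_perms "$sample"
    echo "violations after remediation: $(count_log_perm_violations "$sample")"
    rm -rf "$sample"
fi
```

Because /var/log/dmesg is recreated at boot with the default umask, a one-off chmod does not persist; running the audit function from a periodic job (or a configuration-management tool) is what turns the benchmark item into a check that detects the drift the second answer describes, rather than a fix that silently expires on the next reboot.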