
Files under /var/log/apt should be included in other_read_excepts for CIS 4.2.3

Open jrbeilke opened this issue 2 years ago • 0 comments

Describe the bug

InSpec failure on Ubuntu 20.04 systems due to APT overriding permissions on /var/log/apt files and CIS 4.2.3:

    ubuntu2004-ami:   ×  cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (1 failed)
    ubuntu2004-ami:      ×  File /var/log/apt/history.log should not be readable by other
    ubuntu2004-ami:      expected File /var/log/apt/history.log not to be readable by other

Expected behavior

It seems an exception was added for the CIS 4.2.3 criteria to allow other-read permissions for /var/log/lastlog and /var/log/wtmp, but it seems like files under /var/log/apt may also need to be included: https://github.com/dev-sec/cis-dil-benchmark/pull/90

AFAICT, 644 permissions on /var/log/apt files are expected and do not seem to be a security issue, i.e.:

    https://bugs.launchpad.net/ubuntu/+source/apt/+bug/404724
    https://answers.launchpad.net/ubuntu/+source/apt/+question/696930
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285551

OS / Environment

Ubuntu 20.04

Inspec Version

$ inspec --version
4.18.39

Baseline Version

  - name: cis-dil-benchmark
    git: https://github.com/dev-sec/cis-dil-benchmark.git
    tag: 0.4.12

jrbeilke Apr 20 '22 20:04
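To make the behaviour the issue asks for concrete, here is an added POSIX sh example that is not code from the cis-dil-benchmark project or from the issue author. It performs a CIS 4.2.3-style audit of a log directory: every regular file that is writable by "other" is flagged unconditionally, and every file readable by "other" is flagged unless it matches an exception list. The names `OTHER_READ_EXCEPTS`, `is_excepted`, `audit_log_perms` and `make_demo_logdir` are this example's own and are not the benchmark's identifiers; the demo directory and its file modes are constructed here to mirror what the report describes (0644 APT logs, 0644 wtmp/lastlog, 0640 syslog) plus two deliberately wrong files.

```shell
#!/bin/sh
# Added example, not code from the cis-dil-benchmark project: a POSIX sh audit in
# the spirit of CIS 4.2.3 "Ensure permissions on all logfiles are configured".
# Files writable by "other" are always reported; files readable by "other" are
# reported unless their path matches an exception pattern. The variable and
# function names below are assumptions for this example, not benchmark identifiers.

# Shell patterns, relative to the audited directory, whose other-read bit is
# accepted. lastlog and wtmp are the exceptions the issue says already exist;
# apt/* is the proposed addition (APT rewrites its logs as 0644).
OTHER_READ_EXCEPTS='lastlog wtmp apt/*'

# is_excepted REL: true (0) when REL matches one of the patterns above.
is_excepted() {
    set -f                         # keep apt/* from globbing against the cwd
    for pat in $OTHER_READ_EXCEPTS; do
        case "$1" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# audit_log_perms DIR: print one "REL: finding" line per offending file, in
# C-locale sorted order. Other-write is never accepted; other-read is accepted
# only for excepted paths.
audit_log_perms() {
    dir=$1
    find "$dir" -type f \( -perm -004 -o -perm -002 \) | LC_ALL=C sort |
    while read -r f; do
        rel=${f#"$dir"/}
        if [ -n "$(find "$f" -perm -002 -print)" ]; then
            printf '%s: writable by other\n' "$rel"
        elif ! is_excepted "$rel"; then
            printf '%s: readable by other\n' "$rel"
        fi
    done
}

# make_demo_logdir: build a constructed /var/log look-alike in a temp dir and
# print its path. Modes mirror what the issue describes; auth.log and cron.log
# are deliberately wrong so the audit has something to report.
make_demo_logdir() {
    d=$(mktemp -d)
    mkdir -p "$d/apt"
    for f in apt/history.log wtmp lastlog syslog auth.log cron.log; do
        : > "$d/$f"
    done
    chmod 0644 "$d/apt/history.log" "$d/wtmp" "$d/lastlog"   # excepted
    chmod 0640 "$d/syslog"                                    # compliant
    chmod 0644 "$d/auth.log"    # wrong: readable by other, not excepted
    chmod 0666 "$d/cron.log"    # wrong: writable by other, never excepted
    printf '%s\n' "$d"
}

# Usage: with no argument, audit the constructed demo directory; pass a real
# directory such as /var/log (as root) to audit a system.
if [ -n "${1:-}" ]; then
    audit_log_perms "$1"
else
    demo=$(make_demo_logdir)
    audit_log_perms "$demo"
    rm -rf "$demo"
fi
```

Run against the demo directory this prints only `auth.log: readable by other` and `cron.log: writable by other`: the 0644 files under apt/ and the 0644 wtmp/lastlog pass because they match the exception list, while the exception list can never make an other-writable file pass.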