Hi Craig,

Craig Andrews <[email protected]> wrote (on Wed, 8 Mar 2023, 22:29):
>
> I'm working on evaluating Debian against STIGs and CIS benchmarks and
> one of the findings reported is:
>
> Verify permissions of log files:
> http://static.open-scap.org/ssg-guides/ssg-ubuntu2004-guide-stig.html#xccdf_org.ssgproject.content_rule_permissions_local_var_log
>
> This rule ensures that files in /var/log have 640 permissions.
>
> The shadow package seems to create/own a number of the files in /var/log
> and it sets the file permissions to 644.
>
> 640 makes more sense to me - there doesn't seem to be any reason for a
> regular user to read these logs.
Well, triaging problems without having to become root is comfortable and this is the status quo.

> Could Debian consider using the more restrictive 640 permissions for the
> /var/log/ files, improving security by default?

Technically yes, but at the moment I don't see a need for the change.
Please discuss the topic with the Debian Security Team and if they are on board with the change it may be implemented.
https://security-team.debian.org/contact.html

I see you raised the same topic upstream, too. While I share upstream's view, Debian can have different defaults and I respect the Security Team's opinion.

Cheers,
Balint

_______________________________________________
Pkg-shadow-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
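For anyone wanting to audit the rule discussed in this thread on their own system, here is an added example (not from the thread or from the shadow package) that lists regular files under a directory whose mode is more permissive than 0640 and optionally clears the offending bits. It assumes GNU find (`-perm /MODE`) and uses a constructed temporary directory instead of the real /var/log so it runs without root.

```bash
#!/bin/bash
# Audit helper for the STIG "permissions of /var/log files" check.
# A file is compliant when its mode is 0640 or stricter, i.e. none of the
# bits in octal 037 (g+wx, o+rwx) are set. Requires GNU find.

# Print "<octal mode> <path>" for every regular file under $1 that is
# more permissive than 0640. Empty output means the directory is compliant.
find_overly_permissive_logs() {
    local dir="$1"
    find "$dir" -type f -perm /037 -printf '%m %p\n' 2>/dev/null | sort
}

# Remediation: clear only the offending bits, so a 0644 file becomes 0640
# while a file already at 0600 is left untouched.
fix_log_perms() {
    local dir="$1"
    find "$dir" -type f -perm /037 -exec chmod g-wx,o-rwx {} +
}

# Constructed demo directory (not the real /var/log); file names are
# illustrative only.
demo_dir=$(mktemp -d)
touch "$demo_dir/faillog" "$demo_dir/lastlog" "$demo_dir/btmp"
chmod 0644 "$demo_dir/faillog"   # world-readable, as shadow currently sets
chmod 0640 "$demo_dir/lastlog"   # compliant
chmod 0600 "$demo_dir/btmp"      # stricter than required, also compliant

echo "Non-compliant before remediation:"
find_overly_permissive_logs "$demo_dir"
fix_log_perms "$demo_dir"
echo "Non-compliant after remediation (expected: none):"
find_overly_permissive_logs "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root with `find_overly_permissive_logs /var/log` to see what the rule would flag on a live Debian system before deciding whether to apply `fix_log_perms`.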
