On 04/16/2013 07:59 PM, Jeffrey Blank wrote:
> In general, would you claim that an admin would have had to go out of his way to get rsyslog to create a log file with lousy permissions? I think so, but verification would be nice (so that we can say this isn't something we really would worry about).

Yes, I'd say so. The log files' permissions are determined by umask, which is currently set to 0077 in the rsyslog init script. This can also be explicitly overridden in the configuration files. When I think about it now, it would probably be good to always have it explicitly set in rsyslog.conf.

> If you'd like to take a shot at creating the OVAL that could grab static files specified by rsyslog.conf, that would be great.

My previous email (crossed with yours by only a minute) contains some pieces which hopefully can be a starting point for this kind of check. The final content wouldn't be much more complex.

> Indeed, as an rsyslog expert, if there is any general advice which you believe is incorrect or missing, comments/contributions are always welcome.

I haven't gotten to reading the whole section on logging yet, but I'll get to it.

Tomas
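The check discussed in this message (collect the static file targets named in rsyslog.conf, then test their permissions) sketched in Python as an added example; it is not from the thread and is not the project's OVAL content. It assumes legacy-syntax rules, treats 0600 (what a 0077 umask leaves on a file) as the allowed mask, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample in legacy rsyslog.conf syntax (not taken from the thread).
SAMPLE_CONF = """\
$ModLoad imuxsock
$umask 0077
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
kern.*                            /dev/console
*.emerg                           *
local7.*                          ?DynFile
"""

# "<facility.priority selector> <action>"; a static file action is an absolute
# path, optionally prefixed with "-". "$" directives and "#" comments are skipped.
RULE_RE = re.compile(r"^\s*(?![#$])\S*\.\S+\s+-?(/\S+)")
SETTING_RE = re.compile(r"^\s*\$(umask|FileCreateMode)\s+([0-7]+)", re.I)

def static_log_files(conf_text):
    """Absolute file targets named by selector rules, in order, de-duplicated."""
    paths = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths

def explicit_settings(conf_text):
    """$umask / $FileCreateMode values set in the file itself, as integers."""
    hits = (SETTING_RE.match(line) for line in conf_text.splitlines())
    return {m.group(1).lower(): int(m.group(2), 8) for m in hits if m}

def audit(conf_text, root="/", allowed=0o600):
    """Return (path, mode) for regular log files with bits outside `allowed`."""
    findings = []
    for path in static_log_files(conf_text):
        try:
            st = os.stat(os.path.join(root, path.lstrip("/")))
        except FileNotFoundError:
            continue  # target not created yet
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISREG(st.st_mode) and mode & ~allowed:  # skips /dev/console
            findings.append((path, oct(mode)))
    return findings

if __name__ == "__main__":
    print(explicit_settings(SAMPLE_CONF) or "no explicit $umask/$FileCreateMode")
    print(audit(SAMPLE_CONF))
```

An empty result from `explicit_settings` means the resulting file modes depend on whatever umask the init script sets, which is the case the message suggests avoiding.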
