--- title: Ensure Log Files Are Owned By Appropriate User description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Ensure Log Files Are Owned By Appropriate User --- # Ensure Log Files Are Owned By Appropriate User ## Description{% #description %} The owner of all log files written by `rsyslog` should be `root`. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file *LOGFILE* referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's owner: ``` $ ls -l LOGFILE ``` If the owner is not `root`, run the following command to correct this: ``` $ sudo chown root LOGFILE ``` ## Rationale{% #rationale %} The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. ## Remediation{% #remediation %} ### Shell script{% #shell-script %} The following script can be run on the host to remediate the issue. ```bash #!/bin/bash # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # List of log file paths to be inspected for correct permissions # * Primarily inspect log file paths listed in /etc/rsyslog.conf RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) readarray -t NEW_INC < <(sed -n '/^\s*include(/,/)/Ip' /etc/rsyslog.conf | sed -n 's@.*file\s*=\s*"\([/[:alnum:][:punct:]]*\)".*@\1@Ip') readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS # Array to hold all rsyslog config entries RSYSLOG_CONFIGS=() RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") # Get full list of files to be checked # RSYSLOG_CONFIGS may contain globs such as # /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule # So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. RSYSLOG_CONFIG_FILES=() for ENTRY in "${RSYSLOG_CONFIGS[@]}" do # If directory, rsyslog will search for config files in recursively. # However, files in hidden sub-directories or hidden files will be ignored. if [ -d "${ENTRY}" ] then readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") elif [ -f "${ENTRY}" ] then RSYSLOG_CONFIG_FILES+=("${ENTRY}") else echo "Invalid include object: ${ENTRY}" fi done # Browse each file selected above as containing paths of log files # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, # * Ignore empty lines, # * Strip quotes and closing brackets from paths. # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files # * From the remaining valid rows select only fields constituting a log file path # Text file column is understood to represent a log file path if and only if all of the # following are met: # * it contains at least one slash '/' character, # * it is preceded by space # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters # Search log file for path(s) only in case it exists! if [[ -f "${LOG_FILE}" ]] then NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") # Since above sed command might return more than one item (delimited by newline), split # the particular matches entries into new array specific for this log file readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with # items from newly created array for this log file LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") # Delete the temporary array unset ARRAY_FOR_LOG_FILE fi done # Check for RainerScript action log format which might be also multiline so grep regex is a bit # curly: # extract possibly multiline action omfile expressions # extract File="logfile" expression # match only "logfile" expression for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" do ACTION_OMFILE_LINES=$(grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") done # Ensure the correct attribute if file exists FILE_CMD="chown" for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing if [ -z "$LOG_FILE_PATH" ] then continue fi $FILE_CMD "root" "$LOG_FILE_PATH" done else >&2 echo 'Remediation is not applicable, nothing was done' fi ``` ### Ansible playbook{% #ansible-playbook %} The following playbook can be run with Ansible to remediate the issue. ``` - name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive ansible.builtin.shell: | set -o pipefail grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true register: rsyslog_old_inc changed_when: false when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Get include files directives ansible.builtin.shell: | set -o pipefail awk '/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}' {{ rsyslog_etc_config }} || true register: rsyslog_new_inc changed_when: false when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes ansible.builtin.set_fact: include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - List all config files ansible.builtin.find: paths: '{{ item | dirname }}' patterns: '{{ item | basename }}' hidden: false follow: true loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - include_config_output is defined register: rsyslog_config_files failed_when: false changed_when: false tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format ansible.builtin.shell: | set -o pipefail grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \ awk '{print $NF}' | \ sed -e 's/^-//' || true loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_old changed_when: false when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - rsyslog_config_files is not skipped tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format ansible.builtin.shell: | set -o pipefail grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ tr -d "\""|| true loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_new changed_when: false when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - rsyslog_config_files is not skipped tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found ansible.builtin.set_fact: log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute ansible.builtin.file: path: '{{ item }}' owner: root state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80189-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership ```