Verify Ownership of Files in /var/log/apt

Docs > Datadog Security > OOTB Rules > Verify Ownership of Files in /var/log/apt

Description

To properly set the owner of /var/log/apt/*, run the command:

$ sudo chown root /var/log/apt/*

Rationale

The /var/log/apt directory contains information about APT and should only be accessed by authorized personnel.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

if id "0" >/dev/null 2>&1; then
  newown="0"
fi
if [[ -z ${newown} ]]; then
  echo "0 is not a defined user on the system"
  exit 1
fi

find -L /var/log/apt/ -maxdepth 1 -type f  ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Set the file_ownerships_var_log_apt_newown variable if represented by uid
  set_fact:
    file_ownerships_var_log_apt_newown: '0'
  tags:
  - configure_strategy
  - file_ownerships_var_log_apt
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /var/log/apt/ file(s) matching ^.*$
  command: find -L /var/log/apt/ -maxdepth 1 -type f  ! -user 0 -regextype posix-extended
    -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - configure_strategy
  - file_ownerships_var_log_apt
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner on /var/log/apt/ file(s) matching ^.*$
  file:
    path: '{{ item }}'
    owner: '{{ file_ownerships_var_log_apt_newown }}'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - configure_strategy
  - file_ownerships_var_log_apt
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed