Ensure rsyslog Default File Permissions Configured

Classification: compliance

Description

rsyslog will create log files that do not already exist on the system. This setting controls the permissions applied to these newly created files.

Rationale

It is important that log files have the correct permissions, so that the sensitive data they contain is archived and protected from unauthorized readers.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # collect every "file:$FileCreateMode value" match across the main config and its includes
    readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*)

    # if $FileCreateMode set in multiple places
    if [ ${#targets[@]} -gt 1 ]; then
        # delete all and create new entry with expected value
        sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/*
        echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf
    # if $FileCreateMode set in only one place
    elif [ "${#targets[@]}" -eq 1 ]; then
        filename=$(echo "${targets[0]}" | cut -d':' -f1)
        value=$(echo "${targets[0]}" | cut -d' ' -f2)
        # convert the octal value to decimal and OR it with 0640 (decimal 416):
        # the result differs from 416 only if the value grants bits 0640 does not
        result=$((8#$value | 416))
        # if more permissive than expected, then set it to 0640
        if [ "$result" -ne 416 ]; then
            # if value is wrong remove it
            sed -i '/^\s*$FileCreateMode/d' "$filename"
            # append the expected value; appending (not '>') keeps the rest of the file,
            # which matters when the directive lives in /etc/rsyslog.conf
            echo '$FileCreateMode 0640' >> "$filename"
        fi
    else
        echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf
    fi

    systemctl restart rsyslog.service

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
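As an added audit helper that is not part of the rule content above: a POSIX sh script that checks a set of rsyslog configuration files for the legacy $FileCreateMode directive using the same "OR against 0640" test the remediation script applies, and also reports the missing-directive case (rsyslog then uses its built-in default of 0644) and the multiple-directive case that the remediation has to collapse. The function names, output format and the constructed sample files in the usage are assumptions.

```sh
#!/bin/sh
# Audit helper added for this page (not part of the ComplianceAsCode rule
# content): checks rsyslog config files for the legacy $FileCreateMode
# directive and applies the same test as the remediation script, i.e. a mode
# is acceptable only if OR-ing it with 0640 adds no bits.

# filecreatemode_ok MODE: returns 0 if MODE (octal, e.g. 0640 or 0600) is no
# more permissive than 0640, 1 if it grants extra bits, 2 if it is not octal.
filecreatemode_ok() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;
    esac
    # The leading 0 makes the shell parse MODE as octal; 416 is decimal 0640.
    [ $(( 0$1 | 416 )) -eq 416 ]
}

# audit_filecreatemode FILE...: prints one line per finding and returns 0 only
# when exactly one directive exists across FILE... and it passes the check.
audit_filecreatemode() {
    matches=$(grep -H '^[[:space:]]*\$FileCreateMode' "$@" 2>/dev/null || true)
    count=0
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue      # heredoc is one empty line if grep matched nothing
        count=$((count + 1))
        file=${line%%:*}
        value=$(printf '%s\n' "${line#*:}" | awk '{print $2}')
        if filecreatemode_ok "$value"; then
            echo "OK   $file: \$FileCreateMode $value"
        else
            echo "FAIL $file: \$FileCreateMode $value is more permissive than 0640 or invalid"
            rc=1
        fi
    done <<EOF
$matches
EOF
    if [ "$count" -eq 0 ]; then
        echo "FAIL no \$FileCreateMode directive found; rsyslog falls back to its default 0644"
        rc=1
    elif [ "$count" -gt 1 ]; then
        echo "FAIL \$FileCreateMode set in $count places; the effective value depends on load order"
        rc=1
    fi
    return "$rc"
}
```

Run it as `audit_filecreatemode /etc/rsyslog.conf /etc/rsyslog.d/*.conf`; a non-zero exit status means the remediation above would change something.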

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure rsyslog Default File Permissions Configured - Search for $FileCreateMode
    Parameter in rsyslog Main Config File
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: ^\s*\$FileCreateMode\s*\d+
  register: rsyslog_main_file_with_filecreatemode
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode

- name: Ensure rsyslog Default File Permissions Configured - Search for $FileCreateMode
    Parameter in rsyslog Include Files
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: ^\s*\$FileCreateMode\s*\d+
  register: rsyslog_includes_with_filecreatemode
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode

- name: Ensure rsyslog Default File Permissions Configured - Assemble List of rsyslog
    Configuration Files with $FileCreateMode Parameter
  ansible.builtin.set_fact:
    rsyslog_filecreatemode_files: '{{ rsyslog_main_file_with_filecreatemode.files
      | map(attribute=''path'') | list + rsyslog_includes_with_filecreatemode.files
      | map(attribute=''path'') | list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode

- name: Ensure rsyslog Default File Permissions Configured - Remove $FileCreateMode
    Parameter from Multiple Files to Avoid Conflicts
  ansible.builtin.lineinfile:
    path: '{{ item }}'
    regexp: \$FileCreateMode.*
    state: absent
  register: result_rsyslog_filecreatemode_removed
  loop: '{{ rsyslog_filecreatemode_files }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_filecreatemode_files | length > 1
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode

- name: Ensure rsyslog Default File Permissions Configured - Add $FileCreateMode Parameter
    and Expected Value
  ansible.builtin.lineinfile:
    path: /etc/rsyslog.d/99-rsyslog_filecreatemode.conf
    line: $FileCreateMode 0640
    # quoted octal mode (decimal 416); an unquoted integer is easy to misread
    mode: '0640'
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_filecreatemode_files | length == 0 or result_rsyslog_filecreatemode_removed
    is not skipped
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode

- name: Ensure rsyslog Default File Permissions Configured - Ensure Correct Value
    of Existing $FileCreateMode Parameter
  ansible.builtin.lineinfile:
    path: '{{ item }}'
    # same leading-whitespace tolerance as the find tasks above, so an indented
    # directive is replaced rather than duplicated
    regexp: ^\s*\$FileCreateMode
    line: $FileCreateMode 0640
  loop: '{{ rsyslog_filecreatemode_files }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_filecreatemode_files | length == 1
  tags:
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_filecreatemode