rsyslog.conf : others should not have read permissions¶

Labels: enhancement

GitarPlayer opened issue at 2024-07-18 13:14:¶

Pull Request Details:¶

Type: Enhancement
Impact: Low
Reference to related issue (URL):
How was this pull request tested? Not at all
Description of the changes in this pull request: We have scanners that check that no log is world readable for compliance reasons. The default as it is set now violates this. I currently solve it by fixing the mode with ansible after package install. But since the possibly sensitive nature of this log I think it others should not have read permissions. This is something only a system adminstrator should have a look at.

jsmeix commented at 2024-07-18 13:38:¶

@GitarPlayer
see
https://raw.githubusercontent.com/rear/rear/master/.github/ISSUE_TEMPLATE.md
what info we normally need.

Additionally provide information how to reproduce
your particular issue because for me all seems to be OK:

# grep -v '^#' etc/rear/local.conf 
OUTPUT=ISO
BACKUP=NETFS
BACKUP_URL=file:///other/

# usr/sbin/rear mkrescue
...

# find var/log/rear/ -ls
... drwxr-xr-x 2 root root ... Jul 18 15:32 var/log/rear/
... -rw------- 1 root root ... Jul 18 15:33 var/log/rear/rear-localhost.log

# find /other -ls
... drwxrwxrwx 3 root root ... Jul 18 15:33 /other
... drwxr-x--- 2 root root ... Jul 18 15:33 /other/localhost
... -rw------- 1 root root ... Jul 18 15:33 /other/localhost/rear-localhost.log
... -rw------- 1 root root ... Jul 18 15:33 /other/localhost/.lockfile
... -rw------- 1 root root ... Jul 18 15:33 /other/localhost/VERSION
... -rw------- 1 root root ... Jul 18 15:33 /other/localhost/README
... -rw------- 1 root root ... Jul 18 15:33 /other/localhost/rear-localhost.iso

jsmeix commented at 2024-07-18 13:40:¶

@GitarPlayer
oops - sorry - I falsely thought it is an issue
but it is a pull request...

jsmeix commented at 2024-07-18 13:42:¶

@rear/contributors

I don't know about the intended use case of
usr/share/rear/skel/default/etc/rsyslog.conf
so I cannot properly review the requested change here.

jsmeix commented at 2024-07-18 13:46:¶

@schlomo
according to the output of

git log -p --follow usr/share/rear/skel/default/etc/rsyslog.conf

you are basically the author of it (originated in 2009)
so I dare to ask for your review of this pull request.

schlomo commented at 2024-07-18 13:53:¶

@GitarPlayer thank you for contributing to ReaR!

Can you please provide more context about how your compliance scanner find a file that exists only on the rescue system that runs purely in memory?

The configuration file that you want to change comes into effect only on the rescue system and only if rsyslog is used.

I'd actually recommend against running compliance scanners on the rescue system as the rescue system is very short lived and not a standard Linux distro.

Maybe this is actually a false positive of your scanner, where the scanner finds a file named rsyslog.conf and complains about it even though it is not used on the host system?

GitarPlayer commented at 2024-07-18 14:29:¶

wow thank you both for such prompt replies. So my audit scanner just keeps complaining about world readable log files. So he basically checks if any file in /var/log has the other bit set to anything other than zero. But I think @schlomo is correct that it is probably not that file causing the issue.

But what really confuses me is that now and then I do end up having a other readable log file in /var/log/rear. Just today I received one that was rw-rw-r. But I am not entirely sure how this happens. My rsyslog.conf:

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

my rsyslog.d/00-globals.conf:

$FileCreateMode 0640
global(
  DefaultNetstreamDriver="ossl"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca-bundle.crt"
)

have you ever encountered something like that in the past with rear? Or am I the only one. I will definitely try to nail down the issue more precisely.

schlomo commented at 2024-07-18 14:41:¶

Here we create the logfile and set the file permissions to be private:
https://github.com/rear/rear/blob/0fa49b3089ad0015f1ab67335c596fc28066f2df/usr/sbin/rear#L658-L660

Maybe your problem is related to how you run ReaR? It doesn't run by itself unless you set that up yourself.

@GitarPlayer I'd suggest you to reach out to us for professional support to help you with this as it seems to be to be not directly a ReaR topic.

[Export of Github issue for rear/rear.]

#3280 PR open: skel/default/etc/rsyslog.conf : others should not have read permissions¶