Azure/WALinuxAgent

[BUG] permission of /var/log/azure/<plugin> keeps reverted

ChoiSD opened this issue · 2 comments

Describe the bug: A clear and concise description of what the bug is.

chmod g-w,o-rwx executed on directories in /var/log as per CIS benchmark, 4.2.3 Ensure permissions on all logfiles are configured. However, permissions get reverted back to 755.
Is there any way to fix this?

*** Audit
# find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +

*** Remediation
# find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" +

*** Expectation

  4233686      0 drwxr-x---   3  root     root           88 Feb 13 07:56 /var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux
  4233167      0 drwxr-x---   3  root     root           48 Feb 13 08:00 /var/log/azure/Microsoft.GuestConfiguration.ConfigurationforLinux

*** Result

  4233686      0 drwxr-xr-x   3  root     root           88 Feb 13 07:56 /var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux
  4233167      0 drwxr-xr-x   3  root     root           48 Feb 13 08:00 /var/log/azure/Microsoft.GuestConfiguration.ConfigurationforLinux

Distro and WALinuxAgent details (please complete the following information):

  • Distro and Version: RHEL 8.6
  • WALinuxAgent version
# waagent --version
WALinuxAgent-2.3.0.2 running on redhat 8.6
Python: 3.6.8
Goal state agent: 2.9.0.4

Log file attached
According to audit log, directory attributes were changed by /usr/bin/python3.6 -u bin/WALinuxAgent-2.9.0.4-py2.7.egg -run-exthandlers.

----
type=PROCTITLE msg=audit(02/20/2023 04:50:04.454:619) : proctitle=/usr/bin/python3.6 -u bin/WALinuxAgent-2.9.0.4-py2.7.egg -run-exthandlers
type=PATH msg=audit(02/20/2023 04:50:04.454:619) : item=0 name=/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux inode=4233686 dev=fd:03 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/20/2023 04:50:04.454:619) : cwd=/var/lib/waagent/WALinuxAgent-2.9.0.4
type=SYSCALL msg=audit(02/20/2023 04:50:04.454:619) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc507323f8 a1=0755 a2=0x0 a3=0x2 items=1 ppid=7855 pid=7869 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3.6 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:unconfined_service_t:s0 key=cistest
----
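
Added example (not part of the original post and not WALinuxAgent code): a small Python correlator for `ausearch -i` output laid out like the excerpt above. It groups records by event serial and reports successful chmod calls that re-add the bits the remediation removed. The sample records, paths and function names are constructed for illustration, and it assumes interpreted (`-i`) output.

```python
import re
from collections import defaultdict
# Constructed sample in the `ausearch -i` layout shown in the post (placeholder paths and commands).
SAMPLE = """\
type=PROCTITLE msg=audit(01/01/2024 00:00:01.000:101) : proctitle=/usr/bin/python3 -u example-agent -run
type=PATH msg=audit(01/01/2024 00:00:01.000:101) : item=0 name=/var/log/example/plugin inode=11 mode=dir,750 ouid=root ogid=root nametype=NORMAL
type=SYSCALL msg=audit(01/01/2024 00:00:01.000:101) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f00 a1=0755 a2=0x0 items=1 pid=200 uid=root comm=python3 exe=/usr/bin/python3 key=cistest
type=PROCTITLE msg=audit(01/01/2024 00:00:02.000:102) : proctitle=/usr/bin/python3 rotate-example.py
type=PATH msg=audit(01/01/2024 00:00:02.000:102) : item=0 name=/var/log/example/app.log inode=12 mode=file,644 ouid=root ogid=root nametype=NORMAL
type=SYSCALL msg=audit(01/01/2024 00:00:02.000:102) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f10 a1=0640 a2=0x0 items=1 pid=201 uid=root comm=python3 exe=/usr/bin/python3 key=cistest
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}  # syscall argument holding the mode
# Bits the post's remediation strips: g-w,o-rwx on directories, g-wx,o-rwx on files.
FORBIDDEN = {"dir": 0o027, "file": 0o037}

def parse_events(text):
    """Group records by audit event serial (the number after the timestamp)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        if rtype == "PROCTITLE":  # the value contains spaces, keep it whole
            fields = {"proctitle": body.partition("=")[2]}
        else:
            fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        fields["stamp"] = stamp
        events[serial][rtype] = fields  # a later PATH item would overwrite item=0
    return events

def loosening_chmods(text):
    """Return successful chmod-family calls whose requested mode re-adds stripped bits."""
    findings = []
    for serial, ev in parse_events(text).items():
        sc, path = ev.get("SYSCALL", {}), ev.get("PATH", {})
        arg = MODE_ARG.get(sc.get("syscall"))
        if arg is None or sc.get("success") != "yes":
            continue
        raw = sc[arg]
        mode = int(raw, 16) if raw.startswith("0x") else int(raw, 8)
        kind = path.get("mode", "file,").split(",")[0]
        if mode & FORBIDDEN.get(kind, 0o037):
            findings.append({"serial": serial, "time": sc["stamp"], "path": path.get("name"),
                             "path_mode": path.get("mode"), "requested": format(mode, "04o"),
                             "exe": sc.get("exe"), "proctitle": ev.get("PROCTITLE", {}).get("proctitle")})
    return findings
```

Feed `loosening_chmods()` the text produced by `ausearch -i -k cistest` (the key used in the post's audit rule) to list which executable and command line requested each loosening mode.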

@ChoiSD In your remediation you are using "-type f", and then looking at the access for the directories. Should you also apply your remediation using "-type d"?

@narrieta Thanks for your comment, and sorry, my bad.
I found there are multiple versions of the CIS benchmark, and the commands are slightly different between them.

*** 4.2.3 Ensure permissions on all logfiles are configured

CIS benchmark:
find /var/log -type f -perm /037 -ls -o -type d -perm /026 -ls
find /var/log -type f -exec chmod g-wx,o-rwx '{}' + -o -type d -exec chmod g-w,o-rwx '{}' +

CIS benchmark for Azure:
find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +
find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" +

Thus, the Azure version is not interested in directories' permissions. As this is an Azure VM, I will follow the Azure benchmark.
I will close this issue. Thank you!