[BUG] permission of /var/log/azure/<plugin> keeps reverted
ChoiSD opened this issue · 2 comments
Describe the bug:
chmod g-w,o-rwx was executed on the directories in /var/log as per CIS benchmark 4.2.3, "Ensure permissions on all logfiles are configured". However, the permissions get reverted back to 755.
Is there any way to fix this?
*** Audit
# find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +
*** Remediation
# find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" +
*** Expectation
4233686 0 drwxr-x--- 3 root root 88 Feb 13 07:56 /var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux
4233167 0 drwxr-x--- 3 root root 48 Feb 13 08:00 /var/log/azure/Microsoft.GuestConfiguration.ConfigurationforLinux
*** Result
4233686 0 drwxr-xr-x 3 root root 88 Feb 13 07:56 /var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux
4233167 0 drwxr-xr-x 3 root root 48 Feb 13 08:00 /var/log/azure/Microsoft.GuestConfiguration.ConfigurationforLinux
Distro and WALinuxAgent details (please complete the following information):
- Distro and Version: RHEL 8.6
- WALinuxAgent version:
# waagent --version
WALinuxAgent-2.3.0.2 running on redhat 8.6
Python: 3.6.8
Goal state agent: 2.9.0.4
Log file attached
According to the audit log, the directory attributes were changed by /usr/bin/python3.6 -u bin/WALinuxAgent-2.9.0.4-py2.7.egg -run-exthandlers.
----
type=PROCTITLE msg=audit(02/20/2023 04:50:04.454:619) : proctitle=/usr/bin/python3.6 -u bin/WALinuxAgent-2.9.0.4-py2.7.egg -run-exthandlers
type=PATH msg=audit(02/20/2023 04:50:04.454:619) : item=0 name=/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux inode=4233686 dev=fd:03 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/20/2023 04:50:04.454:619) : cwd=/var/lib/waagent/WALinuxAgent-2.9.0.4
type=SYSCALL msg=audit(02/20/2023 04:50:04.454:619) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc507323f8 a1=0755 a2=0x0 a3=0x2 items=1 ppid=7855 pid=7869 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3.6 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:unconfined_service_t:s0 key=cistest
----
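Attributing a permission change like the one above means joining the auditd records that share one event id (PROCTITLE, PATH, CWD, SYSCALL). The following is an added example, not part of the issue or of WALinuxAgent: it parses ausearch -i style output (the constructed sample repeats the record quoted above), groups records by event id, and for each chmod-family syscall reports the path, the mode before the call (from the PATH record) and after it (from the mode argument), the executable and the audit key, and whether the resulting mode violates the CIS logfile control. The forbidden-bit masks encode the rules quoted in this thread (g-w,o-rwx for directories, g-wx,o-rwx for files); the syscall-to-argument mapping follows the chmod(2), fchmod(2) and fchmodat(2) signatures.

```python
"""Correlate auditd records into chmod events (added example, not project code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the ausearch -i output quoted in the issue.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(02/20/2023 04:50:04.454:619) : proctitle=/usr/bin/python3.6 -u bin/WALinuxAgent-2.9.0.4-py2.7.egg -run-exthandlers
type=PATH msg=audit(02/20/2023 04:50:04.454:619) : item=0 name=/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux inode=4233686 dev=fd:03 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/20/2023 04:50:04.454:619) : cwd=/var/lib/waagent/WALinuxAgent-2.9.0.4
type=SYSCALL msg=audit(02/20/2023 04:50:04.454:619) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc507323f8 a1=0755 a2=0x0 a3=0x2 items=1 ppid=7855 pid=7869 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python3.6 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:unconfined_service_t:s0 key=cistest
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]+)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Bits the CIS "logfile permissions" control forbids: directories g-w,o-rwx;
# regular files g-wx,o-rwx (the two variants of the control quoted in the thread).
FORBIDDEN_BITS = {"dir": 0o027, "file": 0o037}

# Which syscall argument carries the new mode: chmod(path, mode), fchmod(fd, mode),
# fchmodat(dirfd, path, mode, flags).
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}


def parse_fields(record_type, body):
    """Split an audit record body into key/value pairs."""
    if record_type == "PROCTITLE":
        # Interpreted proctitle contains spaces, so keep it whole.
        return {"proctitle": body.split("proctitle=", 1)[1]}
    return dict(FIELD_RE.findall(body))


def group_events(text):
    """Group records by event id -> record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue
        rtype, event_id, body = match.groups()
        events[event_id][rtype].append(parse_fields(rtype, body))
    return events


def parse_mode(value, interpreted=True):
    """ausearch -i prints mode arguments in octal (0755); raw audit.log prints hex."""
    return int(value, 8 if interpreted else 16)


def chmod_events(text, interpreted=True):
    """Return one summary dict per successful chmod-family syscall in the log."""
    results = []
    for event_id, records in group_events(text).items():
        for syscall in records.get("SYSCALL", []):
            name = syscall.get("syscall")
            if name not in MODE_ARG or syscall.get("success") != "yes":
                continue
            new_mode = parse_mode(syscall[MODE_ARG[name]], interpreted)
            # For chmod the target is the single PATH item; take the last one recorded.
            path_rec = records.get("PATH", [{}])[-1]
            kind, _, old = path_rec.get("mode", "unknown,0").partition(",")
            proctitle = records.get("PROCTITLE", [{}])[-1].get("proctitle", "")
            results.append({
                "event": event_id,
                "path": path_rec.get("name"),
                "kind": kind,
                "old_mode": int(old, 8),
                "new_mode": new_mode,
                "exe": syscall.get("exe"),
                "proctitle": proctitle,
                "key": syscall.get("key"),
                "violates_cis": bool(new_mode & FORBIDDEN_BITS.get(kind, 0o037)),
            })
    return results


def format_event(event):
    """One-line report suitable for an alert or ticket."""
    verdict = "VIOLATES CIS" if event["violates_cis"] else "ok"
    return (f"{event['kind']} {event['path']}: {event['old_mode']:04o} -> "
            f"{event['new_mode']:04o} by {event['exe']} ({event['proctitle']}) "
            f"[key={event['key']}] {verdict}")


if __name__ == "__main__":
    for ev in chmod_events(SAMPLE_AUDIT_LOG):
        print(format_event(ev))
```

Running it against the sample prints a single line attributing the 0750 to 0755 change on the OmsAgentForLinux log directory to the platform-python3.6 process running the agent's extension handler, flagged as a CIS violation under the directory rule. On a real host the input would be the output of ausearch -i -k cistest (the key set on the audit rule), and the interpreted flag would be set to False only when feeding raw /var/log/audit/audit.log lines.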
@ChoiSD In your remediation you are using "-type f", and then looking at the access for the directories. Should you also apply your remediation using "-type d"?
@narrieta Thanks for your comment, and sorry, my bad.
I found there are multiple versions of the CIS benchmark, and the commands are slightly different between them.
*** 4.2.3 Ensure permissions on all logfiles are configured
| CIS benchmark | CIS benchmark for Azure |
|---|---|
| find /var/log -type f -perm /037 -ls -o -type d -perm /026 -ls | find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" + |
| find /var/log -type f -exec chmod g-wx,o-rwx '{}' + -o -type d -exec chmod g-w,o-rwx '{}' + | find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" + |
Thus, the Azure version is not interested in directory permissions. As this is an Azure VM, I will follow the Azure benchmark.
I will close this issue. Thank you!