PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

A.1.2.d Verify that viewing of log entries is restricted to the owning entity.

To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others.

By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

find /var/log -perm -o=r ! -type l

This will show all files in /var/log or any subdirectory where the other group has read permissions. We skip any symbolic links, as they will show up otherwise.

Changing permissions

Usually it is easy to restrict log file viewing of these entries by changing file permissions. Depending on the software used, it might be wise to test altering the permissions, restart the process and test if the software can continue to work properly.

chmod 640 /var/log/nginx/error.log

Also tools like logrotate might create new log files with inappropriate permissions. So this control has to be reviewed on a regular basis. It is preferred to use an automated solution to test.

Some files may need an exception, like /var/log/wtmp. Running the last command will result in a permission denied error.

$ last
last: /var/log/wtmp: Permission denied

This information is provided as an addition to the PCI DSS plugin for Lynis.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon