PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Restrict log file viewing

A.1.2.d Verify that viewing of log entries is restricted to the owning
entity.

To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others.

Search related log files

By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

find /var/log -perm -o=r ! -type l

This will show all files in /var/log or any subdirectory where the other group has read permissions. We skip any symbolic links, as they will show up otherwise.

Changing permissions

Usually it is easy to restrict log file viewing of these entries by changing file permissions. Depending on the software used, it might be wise to test altering the permissions, restart the process and test if the software can continue to work properly.

chmod 640 /var/log/

Also tools like logrotate might create new log files with inappropriate permissions. So this control has to be reviewed on a regular basis. It is preferred to use an automated solution to test.

Some files may need an exception, like /var/log/wtmp. Running the last command will result in a permission denied error.

user@host:~$ last
last: /var/log/wtmp: Permission denied

This information is provided as an addition to the PCI DSS plugin for Lynis.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


Leave a Reply

Your email address will not be published. Required fields are marked *