PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Restrict log file viewing

A.1.2.d Verify that viewing of log entries is restricted to the owning
entity.

To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others.

Search related log files

By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

find /var/log -perm -o=r ! -type l

This will show all files in /var/log or any subdirectory where the other group has read permissions. We skip any symbolic links, as they will show up otherwise.

Changing permissions

Usually it is easy to restrict log file viewing of these entries by changing file permissions. Depending on the software used, it might be wise to test altering the permissions, restart the process and test if the software can continue to work properly.

chmod 640 /var/log/

Also tools like logrotate might create new log files with inappropriate permissions. So this control has to be reviewed on a regular basis. It is preferred to use an automated solution to test.

Some files may need an exception, like /var/log/wtmp. Running the last command will result in a permission denied error.

user@host:~$ last
last: /var/log/wtmp: Permission denied

This information is provided as an addition to the PCI DSS plugin for Lynis.

Automate security audits and know your risks
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.

Is system hardening taking a lot of time for you? Don't know where to start? We solved that problem: Lynis Enterprise.


Leave a Reply

Your email address will not be published. Required fields are marked *