Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Jun 2015 11:56:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-3243 rsyslog: some log files are created world-readable

So /var/log/cron is world readable in RHEL7 which means the complete
command line is logged (so --password=, hostnames, etc.).

In line with this I have made the following proposed change for Fedora
(and by extensions Red Hat products):

https://fedoraproject.org/wiki/Kurtseifried/secure_config_and_log_permissions

Have secure by default permissions for configuration and log files

Proposed change

All configuration files (e.g. files in /etc/) and all log files (e.g.
files in /var/log/) must not be set world-readable unless there is a
functional reason to do so. By default, configuration files should be
chmod 600 or 0640 and log files should be chmod 0600. This is due to a
continuing number of security issues with world readable files that
contain sensitive information (e.g. passwords and access tokens or
logged usernames and commands for example).

Rationale

The number of security issues created by lax permissions on
configuration and log files has resulted in a number of security issues
exploitable by local users. E.g.:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=configuration+file+permissions

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=log+file+permissions

Please note that the above lists are by no means a complete listing of
the security flaws that have resulted from lax permissions.

I would invite other distros/etc to also do this.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.