Date: Thu, 18 Jun 2015 11:56:48 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2015-3243 rsyslog: some log files are created world-readable So /var/log/cron is world readable in RHEL7 which means the complete command line is logged (so --password=, hostnames, etc.). In line with this I have made the following proposed change for Fedora (and by extensions Red Hat products): https://fedoraproject.org/wiki/Kurtseifried/secure_config_and_log_permissions Have secure by default permissions for configuration and log files Proposed change All configuration files (e.g. files in /etc/) and all log files (e.g. files in /var/log/) must not be set world-readable unless there is a functional reason to do so. By default, configuration files should be chmod 600 or 0640 and log files should be chmod 0600. This is due to a continuing number of security issues with world readable files that contain sensitive information (e.g. passwords and access tokens or logged usernames and commands for example). Rationale The number of security issues created by lax permissions on configuration and log files has resulted in a number of security issues exploitable by local users. E.g.: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=configuration+file+permissions http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=log+file+permissions Please note that the above lists are by no means a complete listing of the security flaws that have resulted from lax permissions. I would invite other distros/etc to also do this. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.