From aecc8fdebd9eddda933ee7f730943bdd9fecc5db Mon Sep 17 00:00:00 2001
From: Israel Villar Boillos
Date: Fri, 5 Jun 2026 20:25:25 +0100
Subject: [PATCH] Fix log file permission rules for Debian (CIS 6.1.3.1)

Debian uses group `adm` (not root) and mode 0640 for /var/log/messages, and APT writes log files under /var/log/apt/ that CIS allows at 0644.

- file_groupowner_var_log_messages: extend ubuntu2404 condition to all Debian products so the rule accepts group adm|root instead of GID 0.
- file_permissions_var_log_messages: extend condition to all Debian products so the rule checks for 0640 instead of 0600.
- permissions_local_var_log: add excluded_files@debian13 to skip APT log files and [bw]tmp/lastlog; add recursive@debian13 to also check /var/log/apt/ subdirectory.

Co-Authored-By: Claude Sonnet 4.6
---
 .../permissions/files/permissions_local_var_log/rule.yml | 2 ++
 .../file_groupowner_var_log_messages/rule.yml | 4 ++--
 .../file_permissions_var_log_messages/rule.yml | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
index 1be0bd45ad28..192383d53e40 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -57,10 +57,12 @@ template:
         excluded_files@slmicro5: ['*[bw]tmp', '*lastlog']
         excluded_files@slmicro6: ['*[bw]tmp', '*lastlog']
         excluded_files@ubuntu2204: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*']
+        excluded_files@debian13: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*']
         excluded_files@ubuntu2404: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*', 'cloud-init.log*', 'localmessages*', 'waagent.log*']
         file_regex: '.*'
         filemode: '0640'
         filepath: /var/log/
+        recursive@debian13: 'true'
         recursive@sle12: 'true'
         recursive@sle15: 'true'
         recursive@sle16: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
index db4e868bc414..68efa233a2dc 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns /var/log/messages File'
-{{%- if product in ['ubuntu2404'] %}}
+{{%- if product in ['ubuntu2404'] or 'debian' in product %}}
 description: '{{{ describe_file_group_owner(file="/var/log/messages", group="adm|root") }}}'
 {{%- else %}}
 description: '{{{ describe_file_group_owner(file="/var/log/messages", group="root") }}}'
@@ -23,7 +23,7 @@ references:
     srg: SRG-OS-000206-GPOS-00084
     stigid@ol8: OL08-00-010230
-{{%- if product in ['ubuntu2404'] %}}
+{{%- if product in ['ubuntu2404'] or 'debian' in product %}}
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/messages", group="adm|root") }}}'
 ocil: |-
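Review bot: The new `excluded_files@debian13` entry removes `history.log*` and `eipp.log.xz*` from the check entirely rather than checking them at the 0644 the commit message says CIS permits, so once `recursive@debian13: 'true'` makes the rule walk into /var/log/apt/, a world-writable history.log would still pass. If the intent is to enforce 0644 on APT logs, a companion rule with `filepath: /var/log/apt/` and `filemode: '0644'` would cover them; otherwise a comment above the new key stating that APT logs are deliberately unchecked by this rule would stop the next reader from assuming they are. Both new keys are also scoped to `@debian13` alone, while the other two rules in this patch switch on `'debian' in product`, so if other Debian products build this rule they get the relaxed /var/log/messages rules elsewhere but neither the exclusions nor the recursion here; adding the matching per-product keys, or documenting why only debian13 is covered, would keep the CIS mapping consistent.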
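Review bot: In file_groupowner_var_log_messages the two hunks change only the description and the OCIL conditionals to `or 'debian' in product`; the template/OVAL section that actually evaluates the group owner is outside these hunks and, per the diffstat, untouched by this patch. If that check still keys on `ubuntu2404` only, Debian would be documented as accepting `adm|root` while the evaluated check still demands root, so please confirm the check side follows the same condition before merging. As a point of style, `'debian' in product` is a substring test that silently opts in any future product whose name contains "debian"; listing the intended Debian products explicitly next to `'ubuntu2404'`, as the sibling rule does for `ol8`/`ol9`, makes the scope auditable.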
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
index 1eee00ea1d2e..845a23865cfe 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'Verify Permissions on /var/log/messages File'
-{{% if product in ['ubuntu2404','ol9','ol8'] %}}
+{{% if product in ['ubuntu2404','ol9','ol8'] or 'debian' in product %}}
 {{% set target_perms_octal="0640" %}}
 {{% set target_perms="-rw-r-----" %}}
 {{% else %}}
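Review bot: `or 'debian' in product` relaxes this rule from 0600 to 0640 for every Debian product, whereas the permissions_local_var_log hunk in the same patch adds its Debian keys for debian13 only, so a profile for another Debian release would get the looser /var/log/messages mode here without the matching /var/log/ exclusions and recursion there. Aligning the product sets across the three rules, either with an explicit list in this condition or the extra per-product keys in the template vars, keeps the CIS 6.1.3.1 mapping coherent. Because this is a deliberate weakening relative to 0600, a short comment above the condition such as `{{# CIS 6.1.3.1: Debian and Ubuntu 24.04 create /var/log/messages 0640 with group adm #}}` would record the rationale for the next reader; the `{{% else %}}` branch continues outside the hunk.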