- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to “640” or less permissive by using the following command:
$ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %a" {} \;
If any output returned has a permission set greater than “640”, this is a finding.
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
find -H /run/log/journal/ -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
find -H /var/log/journal/ -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Find /run/log/journal/ file(s) recursively
command: find -H /run/log/journal/ -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-UBTU-22-232027
- configure_strategy
- file_permissions_system_journal
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /run/log/journal/ file(s)
file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-UBTU-22-232027
- configure_strategy
- file_permissions_system_journal
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /var/log/journal/ file(s) recursively
command: find -H /var/log/journal/ -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-UBTU-22-232027
- configure_strategy
- file_permissions_system_journal
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /var/log/journal/ file(s)
file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-UBTU-22-232027
- configure_strategy
- file_permissions_system_journal
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed