Set permission on dmesg, wtmp log files


As part of the hardening process I set certain log files to 600; all works fine for the usual suspects, cron, secure, kern.log etc.

However when setting the dmesg log file to 600, after every reboot it gets set back to 644, I understand that this log gets re-created after every boot, so where can I set it permanently? Logrotate doesn't seem to fit this use case.

I also have the same issue for wtmp. I did set this to 600 in logrotate (it was already configured at 644, so I changed it), but after reboot it's back at 644.

/var/log/wtmp {
    monthly
    create 0600 root utmp
    minsize 1M
    rotate 1
}

Responses

In RHEL7, the log file /var/log/dmesg is produced at boot time by /usr/lib/systemd/system/rhel-dmesg.service, which simply executes /usr/lib/systemd/rhel-dmesg. That script contains just a few lines:

#!/bin/bash
[ -f /var/log/dmesg ] && mv -f /var/log/dmesg /var/log/dmesg.old
dmesg -s 131072 > /var/log/dmesg

So it just moves the old file away and creates a new one from scratch, using the default umask at that time.

I suggest you follow the standard systemd override procedure: copy /usr/lib/systemd/system/rhel-dmesg.service into /etc/systemd/system/rhel-dmesg.service to override the standard system version and edit the ExecStart= line in its [Service] section to point to a customized version of the script:

ExecStart=/etc/systemd/rhel-dmesg   # or however you choose to name it

(Note: adding "Umask=0077" to the [Service] section does not seem to work, probably because the shell that systemd will start to execute the script will also run /etc/profile, which by default includes umask 022 for root. I tried that in a vanilla RHEL 7.4 VM)

Then copy the /usr/lib/systemd/rhel-dmesg script to /etc/systemd for customization, and add the umask command to it:

#!/bin/bash
umask 0077  # added for hardening
[ -f /var/log/dmesg ] && mv -f /var/log/dmesg /var/log/dmesg.old
dmesg -s 131072 > /var/log/dmesg

Any service file in /etc/systemd/system whose name exactly matches a file in /usr/lib/systemd/system overrides the /usr/lib/systemd/system version of the file. This is the standard way to customize systemd services in a way that is guaranteed not to be overwritten by RPM updates.

For wtmp, the default permissions are defined in /usr/lib/tmpfiles.d/var.conf: since this is also a systemd component (see man systemd-tmpfiles), I recommend copying /usr/lib/tmpfiles.d/var.conf to /etc/tmpfiles.d/ and modifying the copy to override the default permissions. However, I have not tested this.
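
The three pieces of the answer above (the customized script, the systemd override and the tmpfiles.d override for wtmp) as one installer script. This is an added example, not Red Hat's code and not the answer author's; it uses a drop-in file under rhel-dmesg.service.d/ rather than the full copy of the unit described above (both are standard systemd overrides), spells the umask directive UMask= as systemd.exec(5) documents it, and assumes a ROOT prefix variable and the drop-in file name hardening.conf, which are invented here so the functions can be exercised against a scratch directory before touching the real system.

```bash
#!/bin/bash
# Added example (not Red Hat's or the answer author's code): install the
# hardened rhel-dmesg script, a systemd drop-in that points the service at it,
# and a tmpfiles.d override for /var/log/wtmp. ROOT is an assumed prefix so the
# functions can be exercised on a scratch directory; empty means the real root.
set -eu

ROOT="${ROOT:-}"

# The customised script from the answer, with umask 0077 added so the
# redirect that writes /var/log/dmesg creates it 0600.
write_dmesg_script() {
    local dst="$ROOT/etc/systemd/rhel-dmesg"
    mkdir -p "$(dirname "$dst")"
    cat > "$dst" <<'EOF'
#!/bin/bash
umask 0077  # added for hardening: the redirect below now creates a 0600 file
[ -f /var/log/dmesg ] && mv -f /var/log/dmesg /var/log/dmesg.old
dmesg -s 131072 > /var/log/dmesg
EOF
    chmod 0755 "$dst"
    printf '%s\n' "$dst"
}

# A drop-in instead of a full copy of rhel-dmesg.service: systemd merges every
# *.conf in rhel-dmesg.service.d/ over the vendor unit, so only the changed
# directives need to be carried. The file name hardening.conf is an assumption.
write_dmesg_dropin() {
    local dir="$ROOT/etc/systemd/system/rhel-dmesg.service.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
# An empty assignment clears the vendor ExecStart= before the replacement is set.
ExecStart=
ExecStart=/etc/systemd/rhel-dmesg
# The directive is spelled UMask= (see systemd.exec(5)); it applies to the
# service process directly and backs up the umask inside the script.
UMask=0077
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# /etc/tmpfiles.d/var.conf replaces /usr/lib/tmpfiles.d/var.conf wholesale
# (same file name), so the copy must keep every other vendor entry and change
# only the wtmp line; a one-line file would silently drop the rest of var.conf.
write_wtmp_tmpfiles() {
    local src="$ROOT/usr/lib/tmpfiles.d/var.conf"
    local dst="$ROOT/etc/tmpfiles.d/var.conf"
    local want='f /var/log/wtmp 0600 root utmp -'
    mkdir -p "$(dirname "$dst")"
    if [ -f "$src" ]; then
        sed -E "s#^f[[:space:]]+/var/log/wtmp[[:space:]].*#$want#" "$src" > "$dst"
    else
        : > "$dst"
    fi
    grep -qxF "$want" "$dst" || printf '%s\n' "$want" >> "$dst"
    printf '%s\n' "$dst"
}

# Why the file comes back 644: a freshly created file gets 0666 with the
# creating process's umask removed. Returns the octal mode of a new file
# created under umask $1 at path $2.
create_with_umask() {
    ( umask "$1"; : > "$2" )
    stat -c '%a' "$2"
}

install_all() {
    write_dmesg_script
    write_dmesg_dropin
    write_wtmp_tmpfiles
    if [ -z "$ROOT" ]; then
        systemctl daemon-reload
        systemd-tmpfiles --create /etc/tmpfiles.d/var.conf
    fi
}

if [ "${1:-}" = "--install" ]; then
    install_all
fi
```

Run it as root with --install, then check with `systemctl start rhel-dmesg.service; stat -c '%a %U:%G' /var/log/dmesg /var/log/wtmp` before trusting the next reboot. One caveat a 0600 log file does not cover: unprivileged users can still read the same ring buffer with dmesg(1) unless kernel.dmesg_restrict is set to 1 in sysctl.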

Thanks for a great reply, Matti. As part of the hardening I've changed the default umask to 0077 in /etc/profile, so I'll try out a custom unit file and see how it goes and report back.

Hey Mike, I'm looking at going down a similar path, care to share your findings?

IIRC I changed the umask in /etc/profile to 077; I didn't have to create a custom unit file.

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 077
else
    umask 077
fi

The default I changed from is this:

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi