Set permission on dmesg, wtmp log files
As part of the hardening process I set certain log files to 600; all works fine for the usual suspects: cron, secure, kern.log etc.
However, when setting the dmesg log file to 600, after every reboot it gets set back to 644. I understand that this log gets re-created after every boot, so where can I set it permanently? Logrotate doesn't seem to fit this use case.
I also have the same issue for wtmp. I did set this to 600 in logrotate (it was already configured at 644, so I changed it), but after reboot it is back at 644.
/var/log/wtmp {
    monthly
    create 0600 root utmp
    minsize 1M
    rotate 1
}
Responses
In RHEL7, the log file /var/log/dmesg is produced at boot time by /usr/lib/systemd/system/rhel-dmesg.service, which simply executes /usr/lib/systemd/rhel-dmesg. That script contains just a few lines:
#!/bin/bash
[ -f /var/log/dmesg ] && mv -f /var/log/dmesg /var/log/dmesg.old
dmesg -s 131072 > /var/log/dmesg
So it just moves the old file away and creates a new one from scratch, using the default umask at that time.
I suggest you follow the standard systemd override procedure: copy /usr/lib/systemd/system/rhel-dmesg.service into /etc/systemd/system/rhel-dmesg.service to override the standard system version and edit the ExecStart= line in its [Service] section to point to a customized version of the script:
ExecStart=/etc/systemd/rhel-dmesg # or however you choose to name it
(Note: adding "Umask=0077" to the [Service] section does not seem to work, probably because the shell that systemd will start to execute the script will also run /etc/profile, which by default includes umask 022 for root. I tried that in a vanilla RHEL 7.4 VM)
Then copy the /usr/lib/systemd/rhel-dmesg script to /etc/systemd for customization, and add the umask command to it:
#!/bin/bash
umask 0077 # added for hardening
[ -f /var/log/dmesg ] && mv -f /var/log/dmesg /var/log/dmesg.old
dmesg -s 131072 > /var/log/dmesg
Any service file in /etc/systemd/system whose name exactly matches a file in /usr/lib/systemd/system will override the /usr/lib/systemd/system version of the file. This is the standard way to customize systemd services in a way that is guaranteed not to be overwritten by RPM updates.
For wtmp, the default permissions are defined in /usr/lib/tmpfiles.d/var.conf: since this is also a systemd component (see man systemd-tmpfiles), I recommend copying /usr/lib/tmpfiles.d/var.conf to /etc/tmpfiles.d/ and modifying the copy to override the default permissions. However, I have not tested this.
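As an added example (not part of the thread or of the rhel-dmesg script), a small bash script that reproduces the umask effect described in the answer in a scratch directory, and audits a list of log files for modes looser than 0600 so the override can be verified after a reboot. It assumes GNU coreutils (stat -c) on Linux.

```shell
#!/bin/bash
# Added example, not from the original answer. Assumes GNU coreutils (stat -c).

# Simulate the rhel-dmesg redirect ("dmesg > /var/log/dmesg") under a given umask
# in a throwaway directory and print the octal mode of the file it creates.
# Shows why the script's umask, not the unit file, decides the resulting mode.
mode_after_umask() {
  local um="$1" dir
  dir=$(mktemp -d)
  ( umask "$um"; echo "constructed kernel line" > "$dir/dmesg" )
  stat -c '%a' "$dir/dmesg"
  rm -rf "$dir"
}

# Audit: print every existing file whose mode grants any group/other bit.
# Returns 0 when all files are 0600 or tighter, 1 otherwise.
audit_log_modes() {
  local rc=0 f mode
  for f in "$@"; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    # 077 is octal in bash arithmetic: mask of all group/other permission bits.
    if [ $(( 8#$mode & 077 )) -ne 0 ]; then
      echo "LOOSE $mode $f"
      rc=1
    fi
  done
  return $rc
}
```

After applying the override, `audit_log_modes /var/log/dmesg /var/log/wtmp` run post-reboot confirms whether the files stayed at 0600.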
