{"description": "Files containing sensitive information should be protected by restrictive\npermissions. Most of the time, these files do not need to be read by any non-root user.\n\nTo properly set the permissions of <code>/var/log/messages</code>, run the command:\n<pre>$ sudo chmod 0640 /var/log/messages</pre>\n\nCheck that the \"permissions.local\" file contains the correct permissions rules with the following command:\n\n<pre># grep -i messages /etc/permissions.local\n\n/var/log/messages root:root 640</pre>", "rationale": "The <tt>/var/log/messages</tt> file contains system error messages. Only\nauthorized personnel should be aware of errors and the details of the\nerrors. Error messages are an indicator of an organization's operational\nstate or can identify the SUSE operating system or platform. Additionally,\nPersonally Identifiable Information (PII) and operational information must\nnot be revealed through error messages to unauthorized personnel or their\ndesignated representatives.", "severity": "medium", "references": {"srg": ["SRG-OS-000206-GPOS-00084"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Make sure /var/log/messages is not world-readable", "ocil": "To check the permissions of <code>/var/log/messages</code>,\nrun the command:\n<pre>$ ls -l /var/log/messages</pre>\nIf properly configured, the output should indicate the following permissions:\n<code>-rw-r-----</code>\n\nCheck that the <tt>permissions.local</tt> file contains the correct permissions rules with the following command:\n\n<pre># grep -i messages /etc/permissions.local\n\n/var/log/messages root:root 640</pre>\n\nIf the command returns no output or different output, this is a finding.\n\nRun the following command to correct the permissions after adding the missing entry:\n\n<pre># sudo chkstat --set --system</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], 
"conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that local /var/log/messages is not world-readable", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml", "template": null}