Investigate and correct overly permissive access on a sensitive log file in /var/log using
ownership and permission controls. Validate the result and set a more secure default behavior using
umask.
You’ve received a report that the audit.log file in /var/log is accessible to
users who should not see it. You must inspect the current permissions, adjust ownership, restrict access,
and confirm the system’s default permission behavior.
This is the kind of cleanup you do after an audit finding or a sloppy manual change, before assuming the logging pipeline or service configuration is the real problem.
/var/log/audit.log.chmod.umask and set a more secure default.ls -l as your baseline evidence: owner, group, and permission bits before any change.
640).
umask controls defaults for newly created files. Fixing one file is not the same as fixing the default posture.
ls -l /var/log/audit.logStart by proving the current state. This tells you the owner, group, and permission bits so you can identify exactly what is wrong before changing anything.
# Example (problem state):
-rw-r--r-- 1 root root 4523 Jul 18 14:32 /var/log/audit.logchmod o-r /var/log/audit.logThis is the quickest way to eliminate unintended disclosure without changing owner or group access. It narrows the problem and is a safe first hardening step.
ls -l /var/log/audit.log
# Confirm "other" no longer has 'r'.chgrp adm /var/log/audit.logAssigning a dedicated log-reading group is a common operations pattern. You grant access to the group and manage membership instead of widening file permissions.
ls -l /var/log/audit.log
# Confirm group owner is: admchmod 640 /var/log/audit.log
Using a numeric mode makes your intended end state explicit. 640 sets owner read/write,
group read-only, and no access for others. This is a clean, audit-friendly final state.
ls -l /var/log/audit.log
# Expected pattern:
-rw-r----- 1 root adm ... /var/log/audit.logumask
umask defines which permission bits are removed from newly created files by default.
If your environment is creating files too open, this is part of the root cause.
# Example:
0022umask 0027
0027 is a common secure default. For files, starting from 666 and applying a
mask of 027 results in 640. This aligns with “owner full access, group read-only,
others none.”
umask
# Confirm:
0027Permissions are only one layer. Confirm the user is actually in the group you’re granting access to, and consider SELinux contexts if your distro enforces them.
Verify the file mode includes group read (r). A common mistake is using 600
when you meant 640.
umask 0027 affects the current shell session. If you need persistence, set it in the appropriate
shell profile or system defaults for your environment.
The generating service may be rewriting the file or applying its own settings. Confirm service defaults and any log rotation rules that might be resetting ownership or mode.
This lab changes file permissions and may change the current shell’s default umask. Confirm the
final state matches what you intended.
ls -l /var/log/audit.log
umask
/var/log/audit.log shows -rw-r----- with group adm, and your
umask matches your intended default.
ls -l: Displays file permissions, owner, group, size, and timestamp.
chmod o-r <file>: Removes read permission from “others” without affecting owner and group permissions.
o: Others.-r: Remove read bit.chgrp <group> <file>: Changes a file’s group ownership to control access via group membership.
<group>: Target group (example: adm).chmod 640 <file>: Sets a file to rw-r----- (owner read/write, group read, others none).
6: Owner = read + write.4: Group = read.0: Others = none.umask: Shows the current permission mask applied to newly created files.
umask 0027: Sets a stricter default so new files typically become 640 instead of world-readable.
027: Removes write for group and all permissions for others by default.