
Ensure the log file permissions are set correctly

Description

The log_file_mode setting determines the file permissions for log files when logging_collector is enabled.

The parameter value is expected to be a numeric mode specification in the form accepted by the chmod and umask system calls. (To use the customary octal format, the number must start with a 0 (zero).)

The permissions should be set to allow only the necessary access to authorized personnel. In most cases the best setting is 0600, so that only the server owner can read or write the log files.

Rationale

Log files often contain sensitive data. Allowing unnecessary access to log files may inadvertently expose sensitive data to unauthorized personnel.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   rds
secureclouddb/engine    postgres

Default Rule

const { checkServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if log_file_mode is set to 0600
 */
function validate(databaseSettings) {
    // Server parameter under test and the value this rule requires
    const settingName = "log_file_mode"
    const expectedValue = '0600'
    // checkServerSetting compares the configured value with the expected one
    const success = checkServerSetting(databaseSettings, settingName, expectedValue)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);