Files under /var/log/apt should be included in other_read_excepts for CIS 4.2.3 #124
Description
Describe the bug
Inspec failure on Ubuntu 20.04 systems due to APT overriding permissions on /var/log/apt files and CIS 4.2.3:
ubuntu2004-ami: × cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (1 failed)
ubuntu2004-ami: × File /var/log/apt/history.log should not be readable by other
ubuntu2004-ami: expected File /var/log/apt/history.log not to be readable by other
Expected behavior
Seems an exception was added for the CIS 4.2.3 criteria to allow other read permissions for /var/log/lastlog and /var/log/wtmp but seems like files under /var/log/apt may also need to be included:
#90
AFAICT 644 permissions on /var/log/apt files are expected and do not seem to be a security issue ie.
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/404724
https://answers.launchpad.net/ubuntu/+source/apt/+question/696930
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285551
OS / Environment
Ubuntu 20.04
Inspec Version
$ inspec --version
4.18.39
Baseline Version
- name: cis-dil-benchmark
git: https://github.com/dev-sec/cis-dil-benchmark.git
tag: 0.4.12