syslog-rsyslog-permission: /etc/syslog and /etc/rsyslog.conf Permission Check

日期: 2025-08-01 | 影响软件: syslog rsyslog | POC: 已公开

漏洞描述

The /etc/syslog.conf or /etc/rsyslog.conf file was not owned by root or had insecure permissions,allowing attackers to manipulate logging settings to evade detection.

PoC代码[已公开]

id: syslog-rsyslog-permission

info:
  name: /etc/syslog and /etc/rsyslog.conf Permission Check
  author: songyaeji
  severity: high
  description: |
    The /etc/syslog.conf or /etc/rsyslog.conf file was not owned by root or had insecure permissions,allowing attackers to manipulate logging settings to evade detection.
  reference:
    - https://isms.kisa.or.kr
  tags: linux,local,kisa,audit,compliance

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      stat -c "%U %G %a" /etc/rsyslog.conf 2>/dev/null || echo "not-found"

  - engine:
      - sh
      - bash
    source: |
      stat -c "%U %G %a" /etc/syslog.conf 2>/dev/null || echo "not-found"

    matchers:
      - type: regex
        name: rsyslog
        part: code_1_response
        regex:
          - '^root\s+root\s+(600|644)$'

      - type: regex
        name: syslog
        part: code_2_response
        regex:
          - '^root\s+root\s+(600|644)$'
# digest: 4a0a00473045022057e616f66cdbb8c514a74c8b3d63748e4a400838e6e53d26b9dc1ff5f86796b2022100a6f9ca4535510294af9c6aef347cb8376c4ab27653abe22dae3bb0ad93d89d9a:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./code/linux/audit/syslog-rsyslog-permission.yaml