Have secure by default permissions for configuration and log files
Proposed change
All configuration files (e.g. files in /etc/) and all log files (e.g. files in /var/log/) must not be world-readable unless there is a functional reason for it. By default, configuration files should be mode 0600 or 0640 and log files should be mode 0600. The motivation is a continuing stream of security issues caused by world-readable files that contain sensitive information (e.g. passwords and access tokens, or logged usernames and commands).
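As an added example (not part of the proposal itself), the following POSIX shell script audits a directory tree against the modes stated above: it lists world-readable regular files and any file whose mode is not one of the allowed octal values. The script name and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the proposal: audit a tree against the proposed
# permission policy (configuration files 0600 or 0640, log files 0600).

# List regular files under $1 that have the world-read bit set.
# "-perm -004" (all of these bits set) is POSIX find, unlike GNU's "-perm -o=r".
world_readable() {
  find "$1" -type f -perm -004
}

# Print regular files under $1 whose permission bits are not exactly one of
# the octal modes given as the remaining arguments (e.g. 600 640).
# Returns 1 when at least one offending file was found, 0 otherwise.
check_modes() {
  dir=$1
  shift
  [ $# -gt 0 ] || return 2         # at least one allowed mode is required
  # Rewrite the positional parameters into a find expression:
  #   600 640  ->  -perm 600 -o -perm 640
  for mode in "$@"; do
    shift                          # consume the mode we are converting
    set -- "$@" -o -perm "$mode"   # append its exact-match test
  done
  shift                            # drop the leading "-o"
  offenders=$(find "$dir" -type f ! \( "$@" \))
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Run only when a directory and allowed modes are given on the command line:
#   sh audit_perms.sh /etc 600 640      # configuration files
#   sh audit_perms.sh /var/log 600      # log files
if [ $# -ge 2 ]; then
  echo "world-readable files under $1:"
  world_readable "$1"
  echo "files under $1 outside the allowed modes:"
  check_modes "$@"
fi
```

The exit status of check_modes makes the script usable as a packaging or CI check, failing the build when a shipped file violates the policy.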
Rationale
Lax permissions on configuration and log files have resulted in a number of security issues exploitable by local users. E.g.:
CVEs for configuration file permissions
Please note that the above lists are by no means a complete listing of the security flaws that have resulted from lax permissions.