From 617b6b78327544003adcf05c033c51f04406d4bc Mon Sep 17 00:00:00 2001 From: Jagatguru Prasad Mishra Date: Tue, 11 Feb 2025 03:58:36 -0500 Subject: [PATCH] Update permission of files under /var/log/ Currently, various file permissions under /var/log/ are more permissive than 640. To comply with the CIS benchmark requirements, the permissions should be set to 640 or more restrictive. This change updates the permissions and ownership of files under /var/log/ to 640. Ownership is also set to root:root wherever possible. Below are the exception where permissions or ownership are not updated: - /var/log/keystone/keystone.log: ownership set to keystone:keystone - /var/log/flux/helm-controller.log: ownership set to nobody:nogroup - /var/log/flux/source-controller.log: ownership set to nobody:nogroup - /var/log/puppet/masterhttp.log: mode set to 660 - /var/log/puppet/masterhttp.log: ownership set to puppet:puppet Test Plan: PASS: Build ISO and deploy AIO-SX. PASS: Verify that all files under /var/log/, except for those listed as exceptions, have 640 or more restrictive permissions and ownership as root:root in the AIO-SX deployment. PASS: AIO-SX: Run the CIS script 3-4 hours after installation to confirm that the file permissions and ownership modified by this change have not been reverted. PASS: AIO-SX: Run the CIS benchmark test one day after installation to verify that the file permissions and ownership modified by this change remain unchanged. Story: 2011241 Task: 51364 Change-Id: I84109690a21363335726bcbeac68f9f7c332ed36 
Signed-off-by: Jagatguru Prasad Mishra --- puppet-manifests/src/manifests/aio.pp | 5 + puppet-manifests/src/manifests/controller.pp | 5 + puppet-manifests/src/manifests/storage.pp | 5 + puppet-manifests/src/manifests/worker.pp | 5 + .../modules/openstack/manifests/barbican.pp | 3 +- .../templates/barbican-api-logrotate.erb | 1 + .../modules/platform/manifests/collectd.pp | 3 +- .../platform/manifests/logpermission.pp | 117 ++++++++++++++++++ 8 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 puppet-manifests/src/modules/platform/manifests/logpermission.pp
diff --git a/puppet-manifests/src/manifests/aio.pp b/puppet-manifests/src/manifests/aio.pp
index d7c6a3ba1..10ce4f624 100644
--- a/puppet-manifests/src/manifests/aio.pp
+++ b/puppet-manifests/src/manifests/aio.pp
@@ -125,6 +125,11 @@ class { '::platform::config::aio::post':
 stage => post,
 }
+class { '::platform::logpermission':
+ stage => post,
+ require => Class['::platform::config::aio::post'],
+}
+
 if $::osfamily == 'Debian' {
 lookup('classes', {merge => unique}).include
 } else {
diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp
index 83edbcf8e..57350d007 100644
--- a/puppet-manifests/src/manifests/controller.pp
+++ b/puppet-manifests/src/manifests/controller.pp
@@ -128,6 +128,11 @@ class { '::platform::config::controller::post':
 stage => post,
 }
+class { '::platform::logpermission':
+ stage => post,
+ require => Class['::platform::config::controller::post'],
+}
+
 if $::osfamily == 'Debian' {
 lookup('classes', {merge => unique}).include
 } else {
diff --git a/puppet-manifests/src/manifests/storage.pp b/puppet-manifests/src/manifests/storage.pp
index 0ad0fa3f2..129d19d21 100644
--- a/puppet-manifests/src/manifests/storage.pp
+++ b/puppet-manifests/src/manifests/storage.pp
@@ -46,6 +46,11 @@ class { '::platform::config::storage::post':
 stage => post,
 }
+class { '::platform::logpermission':
+ stage => post,
+ require => Class['::platform::config::storage::post'],
+}
+
 if $::osfamily == 'Debian' {
 lookup('classes', {merge => unique}).include
 } else {
diff --git a/puppet-manifests/src/manifests/worker.pp b/puppet-manifests/src/manifests/worker.pp
index 8759f1edb..7c99c95ae 100644
--- a/puppet-manifests/src/manifests/worker.pp
+++ b/puppet-manifests/src/manifests/worker.pp
@@ -63,6 +63,11 @@ class { '::platform::config::worker::post':
 stage => post,
 }
+class { '::platform::logpermission':
+ stage => post,
+ require => Class['::platform::config::worker::post'],
+}
+
 if $::osfamily == 'Debian' {
 lookup('classes', {merge => unique}).include
 } else {
diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
index e05d710b7..532087b7a 100644
--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@@ -150,7 +150,8 @@ class openstack::barbican::service (
 cron { 'barbican-cleaner':
 ensure => 'present',
- command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
+ command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log && \
+ chmod 640 /var/log/barbican/barbican-clean.log',
 environment => 'PATH=/bin:/usr/bin:/usr/sbin',
 minute => '50',
 hour => '*/24',
diff --git a/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb b/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb
index ed53ec5c7..84ba599b2 100644
--- a/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb
+++ b/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb
@@ -11,4 +11,5 @@ compress notifempty copytruncate + create 0640 root root }
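Review bot: The line break inside the single-quoted `command` string of the barbican-cleaner cron entry is kept literally (Puppet single quotes only process `\\` and `\'`), so unless the cron provider normalises it the installed crontab line ends with `&& \` and continues on a second line starting with `chmod`, which crontab(5) has no continuation syntax for and will reject as a malformed entry. Put the whole command on one line: `command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log && chmod 640 /var/log/barbican/barbican-clean.log',`. The rest of the `cron` resource, including the `user` it runs as, lies outside the hunk, so I could not check which account performs the chmod.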
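Review bot: `create 0640 root root` is ineffective next to `copytruncate` on the line above: with copytruncate the live file is truncated in place and never recreated, and the logrotate(8) manual notes that `create` has no effect in that mode, so the log keeps whatever mode and owner it already had after rotation. If the intent is that the log stays 0640 root:root, the `file` resource for /var/log/barbican/barbican-api.log added in logpermission.pp already enforces that; either drop this line or replace it with a note for the next reader, e.g. `# mode/owner enforced by platform::logpermission; copytruncate keeps the existing inode`. The block header naming the rotated file is outside the hunk, so the path is inferred from the template name.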
diff --git a/puppet-manifests/src/modules/platform/manifests/collectd.pp b/puppet-manifests/src/modules/platform/manifests/collectd.pp
index 2e7a5aaf4..5b5258eee 100644
--- a/puppet-manifests/src/modules/platform/manifests/collectd.pp
+++ b/puppet-manifests/src/modules/platform/manifests/collectd.pp
@@ -94,7 +94,8 @@ class platform::collectd
 command => @(EOL/L),
 date --rfc-3339=s >> /var/log/rss-memory.log; \
 ps -e -o ppid,pid,nlwp,rss:10,vsz:10,comm,cmd --sort=-rss \
- >> /var/log/rss-memory.log
+ >> /var/log/rss-memory.log; \
+ /bin/chmod 0640 /var/log/rss-memory.log
 |- EOL
 }
diff --git a/puppet-manifests/src/modules/platform/manifests/logpermission.pp b/puppet-manifests/src/modules/platform/manifests/logpermission.pp
new file mode 100644
index 000000000..2df231a5d
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/logpermission.pp
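Review bot: The added `/bin/chmod 0640` runs only after both appends, so when /var/log/rss-memory.log does not yet exist it is created with the caller's umask (0644 under the usual 022) and is world-readable until the command finishes, and the chmod is then repeated on every run. Setting the umask at the front of the command creates the file as 0640 from the start: `umask 027; date --rfc-3339=s >> /var/log/rss-memory.log; \`; the trailing chmod can then go, or stay only as a one-time correction for files already deployed at a wider mode. The resource that owns this heredoc `command` starts before the hunk, so I could not see whether it is a cron or an exec entry.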
@@ -0,0 +1,117 @@
+class platform::logpermission {
+
+ # Set permissions to 640 only for files with less restrictive permissions
+ exec { 'set_log_permissions':
+ command => 'find /var/log -type f \( -perm -004 -o -perm -020 \) -exec chmod 640 {} \;',
+ path => '/bin:/usr/bin',
+ onlyif => 'find /var/log -type f \( -perm -004 -o -perm -020 \)',
+ }
+
+ # Set permissions to 750 for directories under /var/log if not already set
+ exec { 'set_log_directory_permissions':
+ command => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \) -exec chmod 750 {} \;',
+ path => '/bin:/usr/bin',
+ onlyif => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \)',
+ }
+
+ # Change ownership to root:root for specific log files
+ file { '/var/log/postgresql/postgresql-13-main.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/nfv-vim-events.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/nfv-vim-alarms.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/ceph/ceph-mds.controller-0.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/ceph/ceph-mgr.controller-0.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/ceph-manager.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/rabbitmq/startup_log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/rabbitmq/startup_err':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/rabbitmq/log/crash.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/rabbitmq/rabbit@localhost_upgrade.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/rabbitmq/rabbit@localhost.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/mgr-restful-plugin.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ file { '/var/log/barbican/barbican-api.log':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ }
+
+ # Use exec to change ownership for /var/log/memcached.log to avoid conflicts with other modules
+ exec { 'set_memcached_log_ownership':
+ command => 'chown root:root /var/log/memcached.log && chmod 640 /var/log/memcached.log',
+ path => '/bin:/usr/bin',
+ onlyif => 'stat -c "%U:%G" /var/log/memcached.log | grep -qv "root:root"',
+ }
+}
+
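Review bot: The `onlyif` guards of set_log_permissions and set_log_directory_permissions are always true, because `find` exits 0 whether or not anything matched, so both execs run and report a change on every agent run; the guard has to test for output, e.g. `find ... | grep -q .`. The directory predicate is also wrong on its own terms: `-perm -100` (owner execute) and `-perm -010` (group execute, which 0750 itself carries) match every directory including /var/log, so `chmod 750` is applied to /var/log itself each run, and any log writer running as a non-root account outside group root (the description lists keystone-, nobody- and puppet-owned logs) would then lose traverse access — please confirm on a live node, and consider `-mindepth 1`. The file predicate `-perm -004 -o -perm -020` misses o=wx and g=x, while it does catch /var/log/puppet/masterhttp.log at 0660, which the description lists as an exception, so that file would be flipped to 0640 on every run unless both find invocations exclude it with `-not -path /var/log/puppet/masterhttp.log` (GNU `-perm /037` for files and `-perm /027` for directories express "any bit outside 0640 / 0750" directly). Separately, `ensure => 'file'` creates the named file when it is absent, and this class is now declared from aio.pp, controller.pp, storage.pp and worker.pp, so nodes without postgresql, ceph or rabbitmq gain empty root-owned logs such as /var/log/ceph/ceph-mds.controller-0.log (a hardcoded hostname), and where those services do run under their own accounts a root:root 0640 log cannot be appended to by the service — worth checking each runtime user before forcing ownership. The sketch below rewrites the two execs accordingly; the `file` resources and the memcached exec are unchanged.
```puppet
class platform::logpermission {

  # Clear any bit outside 0640 (g=wx, o=rwx) on regular files. find exits 0
  # even when nothing matches, so the guard must test for output.
  exec { 'set_log_permissions':
    command => 'find /var/log -type f -perm /037 -exec chmod 640 {} +',
    path    => '/bin:/usr/bin',
    onlyif  => 'find /var/log -type f -perm /037 | grep -q .',
  }

  # Clear any bit outside 0750 (g=w, o=rwx) on directories below /var/log.
  # /var/log itself is left alone so non-root log writers keep traverse access.
  exec { 'set_log_directory_permissions':
    command => 'find /var/log -mindepth 1 -type d -perm /027 -exec chmod 750 {} +',
    path    => '/bin:/usr/bin',
    onlyif  => 'find /var/log -mindepth 1 -type d -perm /027 | grep -q .',
  }

  # … unchanged: file resources and set_memcached_log_ownership …
```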