Update permission of files under /var/log/

Currently, various file permissions under /var/log/ are more permissive than 640. To comply with the CIS benchmark requirements, the permissions should be set to 640 or more restrictive. This change updates the permissions and ownership of files under /var/log/ to 640. Ownership is also set to root:root wherever possible. Below are the exception where permissions or ownership are not updated: - /var/log/keystone/keystone.log: ownership set to keystone:keystone - /var/log/flux/helm-controller.log: ownership set to nobody:nogroup - /var/log/flux/source-controller.log: ownership set to nobody:nogroup - /var/log/puppet/masterhttp.log: mode set to 660 - /var/log/puppet/masterhttp.log: ownership set to puppet:puppet Test Plan: PASS: Build ISO and deploy AIO-SX. PASS: Verify that all files under /var/log/, except for those listed as exceptions, have 640 or more restrictive permissions and ownership as root:root in the AIO-SX deployment. PASS: AIO-SX: Run the CIS script 3-4 hours after installation to confirm that the file permissions and ownership modified by this change have not been reverted. PASS: AIO-SX: Run the CIS benchmark test one day after installation to verify that the file permissions and ownership modified by this change remain unchanged. Story: 2011241 Task: 51364 Change-Id: I84109690a21363335726bcbeac68f9f7c332ed36 Signed-off-by: Jagatguru Prasad Mishra <jagatguruprasad.mishra@windriver.com>
2025-02-11 03:58:36 -05:00 · 2025-02-11 03:58:36 -05:00 · 617b6b7832
commit 617b6b7832
parent 101d9f469e
8 changed files with 142 additions and 2 deletions
--- a/puppet-manifests/src/manifests/aio.pp
+++ b/puppet-manifests/src/manifests/aio.pp
@ -125,6 +125,11 @@ class { '::platform::config::aio::post':
  stage => post,
 }

+class { '::platform::logpermission':
+  stage   => post,
+  require => Class['::platform::config::aio::post'],
+}
+
 if $::osfamily == 'Debian' {
  lookup('classes', {merge => unique}).include
 } else {
--- a/puppet-manifests/src/manifests/controller.pp
+++ b/puppet-manifests/src/manifests/controller.pp
@ -128,6 +128,11 @@ class { '::platform::config::controller::post':
  stage => post,
 }

+class { '::platform::logpermission':
+  stage   => post,
+  require => Class['::platform::config::controller::post'],
+}
+
 if $::osfamily == 'Debian' {
  lookup('classes', {merge => unique}).include
 } else {
--- a/puppet-manifests/src/manifests/storage.pp
+++ b/puppet-manifests/src/manifests/storage.pp
@ -46,6 +46,11 @@ class { '::platform::config::storage::post':
  stage => post,
 }

+class { '::platform::logpermission':
+  stage   => post,
+  require => Class['::platform::config::storage::post'],
+}
+
 if $::osfamily == 'Debian' {
  lookup('classes', {merge => unique}).include
 } else {
--- a/puppet-manifests/src/manifests/worker.pp
+++ b/puppet-manifests/src/manifests/worker.pp
@ -63,6 +63,11 @@ class { '::platform::config::worker::post':
  stage => post,
 }

+class { '::platform::logpermission':
+  stage   => post,
+  require => Class['::platform::config::worker::post'],
+}
+
 if $::osfamily == 'Debian' {
  lookup('classes', {merge => unique}).include
 } else {
--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@ -150,7 +150,8 @@ class openstack::barbican::service (

  cron { 'barbican-cleaner':
    ensure      => 'present',
-    command     => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
+    command     => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log && \
+                    chmod 640 /var/log/barbican/barbican-clean.log',
    environment => 'PATH=/bin:/usr/bin:/usr/sbin',
    minute      => '50',
    hour        => '*/24',
--- a/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb
+++ b/puppet-manifests/src/modules/openstack/templates/barbican-api-logrotate.erb
@ -11,4 +11,5 @@
    compress
    notifempty
    copytruncate
+    create 0640 root root
 }
--- a/puppet-manifests/src/modules/platform/manifests/collectd.pp
+++ b/puppet-manifests/src/modules/platform/manifests/collectd.pp
@ -94,7 +94,8 @@ class platform::collectd
    command     => @(EOL/L),
        date --rfc-3339=s >> /var/log/rss-memory.log; \
        ps -e -o ppid,pid,nlwp,rss:10,vsz:10,comm,cmd --sort=-rss \
-        >> /var/log/rss-memory.log
+        >> /var/log/rss-memory.log; \
+        /bin/chmod 0640 /var/log/rss-memory.log
        |- EOL
  }

--- a/puppet-manifests/src/modules/platform/manifests/logpermission.pp
+++ b/puppet-manifests/src/modules/platform/manifests/logpermission.pp
@ -0,0 +1,117 @@
+class platform::logpermission {
+
+  # Set permissions to 640 only for files with less restrictive permissions
+  exec { 'set_log_permissions':
+    command => 'find /var/log -type f \( -perm -004 -o -perm -020 \) -exec chmod 640 {} \;',
+    path    => '/bin:/usr/bin',
+    onlyif  => 'find /var/log -type f \( -perm -004 -o -perm -020 \)',
+  }
+
+  # Set permissions to 750 for directories under /var/log if not already set
+  exec { 'set_log_directory_permissions':
+    command => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \) -exec chmod 750 {} \;',
+    path    => '/bin:/usr/bin',
+    onlyif  => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \)',
+  }
+
+  # Change ownership to root:root for specific log files
+  file { '/var/log/postgresql/postgresql-13-main.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/nfv-vim-events.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/nfv-vim-alarms.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/ceph/ceph-mds.controller-0.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/ceph/ceph-mgr.controller-0.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/ceph-manager.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/rabbitmq/startup_log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/rabbitmq/startup_err':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/rabbitmq/log/crash.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/rabbitmq/rabbit@localhost_upgrade.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/rabbitmq/rabbit@localhost.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/mgr-restful-plugin.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  file { '/var/log/barbican/barbican-api.log':
+    ensure => 'file',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+  }
+
+  # Use exec to change ownership for /var/log/memcached.log to avoid conflicts with other modules
+  exec { 'set_memcached_log_ownership':
+    command => 'chown root:root /var/log/memcached.log && chmod 640 /var/log/memcached.log',
+    path    => '/bin:/usr/bin',
+    onlyif  => 'stat -c "%U:%G" /var/log/memcached.log | grep -qv "root:root"',
+  }
+}
+
+