
Currently, various file permissions under /var/log/ are more permissive than 640. To comply with the CIS benchmark requirements, the permissions should be set to 640 or more restrictive. This change updates the permissions and ownership of files under /var/log/ to 640. Ownership is also set to root:root wherever possible. Below are the exceptions where permissions or ownership are not updated: - /var/log/keystone/keystone.log: ownership set to keystone:keystone - /var/log/flux/helm-controller.log: ownership set to nobody:nogroup - /var/log/flux/source-controller.log: ownership set to nobody:nogroup - /var/log/puppet/masterhttp.log: mode set to 660 - /var/log/puppet/masterhttp.log: ownership set to puppet:puppet Test Plan: PASS: Build ISO and deploy AIO-SX. PASS: Verify that all files under /var/log/, except for those listed as exceptions, have 640 or more restrictive permissions and ownership as root:root in the AIO-SX deployment. PASS: AIO-SX: Run the CIS script 3-4 hours after installation to confirm that the file permissions and ownership modified by this change have not been reverted. PASS: AIO-SX: Run the CIS benchmark test one day after installation to verify that the file permissions and ownership modified by this change remain unchanged. Story: 2011241 Task: 51364 Change-Id: I84109690a21363335726bcbeac68f9f7c332ed36 Signed-off-by: Jagatguru Prasad Mishra <jagatguruprasad.mishra@windriver.com>
#
|
|
# puppet manifest for controller nodes of AIO system
|
|
#
|
|
|
|
Exec {
|
|
timeout => 600,
|
|
path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
|
|
}
|
|
|
|
class { '::firewall':
|
|
ensure => stopped
|
|
}
|
|
|
|
include ::platform::config
|
|
include ::platform::config::iscsi
|
|
include ::platform::config::nvme
|
|
include ::platform::users
|
|
include ::platform::sysctl::controller
|
|
include ::platform::filesystem::controller
|
|
include ::platform::firewall::calico::controller
|
|
include ::platform::dhclient
|
|
include ::platform::partitions
|
|
include ::platform::lvm::aio
|
|
include ::platform::network
|
|
include ::platform::drbd
|
|
include ::platform::exports
|
|
include ::platform::dns
|
|
include ::platform::password
|
|
include ::platform::ldap::server
|
|
include ::platform::ldap::client
|
|
include ::platform::sssd
|
|
include ::platform::ntp::server
|
|
include ::platform::strongswan::apparmor
|
|
include ::platform::ptpinstance
|
|
include ::platform::ptpinstance::nic_clock
|
|
include ::platform::lldp
|
|
include ::platform::amqp::rabbitmq
|
|
include ::platform::postgresql::server
|
|
include ::platform::haproxy::server
|
|
include ::platform::grub
|
|
include ::platform::k8splatform
|
|
include ::platform::etcd
|
|
include ::platform::docker::controller
|
|
include ::platform::dockerdistribution
|
|
include ::platform::containerd::controller
|
|
include ::platform::kubernetes::gate
|
|
include ::platform::helm
|
|
include ::platform::tty
|
|
include ::platform::coredump::k8s_token_handler::controller
|
|
include ::platform::crashdump
|
|
|
|
include ::platform::patching
|
|
include ::platform::patching::api
|
|
|
|
include ::platform::usm
|
|
include ::platform::usm::api
|
|
|
|
include ::platform::remotelogging
|
|
include ::platform::remotelogging::proxy
|
|
|
|
include ::platform::sysinv
|
|
include ::platform::sysinv::api
|
|
include ::platform::sysinv::conductor
|
|
|
|
include ::platform::mtce
|
|
include ::platform::mtce::agent
|
|
|
|
include ::platform::memcached
|
|
|
|
include ::platform::nfv
|
|
include ::platform::nfv::api
|
|
|
|
include ::platform::ceph::controller
|
|
include ::platform::ceph::rgw
|
|
|
|
include ::platform::collectd
|
|
|
|
include ::platform::fm
|
|
include ::platform::fm::api
|
|
|
|
include ::platform::multipath
|
|
include ::platform::client
|
|
include ::openstack::keystone
|
|
include ::openstack::keystone::api
|
|
|
|
include ::openstack::horizon
|
|
|
|
include ::platform::dcmanager
|
|
include ::platform::dcmanager::manager
|
|
|
|
include ::platform::dcorch
|
|
include ::platform::dcorch::engine
|
|
include ::platform::dcorch::api_proxy
|
|
include ::platform::dcmanager::api
|
|
include ::platform::certmon
|
|
include ::platform::certalarm
|
|
|
|
include ::platform::dcdbsync
|
|
include ::platform::dcdbsync::api
|
|
|
|
include ::platform::dcagent
|
|
include ::platform::dcagent::api
|
|
|
|
include ::platform::smapi
|
|
|
|
include ::openstack::barbican
|
|
include ::openstack::barbican::api
|
|
|
|
include ::platform::sm
|
|
|
|
include ::platform::lmon
|
|
include ::platform::rook
|
|
include ::platform::deviceimage
|
|
|
|
include ::platform::compute
|
|
include ::platform::vswitch
|
|
include ::platform::devices
|
|
include ::platform::network::interfaces::sriov::config
|
|
include ::platform::network::interfaces::fpga::config
|
|
include ::platform::worker::storage
|
|
include ::platform::kubernetes::aio
|
|
|
|
|
|
class { '::platform::config::aio::post':
|
|
stage => post,
|
|
}
|
|
|
|
class { '::platform::logpermission':
|
|
stage => post,
|
|
require => Class['::platform::config::aio::post'],
|
|
}
|
|
|
|
if $::osfamily == 'Debian' {
|
|
lookup('classes', {merge => unique}).include
|
|
} else {
|
|
hiera_include('classes')
|
|
}
|
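Review bot: The `class { '::platform::logpermission': ... }` declaration near the end of the manifest carries no comment saying why it is pinned to `stage => post` and ordered after `::platform::config::aio::post`, so a reader of this file cannot tell whether that ordering is a hard requirement or incidental. Suggest adding above it `# Harden /var/log ownership and modes last, after the classes above have created their log files`. Since the body of `::platform::logpermission` is not in this file, it is worth confirming that a chown/chmod applied at puppet-apply time also covers files that services or logrotate create afterwards (for example logrotate `create` modes), because the retention checks in the test plan depend on that rather than on this manifest. If sibling manifests for non-AIO controller, worker or storage nodes exist, they presumably need the same declaration for the CIS result to hold across node types.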