openstack/ansible-hardening
Code Issues Proposed changes

Fix auditd log permission bug

Browse Source 
The tasks for handling auditd log permissions incorrectly set all
log files in /var/log/audit to 0400, which prevents auditd from
writing to the active log file. This prevents auditd from starting and
restarting.

The task now removes any permissions explicitly disallowed by
V-38498. Any files meeting/exceeding the STIG requirements will not be
modified.

Closes-bug: 1584942

Change-Id: I1bb2b91ae8a78b1f0304bd4ce0f9a774d65245bd
This commit is contained in:
Major Hayden 2016-05-23 16:02:36 -05:00
parent 5cd01926c2
commit 490d2f4bd8
3 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/source/developer-notes/V-38498.rst
View File

@ -1,7 +1,8 @@
Ubuntu 14.04 sets logs in ``/var/log/audit`` to mode ``0400`` by default, Ubuntu and CentOS set the current audit log (the one that is actively being
which makes sense because only the root user should be able to view the written to) to ``0600`` so that only the root user can read and write to it.
logs. No users should ever be adjusting or editing the audit logs. The older, rotated logs are set to ``0400`` since they should not receive
any more writes.
The STIG requirement states that log files must have mode ``0640`` or less. The STIG requirement states that log files must have mode ``0640`` or less. The
The Ansible tasks in this role will set the mode to ``0400`` to match security role will remove any permissions that are not allowed by the STIG
Ubuntu's default. (``u-x,g-wx,o-rwx``).

10
releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml Normal file
View File

@ -0,0 +1,10 @@
---
fixes:
- |
The security role previously set the permissions on all audit log files in
``/var/log/audit`` to ``0400``, but this prevents the audit daemon from
writing to the active log file. This will prevent ``auditd`` from
starting or restarting cleanly.
The task now removes any permissions that are not allowed by the STIG. Any
log files that meet or exceed the STIG requirements will not be modified.

6
tasks/auditd.yml
View File

@ -261,12 +261,12 @@
- cat2 - cat2
- V-38498 - V-38498
# Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since # On most systems, the active log file is 0600 and the older logs are 0400.
# it exceeds the STIG's requirements. # This task ensures that all logs meet or exceed the STIG requirement.
- name: V-38498 - Audit log files must have mode 0640 or less - name: V-38498 - Audit log files must have mode 0640 or less
file: file:
dest: "/var/log/audit/{{ item }}" dest: "/var/log/audit/{{ item }}"
mode: 0400 mode: "u-x,g-wx,o-rwx"
with_items: "{{ v38498_result.stdout_lines | default([]) }}" with_items: "{{ v38498_result.stdout_lines | default([]) }}"
when: auditd_log_dir.stat.exists | bool when: auditd_log_dir.stat.exists | bool
tags: tags: