Update permission of files under /var/log/

Currently, various file permissions under /var/log/ are more
permissive than 640. To comply with the CIS benchmark
requirements, the permissions should be set to 640 or more
restrictive.

This change updates the permissions and ownership of files
under /var/log/ to 640. Ownership is also set to root:root
wherever possible.

Below are the exceptions where permissions or ownership are not updated:
 - /var/log/keystone/keystone.log: ownership set to keystone:keystone
   After changing the user and group to root:root, Ansible bootstrap
   is failing as keystone is unable to write to keystone.log.
 - /var/log/flux/helm-controller.log: ownership set to nobody:nogroup
   We can't change this to root:root because container won't be able
   to write the logs.
 - /var/log/flux/source-controller.log: ownership set to
   nobody:nogroup. We can't change this to root:root because
   container won't be able to write the logs.
 - /var/log/puppet/masterhttp.log: mode set to 660. Changed
   permission to 640, it reverts to the same permission (660) after
   some time.
 - /var/log/puppet/masterhttp.log: ownership set to puppet:puppet.
   Changed ownership to "root:root", it reverts to the old
   ownership "puppet:puppet" after some time.
 - /var/log/horizon_sm.log: mode set to 644. Unable to modify it
   because it is generated after this manifest completes execution.
 - /var/log/multus.log: mode set to 644. Unable to modify it because
   it is generated after this manifest completes execution.

Test Plan:
PASS: Build ISO and deploy AIO-SX, AIO-DX, standard, and storage.
PASS: Verify that all files under /var/log/ on all types of nodes
      (controller-0, controller-1, compute), except for
      those listed as exceptions, have 640 or more restrictive
      permissions and ownership as root:root in the standard
      deployment.
PASS: Verify that all files under /var/log/ on controller-0, except
      for those listed as exceptions, have 640 or more restrictive
      permissions and ownership as root:root in the AIO-SX
      deployment.
PASS: Verify that all files under /var/log/ on controller-0 and
      controller-1, except for those listed as exceptions, have
      640 or more restrictive permissions and ownership as
      root:root in the AIO-DX deployment.
PASS: Standard: check ceph health using 'ceph -s' command and verify
      if cluster health is ok.
PASS: Standard: swact the controller and verify if there is no alarm.
      Verify the log permission, it should not be reverted.
PASS: AIO-SX: Run the CIS script as mentioned in the specification
      3-4 hours after installation to confirm that the file
      permissions and ownership modified by this change have not
      been reverted.
PASS: AIO-SX: Run the CIS benchmark test one day after installation
      on controller-0 to verify that the file permissions and
      ownership modified by this change remain unchanged.
PASS: Verify that all files under /var/log/ on storage node, except
      for those listed as exceptions, have 640 or more restrictive
      permissions and ownership as root:root in the storage
      deployment.

Story: 2011241
Task: 51364

Change-Id: Ie15076ff0d66db98d8171fcfac9411ba0f8f8631
Signed-off-by: Jagatguru Prasad Mishra <jagatguruprasad.mishra@windriver.com>
Jagatguru Prasad Mishra 2025-02-20 00:16:52 -05:00
parent 101d9f469e
commit 69d15d7029
8 changed files with 167 additions and 4 deletions
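The check the test plan describes (every regular file under /var/log at mode 0640 or stricter and owned by root:root, except the listed exceptions) as an added audit script. This is example code written for this page, not part of the change or of the StarlingX tree. It assumes GNU find and coreutils (`-perm /MODE`, `-printf`), builds a constructed sample tree so it runs unprivileged, and takes the expected owner as an optional second argument (root:root by default) because constructed files can only be owned by the invoking user.

```shell
#!/bin/sh
# Added example, not part of this change: audit a log tree against the rule the
# commit enforces (mode 0640 or stricter, owner root:root), skipping the
# exceptions listed in the commit message. Assumes GNU find/coreutils
# (-perm /MODE, -printf).

# Exceptions from the commit message, as paths relative to the audited root.
LOG_EXCEPTIONS="keystone/keystone.log
flux/helm-controller.log
flux/source-controller.log
puppet/masterhttp.log
horizon_sm.log
multus.log"

# is_exception RELPATH: succeed if RELPATH is one of the documented exceptions.
is_exception() {
  for e in $LOG_EXCEPTIONS; do
    [ "$1" = "$e" ] && return 0
  done
  return 1
}

# audit_logs ROOT [OWNER:GROUP]
# Prints "mode owner:group relpath" for every regular file under ROOT that has
# any permission bit outside rw-r----- (group w/x, other r/w/x, setuid, setgid,
# sticky; i.e. -perm /7037) or is not owned by OWNER:GROUP (default root:root).
# Documented exceptions are filtered out. Prints nothing when compliant.
audit_logs() {
  root=$1
  want=${2:-root:root}
  user=${want%%:*}
  grp=${want#*:}
  find "$root" -type f \( -perm /7037 -o ! -user "$user" -o ! -group "$grp" \) \
       -printf '%m %u:%g %P\n' |
  while IFS= read -r line; do
    rest=${line#* }          # strip the mode field
    rel=${rest#* }           # strip the owner field, leaving the relative path
    is_exception "$rel" || printf '%s\n' "$line"
  done | sort
}

# violation_count ROOT [OWNER:GROUP]: number of lines audit_logs prints.
violation_count() {
  audit_logs "$@" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed tree (not data from a real node) with
# two compliant files, two violations and one exception. Prints the tree path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/keystone" "$d/flux" "$d/ceph"
  : > "$d/ceph/ceph-process-states.log"; chmod 0640 "$d/ceph/ceph-process-states.log"
  : > "$d/daemon.log";                   chmod 0600 "$d/daemon.log"
  : > "$d/syslog";                       chmod 0644 "$d/syslog"               # violation: other-readable
  : > "$d/flux/kustomize.log";           chmod 0660 "$d/flux/kustomize.log"   # violation: group-writable
  : > "$d/keystone/keystone.log";        chmod 0644 "$d/keystone/keystone.log" # exception: skipped
  printf '%s\n' "$d"
}

# Demo over the constructed tree. The owner argument is the invoking user so
# the run works unprivileged; on a real node run `audit_logs /var/log` as root.
sample=$(make_sample_tree)
audit_logs "$sample" "$(id -un):$(id -gn)"
rm -rf "$sample"
```

The `-perm /7037` test is the complement of the target mode: it fires on any bit that rw-r----- does not have, so it also catches files such as 0620 or 0750 that an "other-readable or group-writable" check would miss.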

@ -119,7 +119,7 @@ include ::platform::network::interfaces::sriov::config
include ::platform::network::interfaces::fpga::config
include ::platform::worker::storage
include ::platform::kubernetes::aio
include ::platform::logpermission
class { '::platform::config::aio::post':
stage => post,
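Review bot: nothing orders `platform::logpermission` after the classes that create the logs it fixes, so on a fresh apply the `find` execs in the class only see files that already exist; the commit message already notes horizon_sm.log and multus.log are generated after the manifest completes, so the class should be expected to converge on a later run rather than the first. Stating that in the class, or adding a `require` on the log-producing classes where one exists, would make the behaviour explicit.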

@ -124,6 +124,8 @@ include ::platform::rook
include ::platform::deviceimage
include ::platform::logpermission
class { '::platform::config::controller::post':
stage => post,
}

@ -41,6 +41,7 @@ include ::platform::ceph::storage
include ::platform::rook
include ::platform::tty
include ::platform::crashdump
include ::platform::logpermission
class { '::platform::config::storage::post':
stage => post,
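Review bot: the storage manifest includes `platform::ceph::storage`, so OSD logs live on these hosts, but the `ceph-osd.0.log` and `ceph-osd.1.log` resources in `platform::logpermission` sit inside the `if $::personality == 'controller'` block and the OSD ids are hard-coded; on storage nodes the OSD logs therefore only get the mode fix from the generic `find`, not the root:root ownership. Consider moving those resources out of the controller block or deriving the paths from the host's OSD list.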

@ -57,7 +57,7 @@ include ::platform::lmon
include ::platform::rook
include ::platform::tty
include ::platform::crashdump
include ::platform::logpermission
class { '::platform::config::worker::post':
stage => post,

@ -150,7 +150,7 @@ class openstack::barbican::service (
cron { 'barbican-cleaner':
ensure => 'present',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log; chmod 640 /var/log/barbican/barbican-clean.log', # lint:ignore:140chars
environment => 'PATH=/bin:/usr/bin:/usr/sbin',
minute => '50',
hour => '*/24',
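Review bot: the appended `chmod 640` runs only after `barbican-manage ... -L /var/log/barbican/barbican-clean.log` has already created the file under cron's umask, so on its first run the log is readable by others until the command finishes, and the mode is then re-applied on every cycle rather than declared once. A `file` resource beside the existing `/var/log/barbican/barbican-api.log` entry in `platform::logpermission`, or `umask 027;` at the start of the command, would fix the mode without the `lint:ignore:140chars` line.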

@ -11,4 +11,5 @@
compress
notifempty
copytruncate
create 0640 root root
}
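Review bot: `create 0640 root root` has no effect in this stanza because it uses `copytruncate`; logrotate truncates the existing file in place and never creates a new one, and logrotate(8) states that `create` is ignored when `copytruncate` is used. Either drop `copytruncate` for this log if the writing process can reopen its file (with `create` plus the usual `postrotate` reload), or keep `copytruncate` and set the file's mode through the new `platform::logpermission` class instead.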

@ -94,7 +94,8 @@ class platform::collectd
command => @(EOL/L),
date --rfc-3339=s >> /var/log/rss-memory.log; \
ps -e -o ppid,pid,nlwp,rss:10,vsz:10,comm,cmd --sort=-rss \
>> /var/log/rss-memory.log
>> /var/log/rss-memory.log; \
/bin/chmod 0640 /var/log/rss-memory.log
|- EOL
}
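Review bot: as with the barbican cron, `/bin/chmod 0640 /var/log/rss-memory.log` runs after the `>>` redirection has already created the file with the process umask, and it is repeated on every collectd invocation; starting the command with `umask 027;` or declaring the file once in `platform::logpermission` makes the first write safe and avoids the repeated chmod. Ownership is also not set here, unlike the other files this change touches.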

@ -0,0 +1,158 @@
class platform::logpermission {
include ::platform::params
# Set permissions to 640 only for files with less restrictive permissions
exec { 'set_log_permissions':
command => 'find /var/log -type f \( -perm -004 -o -perm -020 \) -exec chmod 640 {} \;',
path => '/bin:/usr/bin',
onlyif => 'find /var/log -type f \( -perm -004 -o -perm -020 \)',
}
# Set permissions to 750 for directories under /var/log if not already set
exec { 'set_log_directory_permissions':
command => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \) -exec chmod 750 {} \;',
path => '/bin:/usr/bin',
onlyif => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \)',
}
# Change ownership to root:root for specific log files
file { "/var/log/ceph/ceph-mds.${::platform::params::hostname}.log":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { "/var/log/ceph/ceph-mon.${::platform::params::hostname}.log":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph/ceph-process-states.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
if $::personality == 'controller' {
# Change ownership to root:root for specific log files
file { '/var/log/postgresql/postgresql-13-main.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/nfv-vim-events.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/nfv-vim-alarms.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { "/var/log/ceph/ceph-mgr.${::platform::params::hostname}.log":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph-manager.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph/ceph-osd.0.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph/ceph-osd.1.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/startup_log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/startup_err':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/log/':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0755',
recurse => true, # Ensures subdirectories are created if missing
}
file { '/var/log/rabbitmq/log/crash.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
require => File['/var/log/rabbitmq/log/'], # Ensures the directory exists first
}
file { '/var/log/rabbitmq/rabbit@localhost_upgrade.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/rabbit@localhost.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/mgr-restful-plugin.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/barbican/barbican-api.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
# Use exec to change ownership for /var/log/memcached.log to avoid conflicts with other modules
exec { 'set_memcached_log_ownership':
command => 'chown root:root /var/log/memcached.log && chmod 640 /var/log/memcached.log',
path => '/bin:/usr/bin',
onlyif => 'stat -c "%U:%G" /var/log/memcached.log | grep -qv "root:root"',
}
}
}
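Review bot: the `onlyif` guards on both execs never prevent anything, because `find` exits 0 whether or not it matched a file, so `set_log_permissions` and `set_log_directory_permissions` run and report a change on every Puppet run; pipe the guard through `grep -q .` (for example `find /var/log -type f -perm /7037 -print -quit | grep -q .`) to make it real. The directory predicate is also self-matching: `-perm -010 -o -perm -100` is satisfied by the target mode 0750 itself (group and owner execute), so every directory would match forever even with a working guard, and without `-mindepth 1` the command sets `/var/log` itself to 0750 root:root, which removes traverse access for any non-root service writing into its own subdirectory (the commit message notes keystone writes keystone.log as keystone:keystone). `find /var/log -mindepth 1 -type d -perm /027` expresses the intent. The file predicate `-perm -004 -o -perm -020` misses other-write-only, execute, setuid and setgid bits; `-perm /7037` covers every bit outside rw-r-----. On `/var/log/rabbitmq/log/`, `recurse => true` with `mode => '0755'` applies 0755 root:root to every existing file beneath the directory, not only the directory, and the comment is inaccurate since `recurse` does not create subdirectories; drop `recurse` there. Finally, `ensure => 'file'` on the hostname- and OSD-specific paths (`ceph-mds.${hostname}.log`, `ceph-osd.0.log`, `ceph-osd.1.log`) creates empty root-owned placeholders on hosts where that daemon never runs, and if any of these daemons runs unprivileged it cannot append after the chown; worth confirming against each daemon's runtime user before merging.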