Currently, various file permissions under /var/log/ are more
permissive than 640. To comply with the CIS benchmark
requirements, the permissions should be set to 640 or more
restrictive.
This change updates the permissions and ownership of files
under /var/log/ to 640. Ownership is also set to root:root
wherever possible.
Below are the exceptions where permissions or ownership are not updated:
- /var/log/keystone/keystone.log: ownership set to keystone:keystone
- /var/log/flux/helm-controller.log: ownership set to nobody:nogroup
- /var/log/flux/source-controller.log: ownership set to nobody:nogroup
- /var/log/puppet/masterhttp.log: mode set to 660
- /var/log/puppet/masterhttp.log: ownership set to puppet:puppet
Test Plan:
PASS: Build ISO and deploy AIO-SX.
PASS: Verify that all files under /var/log/, except for those
listed as exceptions, have 640 or more restrictive permissions
and ownership as root:root in the AIO-SX deployment.
PASS: AIO-SX: Run the CIS script 3-4 hours after installation to
confirm that the file permissions and ownership modified by
this change have not been reverted.
PASS: AIO-SX: Run the CIS benchmark test one day after installation
to verify that the file permissions and ownership modified by
this change remain unchanged.
Story: 2011241
Task: 51364
Depends-On: https://review.opendev.org/c/starlingx/integ/+/935493
Depends-On: https://review.opendev.org/c/starlingx/ha/+/935499
Depends-On: https://review.opendev.org/c/starlingx/upstream/+/935495
Change-Id: I32f4341f14b5258ece715c5081d675e34a86e624
Signed-off-by: Jagatguru Prasad Mishra <jagatguruprasad.mishra@windriver.com>
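
The verification step in the test plan above can be scripted. The following is an added example, not part of this commit or of the StarlingX code base; the names `audit` and `owner_names` are hypothetical, and exceptions listed in the message without a mode are assumed to keep the 640 ceiling.

```python
import grp
import os
import pwd
import stat

DEFAULT = (0o640, "root", "root")  # (mode ceiling, user, group)
# Exceptions from the commit message, relative to the log root.
# Assumption: entries listed without a mode keep the 640 ceiling.
EXCEPTIONS = {
    "keystone/keystone.log": (0o640, "keystone", "keystone"),
    "flux/helm-controller.log": (0o640, "nobody", "nogroup"),
    "flux/source-controller.log": (0o640, "nobody", "nogroup"),
    "puppet/masterhttp.log": (0o660, "puppet", "puppet"),
}


def owner_names(st):
    """Return (user, group) names, falling back to numeric ids."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def audit(root="/var/log", default=DEFAULT, exceptions=EXCEPTIONS):
    """List (relative path, kind, observed) for each non-compliant file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            ceiling, user, group = exceptions.get(rel, default)
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~ceiling:  # any bit outside the ceiling is too permissive
                findings.append((rel, "mode", oct(mode)))
            if owner_names(st) != (user, group):
                findings.append((rel, "owner", "%s:%s" % owner_names(st)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

An empty result means every regular file under the root is within its mode ceiling and has the expected owner; running it again hours or a day later covers the "not reverted" checks.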