From 13ecf0f821df8c2ecc9e248702eec3edfe00994c Mon Sep 17 00:00:00 2001
From: Don Penney
Date: Mon, 15 Jul 2019 14:52:03 -0400
Subject: [PATCH] Update log file permissions to 640 for specific log files

Log files that may contain secure information should have restricted permissions. This includes all -api log files, as well as log files in which the operator login and authententication attempts are logged.

Change-Id: I56ef476609d65991529ba0a6311ebd29a7710386
Closes-Bug: 1836632
Signed-off-by: Don Penney
---
 .../syslog-ng-config/centos/build_srpm.data | 2 +-
 .../syslog-ng-config/files/syslog-ng.conf | 24 +++++++++----------
 .../files/syslog-ng.logrotate | 3 ++-
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/config-files/syslog-ng-config/centos/build_srpm.data b/config-files/syslog-ng-config/centos/build_srpm.data
index 619d51041..7430271ca 100644
--- a/config-files/syslog-ng-config/centos/build_srpm.data
+++ b/config-files/syslog-ng-config/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="files"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4
diff --git a/config-files/syslog-ng-config/files/syslog-ng.conf b/config-files/syslog-ng-config/files/syslog-ng.conf
index 78a42ac4c..5a491924e 100644
--- a/config-files/syslog-ng-config/files/syslog-ng.conf
+++ b/config-files/syslog-ng-config/files/syslog-ng.conf
@@ -88,7 +88,7 @@ source s_udp { udp(ip(127.0.0.1) port(514)); };
 #
 # First some standard logfile
 #
-destination d_auth { file("/var/log/auth.log"); };
+destination d_auth { file("/var/log/auth.log" perm(0640)); };
 destination d_cron { file("/var/log/cron.log"); };
 destination d_daemon { file("/var/log/daemon.log"); };
 destination d_daemon_ocf { file("/var/log/daemon-ocf.log" template(t_ocf_log) ); };
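Review bot: `perm(0640)` on the d_auth destination is applied only when syslog-ng creates the file, so an /var/log/auth.log that already exists on an upgraded node keeps its current, wider mode after this config lands; the same applies to every destination this commit touches (the hunks at -96, -104, -118, -140, -150, -162 and -215). None of the changed lines sets `owner()`/`group()`, so the group that 0640 grants read access to is whatever the global default resolves to, whereas the d_bash destination in the -215 hunk spells it out as `owner("root") group("root") perm(0600)`. If operator tooling is meant to read these logs via group membership, naming it makes the intent reviewable, e.g. `destination d_auth { file("/var/log/auth.log" owner("root") group("root") perm(0640)); };`. Tightening files that already exist needs a one-time chmod at upgrade or a `create 0640 <owner> <group>` in the matching logrotate stanza, neither of which is visible in this patch.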
@@ -96,7 +96,7 @@ destination d_kern { file("/var/log/kern.log"); };
 destination d_lpr { file("/var/log/lpr.log"); };
 destination d_mail { file("/var/log/mail.log"); };
 destination d_syslog { file("/var/log/syslog"); };
-destination d_user { file("/var/log/user.log"); };
+destination d_user { file("/var/log/user.log" perm(0640)); };
 destination d_uucp { file("/var/log/uucp.log"); };
 destination d_postgres { file("/var/log/postgres.log"); };
 destination d_platform { file("/var/log/platform.log"); };
@@ -104,9 +104,9 @@ destination d_openstack { file("/var/log/openstack.log" template(t_openstack));
 destination d_sm { file("/var/log/sm.log"); };
 
 # Maintenance Log destinations
-destination d_pmon { file("/var/log/pmond.log" template(t_mtc)); };
+destination d_pmon { file("/var/log/pmond.log" template(t_mtc) perm(0640)); };
 destination d_lmon { file("/var/log/lmond.log" template(t_mtc)); };
-destination d_hostwd { file("/var/log/hostwd.log" template(t_mtc)); };
+destination d_hostwd { file("/var/log/hostwd.log" template(t_mtc) perm(0640)); };
 destination d_fsmon { file("/var/log/fsmond.log" template(t_mtc)); };
 destination d_hwmon { file("/var/log/hwmond.log" template(t_mtc)); };
 destination d_mtclogd { file("/var/log/mtclogd.log" template(t_mtc)); };
@@ -118,7 +118,7 @@ destination d_hbsagent { file("/var/log/hbsAgent.log" template(t_mtc)); };
 destination d_guestagent { file("/var/log/guestAgent.log" template(t_mtc)); };
 destination d_guestserver { file("/var/log/guestServer.log" template(t_mtc)); };
 destination d_mtcagentalarm { file("/var/log/mtcAgent_alarm.log" template(t_mtc)); };
-destination d_mtcagentapi { file("/var/log/mtcAgent_api.log" template(t_mtc)); };
+destination d_mtcagentapi { file("/var/log/mtcAgent_api.log" template(t_mtc) perm(0640)); };
 destination d_mtcagentevent { file("/var/log/mtcAgent_event.log" template(t_mtc)); };
 
 # HAProxy Log destination
@@ -140,8 +140,8 @@ destination d_ima_appraise {
 };
 
 # Sysinv Log destination
-destination d_sysinv { file("/var/log/sysinv.log" template(t_openstack)); };
-destination d_sysinvapi { file("/var/log/sysinv-api.log" template(t_openstack)); };
+destination d_sysinv { file("/var/log/sysinv.log" template(t_openstack) perm(0640)); };
+destination d_sysinvapi { file("/var/log/sysinv-api.log" template(t_openstack) perm(0640)); };
 
 # Distributed Cloud Log destination
 destination d_dcmanager { file("/var/log/dcmanager/dcmanager.log" template(t_openstack)); };
@@ -150,11 +150,11 @@ destination d_dcdbsync { file("/var/log/dcdbsync/dcdbsync.log" template(t_openst
 
 
 # Openstack Log destinations
-destination d_horizon { file("/var/log/horizon.log" template(t_openstack)); };
+destination d_horizon { file("/var/log/horizon.log" template(t_openstack) perm(0640)); };
 destination d_libvirtd { file("/var/log/libvirt/libvirtd.log" template(t_libvirtd)); };
 destination d_keystoneall { file("/var/log/keystone/keystone-all.log" template(t_openstack)); };
-destination d_keystoneapi { file("/var/log/keystone/keystone-api.log" template(t_openstack)); };
-destination d_barbicanapi { file("/var/log/barbican/barbican-api.log" template(t_openstack)); };
+destination d_keystoneapi { file("/var/log/keystone/keystone-api.log" template(t_openstack) perm(0640)); };
+destination d_barbicanapi { file("/var/log/barbican/barbican-api.log" template(t_openstack) perm(0640)); };
 destination d_barbicandbsync { file("/var/log/barbican/barbican-dbsync.log" template(t_openstack)); };
 destination d_barbicankeystonelistener { file("/var/log/barbican/barbican-keystone-listener.log" template(t_openstack)); };
 destination d_barbicanworker { file("/var/log/barbican/barbican-worker.log" template(t_openstack)); };
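Review bot: keystone-api.log gets `perm(0640)` in the -150 hunk but keystone-all.log, two lines above it, keeps the default mode, even though the commit message targets the logs that record operator login and authentication attempts. If keystone-all.log carries the same authentication events as keystone-api.log (its name suggests a combined keystone log, but that is not visible here), it should receive the same treatment: `destination d_keystoneall { file("/var/log/keystone/keystone-all.log" template(t_openstack) perm(0640)); };`. If it is intentionally left open, a one-line comment above it saying why would stop the next reader from asking the same question.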
@@ -162,7 +162,7 @@ destination d_barbicancleaner { file("/var/log/barbican/barbican-cleane
 
 # NFV-VIM Log destinations
 destination d_vim { file("/var/log/nfv-vim.log" template(t_nfv)); };
-destination d_vim_api { file("/var/log/nfv-vim-api.log" template(t_nfv)); };
+destination d_vim_api { file("/var/log/nfv-vim-api.log" template(t_nfv) perm(0640)); };
 destination d_vim_webserver { file("/var/log/nfv-vim-webserver.log" template(t_nfv)); };
 
 # Local Log destinations
@@ -215,7 +215,7 @@ destination d_ppp { file("/var/log/ppp.log"); };
 destination d_bash { file("/var/log/bash.log" owner("root") group("root") perm(0600)); };
 
 # SNMP Audit Trail
-destination d_snmpat { file("/var/log/snmp-api.log"); };
+destination d_snmpat { file("/var/log/snmp-api.log" perm(0640)); };
 
 ########################
 # Filters
diff --git a/config-files/syslog-ng-config/files/syslog-ng.logrotate b/config-files/syslog-ng-config/files/syslog-ng.logrotate
index a564f3a7a..818be5f14 100644
--- a/config-files/syslog-ng-config/files/syslog-ng.logrotate
+++ b/config-files/syslog-ng-config/files/syslog-ng.logrotate
@@ -26,7 +26,8 @@
 /var/log/snmp-api.log
 /var/log/dcmanager/*.log
 /var/log/dcorch/*.log
-/var/log/barbican/*.log
+/var/log/barbican/barbican-keystone-listener.log
+/var/log/barbican/barbican-worker.log
 {
     nodateext
     size 10M
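Review bot: Replacing `/var/log/barbican/*.log` with the two explicit entries drops barbican-api.log, barbican-dbsync.log and barbican-cleaner.log from this logrotate stanza, and nothing in the hunk shows where those three are rotated now; if they were not re-added to another stanza outside this hunk they stop rotating and grow without bound. A comment on the new lines naming where they went, e.g. `# barbican-api/dbsync/cleaner logs are rotated in the <restricted-mode stanza> below`, would keep someone from restoring the glob later. This stanza still rotates /var/log/snmp-api.log, which the -215 hunk just restricted to 0640, so it is worth confirming that its body (which continues past the hunk) recreates files with an explicit mode such as `create 0640 <owner> <group>`; a bare `create` or `copytruncate` carries over whatever mode the file had before the syslog-ng change.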