Update log file permissions to 640 for specific log files

Log files that may contain secure information should have
restricted permissions. This includes all -api log files,
as well as log files in which the operator login and
authentication attempts are logged.

Change-Id: I56ef476609d65991529ba0a6311ebd29a7710386
Closes-Bug: 1836632
Signed-off-by: Don Penney <don.penney@windriver.com>
Don Penney 2019-07-15 14:52:03 -04:00
parent 8d92b9ed74
commit 13ecf0f821
3 changed files with 15 additions and 14 deletions


@ -1,2 +1,2 @@
SRC_DIR="files" SRC_DIR="files"
TIS_PATCH_VER=3 TIS_PATCH_VER=4


@ -88,7 +88,7 @@ source s_udp { udp(ip(127.0.0.1) port(514)); };
# #
# First some standard logfile # First some standard logfile
# #
destination d_auth { file("/var/log/auth.log"); }; destination d_auth { file("/var/log/auth.log" perm(0640)); };
destination d_cron { file("/var/log/cron.log"); }; destination d_cron { file("/var/log/cron.log"); };
destination d_daemon { file("/var/log/daemon.log"); }; destination d_daemon { file("/var/log/daemon.log"); };
destination d_daemon_ocf { file("/var/log/daemon-ocf.log" template(t_ocf_log) ); }; destination d_daemon_ocf { file("/var/log/daemon-ocf.log" template(t_ocf_log) ); };
@ -96,7 +96,7 @@ destination d_kern { file("/var/log/kern.log"); };
destination d_lpr { file("/var/log/lpr.log"); }; destination d_lpr { file("/var/log/lpr.log"); };
destination d_mail { file("/var/log/mail.log"); }; destination d_mail { file("/var/log/mail.log"); };
destination d_syslog { file("/var/log/syslog"); }; destination d_syslog { file("/var/log/syslog"); };
destination d_user { file("/var/log/user.log"); }; destination d_user { file("/var/log/user.log" perm(0640)); };
destination d_uucp { file("/var/log/uucp.log"); }; destination d_uucp { file("/var/log/uucp.log"); };
destination d_postgres { file("/var/log/postgres.log"); }; destination d_postgres { file("/var/log/postgres.log"); };
destination d_platform { file("/var/log/platform.log"); }; destination d_platform { file("/var/log/platform.log"); };
@ -104,9 +104,9 @@ destination d_openstack { file("/var/log/openstack.log" template(t_openstack));
destination d_sm { file("/var/log/sm.log"); }; destination d_sm { file("/var/log/sm.log"); };
# Maintenance Log destinations # Maintenance Log destinations
destination d_pmon { file("/var/log/pmond.log" template(t_mtc)); }; destination d_pmon { file("/var/log/pmond.log" template(t_mtc) perm(0640)); };
destination d_lmon { file("/var/log/lmond.log" template(t_mtc)); }; destination d_lmon { file("/var/log/lmond.log" template(t_mtc)); };
destination d_hostwd { file("/var/log/hostwd.log" template(t_mtc)); }; destination d_hostwd { file("/var/log/hostwd.log" template(t_mtc) perm(0640)); };
destination d_fsmon { file("/var/log/fsmond.log" template(t_mtc)); }; destination d_fsmon { file("/var/log/fsmond.log" template(t_mtc)); };
destination d_hwmon { file("/var/log/hwmond.log" template(t_mtc)); }; destination d_hwmon { file("/var/log/hwmond.log" template(t_mtc)); };
destination d_mtclogd { file("/var/log/mtclogd.log" template(t_mtc)); }; destination d_mtclogd { file("/var/log/mtclogd.log" template(t_mtc)); };
@ -118,7 +118,7 @@ destination d_hbsagent { file("/var/log/hbsAgent.log" template(t_mtc)); };
destination d_guestagent { file("/var/log/guestAgent.log" template(t_mtc)); }; destination d_guestagent { file("/var/log/guestAgent.log" template(t_mtc)); };
destination d_guestserver { file("/var/log/guestServer.log" template(t_mtc)); }; destination d_guestserver { file("/var/log/guestServer.log" template(t_mtc)); };
destination d_mtcagentalarm { file("/var/log/mtcAgent_alarm.log" template(t_mtc)); }; destination d_mtcagentalarm { file("/var/log/mtcAgent_alarm.log" template(t_mtc)); };
destination d_mtcagentapi { file("/var/log/mtcAgent_api.log" template(t_mtc)); }; destination d_mtcagentapi { file("/var/log/mtcAgent_api.log" template(t_mtc) perm(0640)); };
destination d_mtcagentevent { file("/var/log/mtcAgent_event.log" template(t_mtc)); }; destination d_mtcagentevent { file("/var/log/mtcAgent_event.log" template(t_mtc)); };
# HAProxy Log destination # HAProxy Log destination
@ -140,8 +140,8 @@ destination d_ima_appraise {
}; };
# Sysinv Log destination # Sysinv Log destination
destination d_sysinv { file("/var/log/sysinv.log" template(t_openstack)); }; destination d_sysinv { file("/var/log/sysinv.log" template(t_openstack) perm(0640)); };
destination d_sysinvapi { file("/var/log/sysinv-api.log" template(t_openstack)); }; destination d_sysinvapi { file("/var/log/sysinv-api.log" template(t_openstack) perm(0640)); };
# Distributed Cloud Log destination # Distributed Cloud Log destination
destination d_dcmanager { file("/var/log/dcmanager/dcmanager.log" template(t_openstack)); }; destination d_dcmanager { file("/var/log/dcmanager/dcmanager.log" template(t_openstack)); };
@ -150,11 +150,11 @@ destination d_dcdbsync { file("/var/log/dcdbsync/dcdbsync.log" template(t_openst
# Openstack Log destinations # Openstack Log destinations
destination d_horizon { file("/var/log/horizon.log" template(t_openstack)); }; destination d_horizon { file("/var/log/horizon.log" template(t_openstack) perm(0640)); };
destination d_libvirtd { file("/var/log/libvirt/libvirtd.log" template(t_libvirtd)); }; destination d_libvirtd { file("/var/log/libvirt/libvirtd.log" template(t_libvirtd)); };
destination d_keystoneall { file("/var/log/keystone/keystone-all.log" template(t_openstack)); }; destination d_keystoneall { file("/var/log/keystone/keystone-all.log" template(t_openstack)); };
destination d_keystoneapi { file("/var/log/keystone/keystone-api.log" template(t_openstack)); }; destination d_keystoneapi { file("/var/log/keystone/keystone-api.log" template(t_openstack) perm(0640)); };
destination d_barbicanapi { file("/var/log/barbican/barbican-api.log" template(t_openstack)); }; destination d_barbicanapi { file("/var/log/barbican/barbican-api.log" template(t_openstack) perm(0640)); };
destination d_barbicandbsync { file("/var/log/barbican/barbican-dbsync.log" template(t_openstack)); }; destination d_barbicandbsync { file("/var/log/barbican/barbican-dbsync.log" template(t_openstack)); };
destination d_barbicankeystonelistener { file("/var/log/barbican/barbican-keystone-listener.log" template(t_openstack)); }; destination d_barbicankeystonelistener { file("/var/log/barbican/barbican-keystone-listener.log" template(t_openstack)); };
destination d_barbicanworker { file("/var/log/barbican/barbican-worker.log" template(t_openstack)); }; destination d_barbicanworker { file("/var/log/barbican/barbican-worker.log" template(t_openstack)); };
@ -162,7 +162,7 @@ destination d_barbicancleaner { file("/var/log/barbican/barbican-cleane
# NFV-VIM Log destinations # NFV-VIM Log destinations
destination d_vim { file("/var/log/nfv-vim.log" template(t_nfv)); }; destination d_vim { file("/var/log/nfv-vim.log" template(t_nfv)); };
destination d_vim_api { file("/var/log/nfv-vim-api.log" template(t_nfv)); }; destination d_vim_api { file("/var/log/nfv-vim-api.log" template(t_nfv) perm(0640)); };
destination d_vim_webserver { file("/var/log/nfv-vim-webserver.log" template(t_nfv)); }; destination d_vim_webserver { file("/var/log/nfv-vim-webserver.log" template(t_nfv)); };
# Local Log destinations # Local Log destinations
@ -215,7 +215,7 @@ destination d_ppp { file("/var/log/ppp.log"); };
destination d_bash { file("/var/log/bash.log" owner("root") group("root") perm(0600)); }; destination d_bash { file("/var/log/bash.log" owner("root") group("root") perm(0600)); };
# SNMP Audit Trail # SNMP Audit Trail
destination d_snmpat { file("/var/log/snmp-api.log"); }; destination d_snmpat { file("/var/log/snmp-api.log" perm(0640)); };
######################## ########################
# Filters # Filters
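Review bot: The `perm(0640)` options added to d_auth, d_user, d_sysinv and the other changed destinations set only the mode, so who can read these files through the group bit depends on owner/group defaults that are not visible in these hunks. d_bash in the last hunk already pins all three with `owner("root") group("root") perm(0600)`; the same pattern here, e.g. `file("/var/log/auth.log" owner("root") group("READER_GROUP") perm(0640))` with READER_GROUP standing for the group the deployment intends, would make the access policy explicit. `/var/log/keystone/keystone-all.log` keeps the default mode while keystone-api.log is restricted; if it can carry the same login and authentication records, it should get the same option. It is also worth confirming that log files already on disk from the previous package version end up at 0640 after an upgrade, since these hunks do not show whether the mode is re-applied to existing files.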


@ -26,7 +26,8 @@
/var/log/snmp-api.log /var/log/snmp-api.log
/var/log/dcmanager/*.log /var/log/dcmanager/*.log
/var/log/dcorch/*.log /var/log/dcorch/*.log
/var/log/barbican/*.log /var/log/barbican/barbican-keystone-listener.log
/var/log/barbican/barbican-worker.log
{ {
nodateext nodateext
size 10M size 10M
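Review bot: Replacing `/var/log/barbican/*.log` with two explicit paths drops barbican-api.log, barbican-dbsync.log and the file written by d_barbicancleaner from this rotation stanza, and the diffstat (15 additions, 14 deletions) leaves no room for another line in this commit adding them back. Unless a stanza outside this hunk already covers them, those files will stop being rotated and can grow until /var/log fills, which puts at risk the very audit data this commit sets out to protect. If the aim was only to treat barbican-api.log separately, keep the other barbican files listed here (for example `/var/log/barbican/barbican-dbsync.log`) and give barbican-api.log its own stanza with `create 0640`. The stanza body continues past the end of the hunk, so any existing `create` directive that could reset the new modes on rotation is not visible here.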