Bug 1780020

Summary: [RFE] ipa-healthcheck should verify owner/perms for important logs in "/var/log" in the ipahealthcheck.ipa.files source
Product: Red Hat Enterprise Linux 8
Reporter: Nikhil Dehadrai <ndehadra>
Component: ipa-healthcheck
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: medium
Version: 8.1
CC: fcami, mpolovka, pcech, rcritten, ssidhaye, tscherf
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-healthcheck-0.7-5.el8
Doc Type: If docs needed, set a value
Last Closed: 2021-11-09 18:21:19 UTC
Type: Bug
Bug Blocks: 1961084

Description Nikhil Dehadrai 2019-12-05 09:17:54 UTC
Description of problem:
ipa-healthcheck should check the path "/var/log" under the ipahealthcheck.ipa.files source. The IPA server uses the /var/log directory to update and track all its log files. Currently, running the command "ipa-healthcheck --source ipahealthcheck.ipa.files" does not capture this information. If there is any change to the permissions of the "/var/log" directory, it will be missed. Thus we should also include this.


Version-Release number of selected component (if applicable):
ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch



Console:
[root@master yum.repos.d]# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_group

Comment 4 Rob Crittenden 2021-05-19 19:27:53 UTC
upstream PR https://github.com/freeipa/freeipa-healthcheck/pull/211

Comment 5 Rob Crittenden 2021-06-02 15:36:14 UTC
Fixed upstream in master:
9d6c6a8cb524fb4c10a55d04fa0f6cedecfecd27

Comment 9 Michal Polovka 2021-07-02 10:46:59 UTC
Verified manually using a RHEL 8.5 machine with ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch


# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
No issues found.


# chmod 0644 /var/log/ipaupgrade.log
# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
WARNING: ipahealthcheck.ipa.files.IPAFileCheck._var_log_ipaupgrade.log_mode: Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600


Check is present and executed, marking as verified.
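
The kind of owner/group/mode comparison exercised in the verification above, as an added example in Python (not ipa-healthcheck's own code and not part of the original comment). The names check_file, name_of and demo are hypothetical, the severities chosen for "too restrictive" and for owner/group mismatches are assumptions of this example, and a constructed temporary file stands in for /var/log/ipaupgrade.log so it runs without root.

```python
import grp
import os
import pwd
import stat
import tempfile


def name_of(lookup, ident, attr):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)


def check_file(path, owner, group, mode):
    """Return [(severity, key, message)] for one file; mode is an int like 0o600."""
    key = path.replace("/", "_")  # /var/log/x.log -> _var_log_x.log
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("ERROR", key, f"{path} does not exist")]
    actual = stat.S_IMODE(st.st_mode)
    extra = actual & ~mode  # bits granted beyond the expected ones
    results = [("SUCCESS", f"{key}_mode", "")]
    if actual != mode:  # severity split below is this example's choice
        kind = "permissive" if extra else "restrictive"
        results = [("WARNING" if extra else "ERROR", f"{key}_mode",
                    f"Permissions of {path} are too {kind}: {actual:04o} and should be {mode:04o}")]
    for what, expected, found in (
            ("owner", owner, name_of(pwd.getpwuid, st.st_uid, "pw_name")),
            ("group", group, name_of(grp.getgrgid, st.st_gid, "gr_name"))):
        msg = "" if found == expected else f"{what.capitalize()} of {path} is {found} and should be {expected}"
        results.append(("WARNING" if msg else "SUCCESS", f"{key}_{what}", msg))
    return results


def demo():
    """Apply the chmod from the verification above to a constructed temp file."""
    with tempfile.NamedTemporaryFile(suffix=".log") as tmp:
        st = os.stat(tmp.name)
        os.chmod(tmp.name, 0o644)
        return check_file(tmp.name, name_of(pwd.getpwuid, st.st_uid, "pw_name"),
                          name_of(grp.getgrgid, st.st_gid, "gr_name"), 0o600)


if __name__ == "__main__":
    for severity, key, msg in demo():
        print(f"{severity}: {key}" + (f": {msg}" if msg else ""))
```

Testing for bits set outside the expected mode, rather than comparing the two modes as numbers, keeps a mode such as 0444 from being reported as merely "too restrictive" against an expected 0600.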

Comment 11 errata-xmlrpc 2021-11-09 18:21:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230