Bug 740346

Summary: boot.log being created with 644 when umask is set to 077
Product: Red Hat Enterprise Linux 6 Reporter: Richard Diekema <rdiekema>
Component: rsyslogAssignee: Tomas Heinrich <theinric>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: unspecified    
Version: 6.0CC: pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-12 12:37:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard Diekema 2011-09-21 17:39:40 UTC 
As part of applying the CIS baseline hardening standards, boot.log should not be world readable. When setting the umask to 077 with the following commands:

sed -i '1i umask 077' /etc/bashrc
sed -i '1i umask 077' /etc/csh.cshrc
sed -i '1i umask 077' /etc/skel/.bashrc
sed -i '1i umask 077' /root/.bashrc
sed -i '1i umask 077' /root/.cshrc
sed -i '1i umask 077' /root/.tcshrc
sed -i '1i umask 077' /etc/profile
sed -i '1i umask 077' /etc/csh.login
sed -i '1i umask 077' /root/.bash_profile

boot.log is still created on boot with 644 permissions set.

To Reproduce:

Set umask to 077 with the following commands:

sed -i '1i umask 077' /etc/bashrc
sed -i '1i umask 077' /etc/csh.cshrc
sed -i '1i umask 077' /etc/skel/.bashrc
sed -i '1i umask 077' /root/.bashrc
sed -i '1i umask 077' /root/.cshrc
sed -i '1i umask 077' /root/.tcshrc
sed -i '1i umask 077' /etc/profile
sed -i '1i umask 077' /etc/csh.login
sed -i '1i umask 077' /root/.bash_profile

boot.log created with 644 permissions.
Comment 2 RHEL Program Management 2011-09-21 18:08:03 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 3 Jan Kaluža 2011-09-27 08:23:13 UTC 
logrotate is executed by cron which does not read profile from any file. If you want logrotate to create log files with specific permission, you have to use "create" directive in /etc/logrotate.d/syslog config file. Check "man logrotate" for more info.

> boot.log is still created on boot with 644 permissions set.

I think this is not logrotate's problem, because it does not create that file on boot, it just rotates it when it's big/old enough according to config file.

I will reassign this bug to rsyslog owner.
Comment 4 Tomas Heinrich 2011-10-05 08:55:40 UTC 
You may want to try the $FileCreateMode and$umask configuration directives.
http://www.rsyslog.com/doc/rsconf1_filecreatemode.html
Comment 5 Tomas Heinrich 2011-12-12 12:37:32 UTC 
This looks like a configuration issue, closing as not-a-bug. Feel free to reopen.