Description of problem: The directory /var/log/gnocchi is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/gnocchi directory. Because no sensitive data was found in the files, this is being raised as a hardening bug, and not a flaw. Version-Release number of selected component (if applicable): openstack-gnocchi-2.1.3-3.el7ost How reproducible: List /var/log directory for openstack-gnocchi: $ ls -la gnocchi total 72 drwxr-xr-x. 2 gnocchi root 67 Mar 7 20:25 . drwxr-xr-x. 29 root root 4096 Mar 12 19:20 .. -rw-r--r--. 1 gnocchi gnocchi 322 Mar 7 20:25 gnocchi-upgrade.log -rw-r--r--. 1 gnocchi gnocchi 26511 Mar 12 19:23 metricd.log -rw-r--r--. 1 gnocchi gnocchi 29540 Mar 12 19:21 statsd.log Actual results: Directory and files are world readable. Expected results: Directory and files should not be world readable.
this has been fixed in master rdo already. I backported to ocata.
[stack@undercloud-0 log]$ ls -la gnocchi ls: cannot open directory gnocchi: Permission denied [stack@undercloud-0 log]$ ls -lart gnocchi ls: cannot open directory gnocchi: Permission denied [stack@undercloud-0 log]$ sudo ls -lart gnocchi total 24 -rw-r--r--. 1 gnocchi gnocchi 1090 Apr 25 06:28 gnocchi-upgrade.log -rw-r--r--. 1 gnocchi gnocchi 611 Apr 25 06:28 statsd.log drwxr-x---. 2 gnocchi root 85 Apr 25 06:31 . -rw-r--r--. 1 gnocchi gnocchi 2683 Apr 25 06:31 app.log drwxr-xr-x. 34 root root 4096 Apr 25 07:09 .. -rw-r--r--. 1 gnocchi gnocchi 4415 Apr 25 07:34 metricd.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245