Description of problem: The directory /var/log/ironic is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/ironic directory. Because no sensitive data was found in the files, this is being raised as a hardening bug, and not a flaw. Version-Release number of selected component (if applicable): openstack-ironic-7.0.1-0.20170223011831.a13ea4f.el7ost How reproducible: List /var/log directory for openstack-ironic: $ ls -la ironic/ total 1072 drwxr-xr-x. 2 ironic ironic 78 Mar 8 22:35 . drwxr-xr-x. 25 root root 4096 Mar 12 19:44 .. -rw-r--r--. 1 ironic ironic 240138 Mar 12 19:45 ironic-api.log -rw-r--r--. 1 ironic ironic 647216 Mar 12 20:00 ironic-conductor.log -rw-r--r--. 1 root root 0 Mar 8 22:15 ironic-dbsync.log Actual results: Directory and files are world readable. Expected results: Directory and files should not be world readable.
This has been fixed upstream in the RDO packaging https://review.rdoproject.org/r/#/c/5258/
An submitted to Ocata https://review.rdoproject.org/r/#/c/6149/