Description of problem:
The directory /var/log/ironic is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/ironic directory. Because no sensitive data was found in the files, this is being raised as a hardening bug, and not a flaw.

Version-Release number of selected component (if applicable):
openstack-ironic-6.2.2-3.el7ost

How reproducible:
List /var/log directory for openstack-ironic:

$ ls -la ironic
total 28832
drwxr-xr-x.  3 ironic ironic     4096 Mar 12 03:20 .
drwxr-xr-x. 31 root   root       4096 Mar  5 18:23 ..
drwxr-xr-x.  2 ironic ironic     4096 Feb 17 00:05 deploy
-rw-r--r--.  1 ironic ironic  1524729 Mar 12 20:12 ironic-api.log
-rw-r--r--.  1 ironic ironic  1976765 Mar 10 03:28 ironic-api.log-20170310.gz
-rw-r--r--.  1 ironic ironic 16423530 Mar 12 20:12 ironic-conductor.log
-rw-r--r--.  1 ironic ironic   717400 Feb 24 03:47 ironic-conductor.log-20170224.gz
-rw-r--r--.  1 root   root          0 Feb 16 22:44 ironic-dbsync.log

Actual results:
Directory and files are world readable.

Expected results:
Directory and files should not be world readable.
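The report above is a manual `ls -la` check. An audit/fix pair that does the same thing repeatably, written here as an added example (it is not part of the bug report, the ironic package, or the merged fix): `audit_logdir` fails and lists every entry whose "other" mode digit is non-zero, and `harden_logdir` strips all "other" bits, which is the chmod o-rx the report asks for, applied to the directory and the log files in it. It assumes GNU `stat -c '%a'` (Linux coreutils) and builds a constructed temp tree with the same names and modes as the listing, so it never touches the real /var/log.

```shell
#!/bin/sh
# Added example, not from the bug report or the ironic project.
# Assumes GNU coreutils stat (-c '%a'); tested against a constructed tree.

# Print the "other" octal digit (0-7) of a path's mode, e.g. 755 -> 5.
other_bits() {
    mode=$(stat -c '%a' "$1")
    prefix=${mode%?}                    # everything but the last digit
    printf '%s\n' "${mode#$prefix}"     # the last digit = other bits
}

# Succeed only when DIR and its direct children have no "other" bits.
# Offending entries are listed on stdout with their octal mode.
audit_logdir() {
    dir=$1; rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue         # unmatched glob guard
        if [ "$(other_bits "$p")" != 0 ]; then
            printf 'world-accessible: %s (%s)\n' "$p" "$(stat -c '%a' "$p")"
            rc=1
        fi
    done
    return $rc
}

# The hardening the report asks for: remove every "other" bit from the
# directory and everything below it (rotated .gz logs included), so
# 755 -> 750 on directories and 644 -> 640 on files.
harden_logdir() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree mirroring the names and modes in the listing
# (contents are empty; only the permission bits matter here).
make_sample() {
    d=$(mktemp -d)
    mkdir -m 755 "$d/ironic" "$d/ironic/deploy"
    for f in ironic-api.log ironic-api.log-20170310.gz \
             ironic-conductor.log ironic-conductor.log-20170224.gz \
             ironic-dbsync.log; do
        : > "$d/ironic/$f"
        chmod 644 "$d/ironic/$f"
    done
    printf '%s\n' "$d/ironic"
}

# Demo: audit (expected to fail), harden, audit again (expected to pass).
sample=$(make_sample)
audit_logdir "$sample" || echo "audit failed as expected before hardening"
harden_logdir "$sample"
audit_logdir "$sample" && echo "ok: $sample is no longer world-accessible"
rm -rf "$(dirname "$sample")"
```

To use it against a real host, call `audit_logdir /var/log/ironic` as root (it only reads) and only run `harden_logdir` once you have confirmed nothing outside the `ironic` user and group (log shippers, monitoring agents) still needs to read those files; the verified fix below keeps the files at 644 and closes access at the directory instead.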
Derek, mind proposing a backport of https://review.rdoproject.org/r/#/c/5258/ please?
It appears that https://review.rdoproject.org/r/#/c/5258/ has merged so moving this to POST. Need to track down whether this is in a z release.
Installed latest osp10 with puddle 2017-10-30.3 on 11/1/2017. This bug has been verified.

Environment:
openstack-ironic-api-6.2.4-2.el7ost.noarch
openstack-ironic-conductor-6.2.4-2.el7ost.noarch
openstack-ironic-common-6.2.4-2.el7ost.noarch
openstack-ironic-inspector-4.2.2-3.el7ost.noarch

[stack@undercloud ~]$ sudo ls -la /var/log/ironic
total 836
drwxr-x---.  2 ironic ironic     81 Oct 20 17:10 .
drwxr-xr-x. 30 root   root     4096 Oct 20 17:02 ..
-rw-r--r--.  1 ironic ironic 187066 Oct 20 18:33 ironic-api.log
-rw-r--r--.  1 ironic ironic 435477 Oct 20 18:34 ironic-conductor.log
-rw-r--r--.  1 ironic ironic      0 Oct 20 17:03 ironic-dbsync.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3235