Description of problem: The directory /var/log/ironic-inspector is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/ironic directory. Because no sensitive data was found in the files, this is being raised as a hardening bug, and not a flaw. Version-Release number of selected component (if applicable): openstack-ironic-inspector-4.2.1-2.el7ost How reproducible: List /var/log directory for openstack-ironic-inspector: $ ls -la ironic-inspector total 7936 drwxr-xr-x. 3 ironic-inspector ironic-inspector 4096 Mar 10 03:29 . drwxr-xr-x. 31 root root 4096 Mar 5 18:23 .. -rw-r--r--. 1 ironic-inspector ironic-inspector 6789347 Mar 12 21:00 ironic-inspector.log -rw-r--r--. 1 ironic-inspector ironic-inspector 317198 Feb 21 03:27 ironic-inspector.log-20170221.gz -rw-r--r--. 1 ironic-inspector ironic-inspector 354698 Feb 26 03:34 ironic-inspector.log-20170226.gz -rw-r--r--. 1 ironic-inspector ironic-inspector 331045 Mar 5 18:22 ironic-inspector.log-20170305.gz -rw-r--r--. 1 ironic-inspector ironic-inspector 309486 Mar 10 03:28 ironic-inspector.log-20170310.gz drwxr-xr-x. 2 ironic-inspector ironic-inspector 4096 Jan 13 12:38 ramdisk Actual results: Directory and files are world readable. Expected results: Directory and files should not be world readable.
Fix merged in RDO: https://review.rdoproject.org/r/#/c/5793/
Verified in openstack-ironic-inspector-4.2.2-3.el7ost.noarch drwxr-x---. 3 ironic-inspector ironic-inspector 49 Aug 17 17:21 ironic-inspector [stack@host06 log]$ ls -al ironic-inspector ls: cannot open directory ironic-inspector: Permission denied
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2659