Description of problem: The directory /var/log/openvswitch is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/openvswitch directory. Because no sensitive data was found in the files, this is being raised as a hardening bug, and not a flaw. Version-Release number of selected component (if applicable): openvswitch-2.4.0-2.el7_2 Steps to reproduce: $ ls -la /var/log/openvswitch total 36 drwxr-xr-x. 2 root root 52 Mar 5 23:44 . drwxr-xr-x. 25 root root 4096 Mar 12 22:04 .. -rw-r--r--. 1 root root 2487 Mar 12 22:04 ovsdb-server.log -rw-r--r--. 1 root root 27615 Mar 12 22:05 ovs-vswitchd.log
[root@localhost ~]# rpm -q openvswitch openvswitch-2.4.1-1.git20160727.el7_2.x86_64 [root@localhost ~]# ls -l /var/log/openvswitch total 0 [root@localhost ~]# ls -ld !$ ls -ld /var/log/openvswitch drwxr-xr-x. 2 root root 6 Jul 26 2016 /var/log/openvswitch ^^^ 'other' world read/execute bits set. [root@localhost ~]# rpm -Uvh openvswitch-2.4.1-2.git20160727.el7ost.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:openvswitch-2.4.1-2.git20160727.e################################# [ 50%] Cleaning up / removing... 2:openvswitch-2.4.1-1.git20160727.e################################# [100%] [root@localhost ~]# ls -ld /var/log/openvswitch/ drwxr-x---. 2 root root 6 Jul 25 11:28 /var/log/openvswitch/ ^^^ 'other' world read/execute bits NOT set. Verified with openvswitch-2.4.1-2.git20160727.el7ost.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2665