Bug 1780020 - [RFE] ipa-healthcheck should verify owner/perms for important logs in "/var/log" in the ipahealthcheck.ipa.files source
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa-healthcheck
Version: 8.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 8.0
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1961084
Reported: 2019-12-05 09:17 UTC by Nikhil Dehadrai
Modified: 2021-11-09 23:01 UTC

Fixed In Version: ipa-healthcheck-0.7-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1961084 (view as bug list)
Environment:
Last Closed: 2021-11-09 18:21:19 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-7253 | 0 | None | None | None | 2021-11-09 00:32:31 UTC
Red Hat Product Errata | RHBA-2021:4230 | 0 | None | None | None | 2021-11-09 18:21:38 UTC

Description Nikhil Dehadrai 2019-12-05 09:17:54 UTC
Description of problem:
ipa-healthcheck should check path for "/var/log" under ipahealthcheck.ipa.files source. The IPA server uses the /var/log directory to update and track all its log files. Currently, running the command "ipa-healthcheck --source ipahealthcheck.ipa.files" does not capture this information. If there is any change to the permissions of the "/var/log" directory, then it will be missed. Thus we should also include this.


Version-Release number of selected component (if applicable):
ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch



Console:
[root@master yum.repos.d]# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_cert9.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_key4.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_dirsrv_slapd-IPA-TEST_pkcs11.txt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_cert9.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_key4.db_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileNSSDBCheck._etc_pki_pki-tomcat_alias_pkcs11.txt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.pem_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_lib_ipa_ra-agent.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.crt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._var_kerberos_krb5kdc_kdc.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_named.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_dnssec_ipa-dnskeysyncd.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_httpd_alias_ipasession.key_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_dirsrv_ds.keytab_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_ca.crt_group
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_mode
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_owner
SUCCESS: ipahealthcheck.ipa.files.IPAFileCheck._etc_ipa_custodia_server.keys_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_password.conf_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._var_lib_pki_pki-tomcat_conf_ca_CS.cfg_group
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_mode
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_owner
SUCCESS: ipahealthcheck.ipa.files.TomcatFileCheck._etc_pki_pki-tomcat_server.xml_group

Comment 4 Rob Crittenden 2021-05-19 19:27:53 UTC
upstream PR https://github.com/freeipa/freeipa-healthcheck/pull/211

Comment 5 Rob Crittenden 2021-06-02 15:36:14 UTC
Fixed upstream in master:
9d6c6a8cb524fb4c10a55d04fa0f6cedecfecd27

Comment 9 Michal Polovka 2021-07-02 10:46:59 UTC
Verified manually using a RHEL8.5 machine with ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch


# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
No issues found.


# chmod 0644 /var/log/ipaupgrade.log
# ipa-healthcheck --source ipahealthcheck.ipa.files --output-type=human
WARNING: ipahealthcheck.ipa.files.IPAFileCheck._var_log_ipaupgrade.log_mode: Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600


Check is present and executed, marking as verified.
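
The mode/owner/group check verified in comment 9, sketched as an added example (it is not part of this bug report and is not the ipa-healthcheck source). The result key and the "too permissive" message follow the output shown above; the function names, the "too restrictive" branch with its ERROR severity, and the ownership message are assumptions of this example.

```python
import grp
import os
import pwd
import stat
import tempfile


def name_of(lookup, ident, field):
    """Resolve a uid/gid to a name; fall back to the number if it is unmapped."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def check_file(path, owner, group, mode):
    """Return [(severity, key, message)] for the mode, owner and group of path."""
    st = os.stat(path)
    actual = stat.S_IMODE(st.st_mode)
    prefix = path.replace("/", "_")  # /var/log/x.log -> _var_log_x.log
    if actual == mode:
        results = [("SUCCESS", prefix + "_mode", "")]
    else:
        # Bits granted beyond the expected mode -> too permissive;
        # only missing bits -> too restrictive (severity is this example's choice).
        loose = bool(actual & ~mode)
        results = [("WARNING" if loose else "ERROR", prefix + "_mode",
                    "Permissions of %s are too %s: %04o and should be %04o"
                    % (path, "permissive" if loose else "restrictive", actual, mode))]
    found = (("owner", name_of(pwd.getpwuid, st.st_uid, "pw_name"), owner),
             ("group", name_of(grp.getgrgid, st.st_gid, "gr_name"), group))
    for kind, have, want in found:
        ok = have == want
        results.append(("SUCCESS" if ok else "WARNING", "%s_%s" % (prefix, kind),
                        "" if ok else "Ownership of %s is %s and should be %s"
                        % (path, have, want)))
    return results


def demo():
    """Repeat the 'chmod 0644' verification step on a constructed temp file."""
    with tempfile.NamedTemporaryFile(suffix=".log") as f:
        st = os.stat(f.name)
        owner = name_of(pwd.getpwuid, st.st_uid, "pw_name")
        group = name_of(grp.getgrgid, st.st_gid, "gr_name")
        os.chmod(f.name, 0o644)  # loosen a file that is expected to be 0600
        return check_file(f.name, owner, group, 0o600)
```
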

Comment 11 errata-xmlrpc 2021-11-09 18:21:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

