The directory /var/log/heat is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/heat directory:

[stack@instack ~]$ ls -la /var/log/heat
total 39376
drwxr-xr-x.  2 heat root     4096 Feb  9 01:07 .
drwxr-xr-x. 31 root root     4096 Feb  9 01:02 ..
-rw-r--r--.  1 heat heat   201578 Feb  9 20:09 heat-api-cfn.log
-rw-r--r--.  1 heat heat  4899693 Feb  9 20:09 heat-api.log
-rw-r--r--.  1 heat heat 35193112 Feb  9 23:40 heat-engine.log
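
A check for the condition described in the report, as an added example that is not part of the original bug report or of the openstack-heat packaging: it lists entries under the log directory that grant any permission to 'other' and removes those bits. The function names and the LOG_DIR variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten 'other' permission bits on a log directory.
# The default path is the one named in the report; the function names and
# LOG_DIR are hypothetical and chosen for this example only.

LOG_DIR="${LOG_DIR:-/var/log/heat}"

# Print every entry (the directory itself included) that grants read, write
# or execute to 'other'. Symlinks are skipped because their own mode bits
# do not control access to the target.
audit_other_perms() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of offending entries; 0 means nothing is exposed to 'other'.
count_other_perms() {
    audit_other_perms "$1" | wc -l | tr -d ' '
}

# Remove all 'other' bits from the directory and its contents.
# Owner and group bits are left untouched.
tighten_other_perms() {
    chmod -R o-rwx "$1"
}

# Stand-alone use: "--audit" lists offenders, "--fix" tightens and re-counts.
case "${1:-}" in
    --audit) audit_other_perms "$LOG_DIR" ;;
    --fix)   tighten_other_perms "$LOG_DIR" && count_other_perms "$LOG_DIR" ;;
esac
```

Files created after the fix take their mode from the writing service's umask and any logrotate create directive, so repeat the audit after the next rotation.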
Acknowledgments: Name: Hans Feldt (Ericsson)
Created openstack-heat tracking bugs for this issue: Affects: openstack-rdo [bug 1422265]
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:1243 https://access.redhat.com/errata/RHSA-2017:1243
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:1464 https://access.redhat.com/errata/RHSA-2017:1464