Ubuntu 24.04 6.1.4.1 Ensure access to all logfiles has been configured #12991

Draft
wants to merge 13 commits into
base: master

ericeberry
Contributor

Description:

  • Ubuntu 24.04 6.1.4.1 Ensure access to all logfiles has been configured

Rationale:

  • Configure file permissions, owner, and group owner of all log files in the /var/log directory.

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Used by openshift-ci bot. needs-ok-to-test Used by openshift-ci bot. labels Feb 6, 2025

openshift-ci bot commented Feb 6, 2025

Hi @ericeberry. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


github-actions bot commented Feb 6, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages
@@ -3,7 +3,7 @@
 Verify Group Who Owns /var/log/messages File
 
 [description]:
-To properly set the group owner of /var/log/messages, run the command: $ sudo chgrp root /var/log/messages
+To properly set the group owner of /var/log/messages, run the command: $ sudo chgrp adm /var/log/messages
 
 [reference]:
 CCI-001314
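
Review bot: The changed [description] line now directs `chgrp adm` for /var/log/messages without saying why the expected group moves from root to adm, and the report lines right after this hunk say the bash remediation for this rule is missing. Add the reason to the rule's rationale, and if the check accepts more than one group, list every accepted group in the description instead of a single command.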

New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'.
New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog'.
New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages'.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog'.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -3,7 +3,7 @@
 Verify User Who Owns /var/log/syslog File
 
 [description]:
-To properly set the owner of /var/log/syslog, run the command: $ sudo chown syslog /var/log/syslog
+To properly set the owner of /var/log/syslog, run the command: $ sudo chown root /var/log/syslog
 
 [reference]:
 CCI-001314
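
Review bot: In the [description] line, `chown syslog` becomes `chown root` for /var/log/syslog, which reverses the documented owner rather than widening it. State in the rule text why syslog is no longer the expected owner, or, if both owners pass the check, reword the description so it does not present root as the only valid value.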

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1
+++ ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1
@@ -2,6 +2,6 @@
 run the command:
 $ ls -lL /var/log/syslog
 If properly configured, the output should indicate the following owner:
-syslog
-      Is it the case that /var/log/syslog does not have an owner of syslog?
+root
+      Is it the case that /var/log/syslog does not have an owner of root?
       
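
Review bot: The OCIL question on the last changed line now treats any owner other than root as a finding, so a host that followed the previous text and has /var/log/syslog owned by syslog would fail the manual check. Confirm the question matches what the automated check for this rule accepts, and that the new wording is limited to the Ubuntu 24.04 content this PR targets.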
New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog'.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -10,10 +10,10 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure owner 104 on /var/log/syslog
+- name: Ensure owner 0 on /var/log/syslog
   file:
     path: /var/log/syslog
-    owner: '104'
+    owner: '0'
   when: file_exists.stat is defined and file_exists.stat.exists
   tags:
   - configure_strategy
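
Review bot: The task name and the `owner:` value use a bare numeric UID ('0' replacing '104'), which makes the reader map the number back to an account. Prefer `owner: root` and "Ensure owner root on /var/log/syslog" if the generator allows it. The report above lists the bash remediation for this rule as missing, so this task is the only automated fix shown and its intent should be explicit.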

@@ -0,0 +1,31 @@
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Owner of /var/log/secure should be root or syslog.") }}}
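
Review bot: The metadata string says the owner of /var/log/secure "should be root or syslog", while the datastream diff for /var/log/syslog names root alone in its description and OCIL text. Only three of the 31 added lines are visible here, so check that the states in this definition accept exactly the owners the metadata names and that each rule's description lists the same set.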
Collaborator

I have noticed that a very similar OVAL repeats many times in this PR. Please create a Jinja macro to prevent code duplication.

Contributor Author

That is the plan. For expediency, the code is duplicated for now.

@dodys dodys self-assigned this Feb 7, 2025

codeclimate bot commented Feb 13, 2025

Code Climate has analyzed commit 9b3bea2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.
