Fixes log file permissions as per CIS benchmark
As per CIS benchmark the log file permissions should be 640 for some log
files but if we change /var/log/ipa-custodia.audit.log permissions to
640 then "ipa-healthcheck" reports a permission issue.

Fixes: #325
tscherf committed Mar 13, 2024
1 parent 3d85d43 commit c789a5a
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions src/ipahealthcheck/ipa/files.py
Expand Up @@ -121,7 +121,7 @@ def check(self):
self.files.append((filename, 'root', 'root', '0600'))

self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
'root', 'root', '0644'))
'root', 'root', '0644', '0640'))

self.files.append((paths.KADMIND_LOG, 'root', 'root',
('0600', '0640')))
Expand All @@ -133,11 +133,13 @@ def check(self):
self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst,
constants.DS_USER, constants.DS_GROUP, '0600'))

self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))
self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
'0644', '0640'))

for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
self.files.append(
(globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
(globpath, constants.PKI_USER, constants.PKI_GROUP,
"0644", "0640")
)

for globpath in glob.glob(
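Review bot: The three new entries append a five-element tuple (`'root', 'root', '0644', '0640'`), whereas the KADMIND_LOG entry visible in the first hunk passes alternative modes as one nested tuple, `('0600', '0640')`, in the fourth position. The code that consumes `self.files` is not shown here, but if it unpacks four fields per entry, these additions would presumably either raise on unpacking or never be compared against `'0640'`, so the check would break or keep flagging the CIS-hardened mode. Writing them as `'root', 'root', ('0644', '0640')))` for IPA_CUSTODIA_AUDIT_LOG and VAR_LOG_HTTPD_ERROR, and as `(globpath, constants.PKI_USER, constants.PKI_GROUP, ("0644", "0640"))` for the Tomcat debug logs, would match the existing convention. A test that runs the check against a file set to 0640 would confirm that the new mode is actually accepted; `check()` starts and continues outside both hunks.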
