Merge pull request #1366 from stackhpc/bugfix/cis-log-perms

Alex-Welsh · web-flow · commit 69115f7404ca · 2024-11-07T14:32:58.000Z
CIS: Stop recursively setting permissions on logs files
diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis
@@ -51,6 +51,9 @@ rhel9cis_rule_6_1_15: false
 # filesystem.  We do not want to change /var/lib/docker permissions.
 rhel9cis_no_world_write_adjust: false
 
+# Prevent hardening from recursivley changing permissions on log files
+rhel9cis_rule_4_2_3: false
+
 # Configure log rotation to prevent audit logs from filling the disk
 rhel9cis_auditd:
   space_left_action: syslog
@@ -153,6 +156,9 @@ ubtu22cis_no_owner_adjust: false
 ubtu22cis_no_world_write_adjust: false
 ubtu22cis_suid_adjust: false
 
+# Prevent hardening from recursivley changing permissions on log files
+ubtu22cis_rule_4_2_3: false
+
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
   action_mail_acct: root
diff --git a/releasenotes/notes/cis-hardening-no-longer-sets-permissions-on-logs-81a48ab8ed2d6b5f.yaml b/releasenotes/notes/cis-hardening-no-longer-sets-permissions-on-logs-81a48ab8ed2d6b5f.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    The CIS hardening scripts no longer change permissions of log files by
+    default. It is preferred to configure these permissions at source i.e on
+    whatever is creating the files. It also suffered from a time-of-check to
+    time-of-use race condition. If you want the old behaviour you can change
+    ``rhel9cis_rule_4_2_3`` and/or ``ubtu22cis_rule_4_2_3`` to ``true``.
