Bug
Resolution: Unresolved
4.14
Description of problem:
After waiting a short time with a cluster with no findings and auto-remediation turned off, log files exist that don't have 600 permissions
Version-Release number of selected component (if applicable):
OCP 4.14 compliance operator
How reproducible:
Always
Steps to Reproduce:
1. Configure the compliance operator with the OCP STIGv2
2. Run a scan and apply remediation
3. Turn off auto-remediation
4. Wait until logs are rotated in some of the running pods
5. Run a scan again
Actual results:
There will be findings that log files have incorrect permissions.
Expected results:
Rotated and new log files should be created with permissions 600.
Additional info:
The customer is not able to turn on auto-remediation because some of the remediation scripts cause rolling reboots after applying a machine config. It would be helpful if the remediation for the log files could configure the cluster to create and rotate the log files with the appropriate permissions.

This is the control from the compliance-as-code repo:

  id: CNTR-OS-000300
  levels:
    - medium
  title: OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.
  rules:
    - file_groupowner_system_journal
    - file_groupowner_var_log
    - file_owner_groupowner_permissions_pod_logs
    - file_owner_system_journal
    - file_owner_var_log
    - file_ownership_var_log_audit
    - file_permissions_system_journal
    - file_permissions_var_log
    - file_permissions_var_log_audit
  status: automated

I'm not sure which rule is applying the changes because the one for var log seems to set it to 755.
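As an added detection check, not code from this report or from the compliance operator, the following POSIX shell function lists regular files under a log directory whose mode is not exactly 600, which is the condition the rescan reports as a finding after rotation. The directory and file names in the demo are constructed; the expected mode is a parameter so the same check can be run against other controls.

```shell
#!/bin/sh
# Added example (not from the bug report or the compliance operator):
# report regular files under a log directory whose mode differs from the
# mode the control expects (600 by default), so a rotated or newly created
# log with the wrong permissions is spotted before the next compliance scan.

# check_log_perms DIR [MODE]
# Prints "mode path" for every non-compliant regular file; returns 1 if any.
check_log_perms() {
    dir=$1
    want=${2:-600}
    # POSIX find: an octal -perm argument matches the exact mode bits, so
    # "! -perm 600" selects every regular file that is not exactly rw-------.
    # GNU stat -c %a prints the octal mode (assumed available on the host).
    bad=$(find "$dir" -type f ! -perm "$want" -exec sh -c \
        'for f; do printf "%s %s\n" "$(stat -c %a "$f")" "$f"; done' sh {} +)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# count_noncompliant DIR [MODE]: number of non-compliant files (0 if clean).
count_noncompliant() {
    n=$(check_log_perms "$1" "${2:-600}" | wc -l | tr -d ' ')
    echo "$n"
    return 0
}

# Demo on a constructed directory imitating a rotation where the active log
# kept 600 but the rotated copy was created with the process umask default.
demo_dir=$(mktemp -d)
: > "$demo_dir/app.log";   chmod 600 "$demo_dir/app.log"
: > "$demo_dir/app.log.1"; chmod 644 "$demo_dir/app.log.1"
check_log_perms "$demo_dir" || echo "non-compliant log files found"
rm -rf "$demo_dir"
```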