V-38623: rsyslog file permissions

Implements: blueprint security-hardening Change-Id: I168d588f3f1672c600f381ec47909819b122c412
2015-10-13 11:33:26 -05:00 · 2015-10-13 11:33:26 -05:00 · 9363a17f0f
parent d378f1c12e
commit 9363a17f0f
3 changed files with 24 additions and 0 deletions
--- a/doc/source/developer-notes/V-38623.rst
+++ b/doc/source/developer-notes/V-38623.rst
@ -0,0 +1,6 @@
+Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG
+requires ``0600`` or less. The Ansible tasks will adjust the rsyslog
+configuration so that any new log files will have the mode set to ``0600``.
+
+This will take effect the next time that log files are rotated with
+``logrotate`` (configured in V-38624).
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -29,6 +29,11 @@
    name: postfix
    state: restarted

+- name: restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted
+
 - name: restart ssh
  service:
    name: ssh
--- a/tasks/file_perms.yml
+++ b/tasks/file_perms.yml
@ -103,3 +103,16 @@
   - file_perms
   - cat2
   - V-38504
+
+# This change will go into effect on the next log rotation.
+- name: V-38623 - All rsyslog-generated files must have mode 0600 or less
+  lineinfile:
+    dest: /etc/rsyslog.conf
+    regexp: "^(#)?\\$FileCreateMode"
+    line: "$FileCreateMode 0600"
+  notify:
+    - restart rsyslog
+  tags:
+    - file_perms
+    - cat2
+    - V-38623