V-38623: rsyslog file permissions
Implements: blueprint security-hardening Change-Id: I168d588f3f1672c600f381ec47909819b122c412
parent
d378f1c12e
commit
9363a17f0f
|
@ -0,0 +1,6 @@
|
||||||
|
Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG
|
||||||
|
requires ``0600`` or less. The Ansible tasks will adjust the rsyslog
|
||||||
|
configuration so that any new log files will have the mode set to ``0600``.
|
||||||
|
|
||||||
|
This will take effect the next time that log files are rotated with
|
||||||
|
``logrotate`` (configured in V-38624).
|
|
@ -29,6 +29,11 @@
|
||||||
name: postfix
|
name: postfix
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart rsyslog
|
||||||
|
service:
|
||||||
|
name: rsyslog
|
||||||
|
state: restarted
|
||||||
|
|
||||||
- name: restart ssh
|
- name: restart ssh
|
||||||
service:
|
service:
|
||||||
name: ssh
|
name: ssh
|
||||||
|
|
|
@ -103,3 +103,16 @@
|
||||||
- file_perms
|
- file_perms
|
||||||
- cat2
|
- cat2
|
||||||
- V-38504
|
- V-38504
|
||||||
|
|
||||||
|
# This change will go into effect on the next log rotation.
|
||||||
|
- name: V-38623 - All rsyslog-generated files must have mode 0600 or less
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/rsyslog.conf
|
||||||
|
regexp: "^(#)?\\$FileCreateMode"
|
||||||
|
line: "$FileCreateMode 0600"
|
||||||
|
notify:
|
||||||
|
- restart rsyslog
|
||||||
|
tags:
|
||||||
|
- file_perms
|
||||||
|
- cat2
|
||||||
|
- V-38623
|
||||||
|
|
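Review bot: The `lineinfile` task for V-38623 has no placement fallback, so when `/etc/rsyslog.conf` has no line matching `^(#)?\$FileCreateMode` (for example an indented one, or `# $FileCreateMode` with a space) the module appends the directive at the end of the file. `$FileCreateMode` is a legacy directive that only applies to actions defined after it, so a line appended below the `$IncludeConfig` of the rule files would probably leave new log files at the old mode while the task still reports a change. Adding `insertbefore: "^\\$IncludeConfig"` keeps the fallback ahead of the rules; the include layout is assumed from the stock Ubuntu file and is not visible on this page. Log files that already exist stay at 0640 until they are recreated, and whether rotation produces 0600 depends on how logrotate recreates them, so the comment above the task should say how to verify the resulting modes.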