Fix auditd log permission bug

The tasks for handling auditd log permissions incorrectly set all log files in /var/log/audit to 0400, which prevents auditd from writing to the active log file. This prevents auditd from starting and restarting. The task now removes any permissions explicitly disallowed by V-38498. Any files meeting/exceeding the STIG requirements will not be modified. Closes-bug: 1584942 Change-Id: I1bb2b91ae8a78b1f0304bd4ce0f9a774d65245bd
2016-05-23 16:02:36 -05:00 · 2016-05-23 16:02:36 -05:00 · 490d2f4bd8
parent 5cd01926c2
commit 490d2f4bd8
3 changed files with 20 additions and 9 deletions
--- a/doc/source/developer-notes/V-38498.rst
+++ b/doc/source/developer-notes/V-38498.rst
@ -1,7 +1,8 @@
-Ubuntu 14.04 sets logs in ``/var/log/audit`` to mode ``0400`` by default,
-which makes sense because only the root user should be able to view the
-logs. No users should ever be adjusting or editing the audit logs.
+Ubuntu and CentOS set the current audit log (the one that is actively being
+written to) to ``0600`` so that only the root user can read and write to it.
+The older, rotated logs are set to ``0400`` since they should not receive
+any more writes.

-The STIG requirement states that log files must have mode ``0640`` or less.
-The Ansible tasks in this role will set the mode to ``0400`` to match
-Ubuntu's default.
+The STIG requirement states that log files must have mode ``0640`` or less. The
+security role will remove any permissions that are not allowed by the STIG
+(``u-x,g-wx,o-rwx``).
--- a/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
+++ b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    The security role previously set the permissions on all audit log files in
+    ``/var/log/audit`` to ``0400``, but this prevents the audit daemon from
+    writing to the active log file. This will prevent ``auditd`` from
+    starting or restarting cleanly.
+
+    The task now removes any permissions that are not allowed by the STIG. Any
+    log files that meet or exceed the STIG requirements will not be modified.
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -261,12 +261,12 @@
    - cat2
    - V-38498

-# Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since
-# it exceeds the STIG's requirements.
+# On most systems, the active log file is 0600 and the older logs are 0400.
+# This task ensures that all logs meet or exceed the STIG requirement.
 - name: V-38498 - Audit log files must have mode 0640 or less
  file:
    dest: "/var/log/audit/{{ item }}"
-    mode: 0400
+    mode: "u-x,g-wx,o-rwx"
  with_items: "{{ v38498_result.stdout_lines | default([]) }}"
  when: auditd_log_dir.stat.exists | bool
  tags: