V-38623: rsyslog file permissions

Implements: blueprint security-hardening

Change-Id: I168d588f3f1672c600f381ec47909819b122c412
Major Hayden 2015-10-13 11:33:26 -05:00
parent d378f1c12e
commit 9363a17f0f
3 changed files with 24 additions and 0 deletions

@ -0,0 +1,6 @@
Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG
requires ``0600`` or less. The Ansible tasks will adjust the rsyslog
configuration so that any new log files will have the mode set to ``0600``.
This will take effect the next time that log files are rotated with
``logrotate`` (configured in V-38624).
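Review bot: The note says only that new log files get mode 0600 at the next rotation, so it should also state that existing files keep their current mode (0640 by the Ubuntu default named in the first sentence) until then. A deployer who audits V-38623 right after the playbook runs will still see a finding; say that explicitly, and mention that rotation has to happen before the control passes.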

@ -29,6 +29,11 @@
name: postfix
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted
- name: restart ssh
service:
name: ssh

@ -103,3 +103,16 @@
- file_perms
- cat2
- V-38504
# This change will go into effect on the next log rotation.
- name: V-38623 - All rsyslog-generated files must have mode 0600 or less
lineinfile:
dest: /etc/rsyslog.conf
regexp: "^(#)?\\$FileCreateMode"
line: "$FileCreateMode 0600"
notify:
- restart rsyslog
tags:
- file_perms
- cat2
- V-38623
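Review bot: The `regexp` on the `lineinfile` task, `^(#)?\\$FileCreateMode`, misses a commented directive written with a space after the hash (`# $FileCreateMode ...`), and when nothing matches, `lineinfile` appends `$FileCreateMode 0600` at the end of `/etc/rsyslog.conf`. rsyslog applies this legacy directive only to the selector lines that follow it, so a line appended after the existing rules and any `$IncludeConfig` would leave those log files at their old mode while the task reports a change. Suggest loosening the pattern to `^#?\\s*\\$FileCreateMode` and adding an `insertbefore` anchored on the first rule or include line, so the fallback placement is still above the actions it has to cover. It is also worth a comment on whether files pulled in from an include directory that set their own `$FileCreateMode` are in scope, since this task edits only `/etc/rsyslog.conf`.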