Description

`os_hardening` is setting `group=root` for `/var/log` (and every other mount point). This is hard-coded in

ansible-collection-hardening/roles/os_hardening/tasks/minimize_access.yml
Lines 204 to 209 in c1cd6c5

However, in Ubuntu `rsyslog` is running as user `syslog` by default and `/var/log` has `group=syslog` and permission 775 by default.

So with the current implementation `os_hardening` will prevent `rsyslog` from creating new logfiles e.g. after installing Postfix or any other MTA.

Reproduction steps

1. Create a new Ubuntu server (22.04)
2. Apply role `devsec.hardening.os_hardening`
3. Execute `ls -la /var/log`

Current Behavior

```
root@test:/var/log# ls -la /var/log
total 1108
drwxr-xr-x 9 root root 4096 Jan 2 18:37 .
```

Expected Behavior

```
root@test:/var/log# ls -la /var/log
total 1108
drwxrwxr-x 9 root syslog 4096 Jan 2 19:15 .
```

OS / Environment

Ubuntu 22.04

Ansible Version

2.13

Collection Version

8.4.0

Additional information

No response
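A check for the condition this issue describes, as an added example that is not part of the issue or of the collection's code: it evaluates the owner, group and mode of a directory against an account and reports whether that account can create files there. The helper names `can_create` and `check_live` are hypothetical, and the group list of the `syslog` account is an assumption.

```shell
#!/bin/sh
# Added example (not from the issue or the collection): decide from classic
# POSIX mode bits whether an account can create files in a directory.
# ACLs and capabilities are not considered.

# can_create MODE OWNER GROUP USER "USER_GROUPS"   (hypothetical helper)
#   MODE is octal, e.g. 755; USER_GROUPS is a space-separated list of names.
#   Returns 0 when USER has both write and search permission on the directory.
can_create() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    [ "$user" = root ] && return 0            # root bypasses mode bits
    bits=$((0$mode))                          # leading 0 forces octal
    # Only the first matching class applies: owner, then group, then other.
    if [ "$user" = "$owner" ]; then
        class=$(( (bits >> 6) & 7 ))
    elif printf ' %s ' "$user_groups" | grep -qF -- " $group "; then
        class=$(( (bits >> 3) & 7 ))
    else
        class=$(( bits & 7 ))
    fi
    [ $(( class & 3 )) -eq 3 ]                # need w (2) and x (1)
}

# check_live DIR USER: the same check against the running system (GNU stat).
check_live() {
    dir=$1; acct=$2
    can_create "$(stat -c %a "$dir")" "$(stat -c %U "$dir")" \
               "$(stat -c %G "$dir")" "$acct" "$(id -Gn "$acct")"
}

# The two /var/log states from the ls output in the issue. The group list of
# the syslog account ("syslog adm") is an assumption.
for state in "755 root root" "775 root syslog"; do
    set -- $state
    if can_create "$1" "$2" "$3" syslog "syslog adm"; then
        echo "/var/log $state: syslog can create new log files"
    else
        echo "/var/log $state: syslog cannot create new log files"
    fi
done
```

On a host where the role has been applied, `check_live /var/log syslog` runs the same test against the real directory.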