How to properly set file-mode for /var/log/cloud-init.log

In using the vendor STIGs for RHEL7, the rsyslog_files_permissions Rule ID wants all files that rsyslog knows about to be set mode 0600 or more secure. I manually remediated the system - setting $umask 0277 in the /etc/rsyslog.conf, stripping rwx from group and other on all files under /var/log and rebooting. When the system reboots, all files remain at mode 0600 except for /var/log/cloud-init.log.

When I run the oscap report, it looks like, because rsyslog knows about this file (via /etc/rsyslog.d/21-cloudinit.conf), it's marking the rule-compliance as failed.

In digging around, it looks like the starting mode for /var/log/cloud-init.log is (re)set by python (rather than rsyslog). It looks like this behavior would notionally be configurable via the /etc/cloud/cloud.cfg.d/05_logging.cfg file. Unfortunately, in looking at info about that file (and generic python-logging config), I'm not seeing a promising method for forcing the mode for /var/log/cloud-init.log to be mode 0600 (admittedly, I'm rather muzzy-headed from cold medications, right now).

Am I missing something obvious, or am I in a "can't get there from here" situation? I really don't want to have to resort to an rc.local type of chmod kludge to move past this. :(

Anyway, I opened a BugZilla to see if this is a known issue and/or if there's a documented way around this scenario, but figured I'd post here in case someone could get me there more quickly.
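The following is an added example, not part of the original post and not cloud-init's or rsyslog's own code. It demonstrates the mechanism the poster is running into: Python's `logging.FileHandler` simply calls `open()`, so a new log file gets `0666` masked by the Python process's umask (typically `0644`), and rsyslog's `$umask 0277` has no bearing on it, nor does reopening an existing `0644` file in append mode change its bits. It also shows one generic way to pin a handler-created file to `0600` with `os.fchmod` on the open descriptor. Whether cloud-init's `05_logging.cfg` can be pointed at such a handler class is not something the post settles; the class name `SecureFileHandler`, the helper names and the temp-file paths are assumptions made for this example.

```python
"""Why a Python-created log file ignores rsyslog's $umask, and one way to pin it to 0600.

Added example; not cloud-init's or rsyslog's code. Only logging.FileHandler,
os and stat are real stdlib APIs; SecureFileHandler and the helpers are
illustrative names chosen for this demonstration.
"""
import logging
import os
import stat
import tempfile


def file_mode(path):
    """Return the permission bits of *path* as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


class SecureFileHandler(logging.FileHandler):
    """FileHandler that forces an explicit mode on the file every time it is opened.

    logging.FileHandler._open() is just open(); the created file's mode is
    0666 & ~umask, so a 0022 umask yields 0644 regardless of what rsyslog's
    own $umask directive says. fchmod on the already-open descriptor avoids a
    chmod-by-path race. (Illustrative subclass, not part of cloud-init.)
    """

    FILE_MODE = 0o600  # class attribute: _open() runs inside FileHandler.__init__

    def _open(self):
        stream = super()._open()
        os.fchmod(stream.fileno(), self.FILE_MODE)
        return stream


def log_file_mode(handler_cls, path, umask=0o022):
    """Open *path* via *handler_cls* under *umask*, write one record, return the file's mode."""
    old_umask = os.umask(umask)
    try:
        handler = handler_cls(path)
        logger = logging.Logger("mode-demo")  # standalone logger; does not touch the root logger
        logger.addHandler(handler)
        logger.warning("constructed sample record")
        handler.close()
    finally:
        os.umask(old_umask)
    return file_mode(path)


def compare_handlers():
    """Create log files with each handler in a temp dir.

    Returns (plain_mode, secure_mode, reopened_mode, fixed_mode):
      plain_mode    - fresh file from logging.FileHandler under umask 0022
      secure_mode   - fresh file from SecureFileHandler under umask 0022
      reopened_mode - the 0644 file reopened by a plain handler under umask 0277
                      (append mode leaves existing bits alone, so still 0644)
      fixed_mode    - the same file reopened by SecureFileHandler (now 0600)
    """
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "cloud-init.log")          # constructed path
        secure = os.path.join(tmp, "cloud-init-secure.log")  # constructed path
        plain_mode = log_file_mode(logging.FileHandler, plain)
        secure_mode = log_file_mode(SecureFileHandler, secure)
        reopened_mode = log_file_mode(logging.FileHandler, plain, umask=0o277)
        fixed_mode = log_file_mode(SecureFileHandler, plain)
    return plain_mode, secure_mode, reopened_mode, fixed_mode


if __name__ == "__main__":
    for name, mode in zip(("plain", "secure", "reopened", "fixed"), compare_handlers()):
        print("%-9s %s" % (name, oct(mode)))
```

The `reopened` case is the one that matters for the poster's reboot test: a stricter umask applied later (whether rsyslog's `$umask` or a system-wide one) never tightens a file that already exists at `0644`, so the fix has to happen at the point where the Python logging handler opens the file, or as an explicit chmod afterwards.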
