Logrotate setup with create permissions not persisting


Dear Community,

Under RHEL 8.8 I created a Kickstart which, in a post-install script, searches all /etc/logrotate.d/* files and alters their create directive to have permissions 0640, in accordance with some hardening rules.

Of course, some default configurations, like dnf, have even more restrictive permissions, like 0600.

But it is odd to me that my setup is not persisted:

[During post install scripts where I put a grep to check alterations]
/var/log/anaconda/program.log:16:32:18,867 INF program: /etc/logrotate.d/btmp: create 0640 root utmp
/var/log/anaconda/program.log:16:32:18,867 INF program: /etc/logrotate.d/chrony: nocreate
/var/log/anaconda/program.log:16:32:18,868 INF program: /etc/logrotate.d/dnf: create 0640
/var/log/anaconda/program.log:16:32:18,868 INF program: /etc/logrotate.d/wtmp: create 0640 root utmp
/var/log/anaconda/program.log:16:32:18,868 INF program: /etc/logrotate.d/zabbix-agent: create 0640 zabbix zabbix

Look, this is what I collected from the Anaconda results!

But when I boot the system I see:

[System checks of create after OS post installation boot]
/etc/logrotate.d/btmp: create 0600 root utmp
/etc/logrotate.d/chrony: nocreate
/etc/logrotate.d/dnf: create 0600
/etc/logrotate.d/wtmp: create 0600 root utmp
/etc/logrotate.d/zabbix-agent: create 0600 zabbix zabbix

I cannot understand this, since I checked all the logs and nothing indicates that something modified these files back again. In the Anaconda logs I also see:

/var/log/anaconda/journal.log:Aug 25 16:26:31 localhost.localdomain anaconda[1865]: packaging: Configuring (running scriptlet for): logrotate-3.14.0-6.el8.x86_64 1675757959 f620ccd92337326d612de23e7fe227c4034824335a985cb3683a46d861f0a514
/var/log/anaconda/journal.log:Aug 25 16:26:31 localhost.localdomain anaconda[1865]: packaging: Installed: logrotate-3.14.0-6.el8.x86_64 1675757959 f620ccd92337326d612de23e7fe227c4034824335a985cb3683a46d861f0a514
/var/log/anaconda/journal.log:Aug 25 16:30:19 localhost.localdomain anaconda[1865]: packaging: Verifying: logrotate-3.14.0-6.el8.x86_64 1675757959 f620ccd92337326d612de23e7fe227c4034824335a985cb3683a46d861f0a514
/var/log/anaconda/journal.log:Aug 25 16:30:20 localhost.localdomain anaconda[3107]: dnf: Installed: logrotate-3.14.0-6.el8.x86_64

Note that the time of this was earlier, with these default values, and then my script ran about 2 minutes later, so it was the last change.

I cannot see what could be causing this return to default values, which is why I am asking the community this question.
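As an added example that is not part of the original post and not the poster's script: one way to write the post-install step described above (set every logrotate create mode to 0640) together with a check that prints directives in the same "file: directive" format as the listings in the post. The function names, the sample file contents and the temporary directory standing in for /etc/logrotate.d are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the poster's script. Function names are hypothetical.

# Rewrite the octal mode on every "create <mode> [owner group]" line in DIR.
# Owner/group are preserved; "nocreate" and a bare "create" are left alone.
set_create_mode() {
    local dir="$1" mode="$2" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -E -i "s/^([[:space:]]*create[[:space:]]+)[0-7]{3,4}([[:space:]]|\$)/\1${mode}\2/" "$f"
    done
}

# Print each create/nocreate directive as "file: directive" (the format of the
# checks in the post) and return 1 if any create line has a mode other than WANT.
audit_create_mode() {
    local dir="$1" want="$2"
    awk -v want="$want" '
        $1 == "create" || $1 == "nocreate" {
            sub(/^[ \t]+/, "")
            print FILENAME ": " $0
            if ($1 == "create" && $2 ~ /^[0-7]+$/ && ($2 + 0) != (want + 0)) bad++
        }
        END { exit (bad > 0) }
    ' "$dir"/*
}

# Constructed sample directory standing in for /etc/logrotate.d.
make_sample() {
    local d
    d=$(mktemp -d)
    printf '/var/log/btmp {\n    monthly\n    create 0600 root utmp\n}\n' > "$d/btmp"
    printf '/var/log/chrony/*.log {\n    missingok\n    nocreate\n}\n' > "$d/chrony"
    printf '/var/log/hawkey.log {\n    weekly\n    create 0600\n}\n' > "$d/dnf"
    printf '/var/log/zabbix/agentd.log {\n    create 0600 zabbix zabbix\n}\n' > "$d/zabbix-agent"
    echo "$d"
}

d=$(make_sample)
audit_create_mode "$d" 0640 || echo "before: at least one create mode differs from 0640"
set_create_mode "$d" 0640
audit_create_mode "$d" 0640 && echo "after: every create mode is 0640"
rm -rf "$d"
```

Saving the audit output at the end of the post-install script and again after the first boot gives two listings in the same format that can be compared with diff.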

Responses