Achieve consistent file and directory permissions for systemd journals

[alanmcanonical]

Description:

• Set the appropriate permissions to the files and directories.

Rationale:

• Configuring tmpfiles.d to manage permissions ensures that log files are maintained correctly after reboots.

[openshift-ci]

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ubuntu2204 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_groupowner_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_dir_groupowner_system_journal
+++ xccdf_org.ssgproject.content_rule_dir_groupowner_system_journal
@@ -1,8 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /run/log/journal/  -type d -exec chgrp systemd-journal {} \;
-find -H /var/log/journal/  -type d -exec chgrp systemd-journal {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
+
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+[^ $]\+\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2systemd-journal/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+[^ $]\+\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2systemd-journal/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_owner_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_dir_owner_system_journal
+++ xccdf_org.ssgproject.content_rule_dir_owner_system_journal
@@ -1,8 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /run/log/journal/  -type d -exec chown 0 {} \;
-find -H /var/log/journal/  -type d -exec chown 0 {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
+
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2root/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2root/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_permissions_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_dir_permissions_system_journal
+++ xccdf_org.ssgproject.content_rule_dir_permissions_system_journal
@@ -1,9 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /run/log/journal/  -perm /u+s,g+w,o+xwrt -type d -exec chmod u-s,g-w,o-xwrt {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
 
-find -H /var/log/journal/  -perm /u+s,g+w,o+xwrt -type d -exec chmod u-s,g-w,o-xwrt {} \;
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+\)\([^ $]*\)/Z\2~2750/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+\)\([^ $]*\)/Z\2~2750/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_system_journal
+++ xccdf_org.ssgproject.content_rule_file_groupowner_system_journal
@@ -1,9 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /run/log/journal/  -type f ! -group systemd-journal -regex '^.*$' -exec chgrp systemd-journal {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
 
-find /var/log/journal/  -type f ! -group systemd-journal -regex '^.*$' -exec chgrp systemd-journal {} \;
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+[^ $]\+\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2systemd-journal/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+[^ $]\+\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2systemd-journal/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_system_journal
+++ xccdf_org.ssgproject.content_rule_file_owner_system_journal
@@ -1,9 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /run/log/journal/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
 
-find /var/log/journal/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2root/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+[^ $]\+\s\+\)\([^ $]\+\)/Z\2root/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_system_journal' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_system_journal
+++ xccdf_org.ssgproject.content_rule_file_permissions_system_journal
@@ -1,9 +1,21 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /run/log/journal/  -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+TMPFILES_CONF="/etc/tmpfiles.d/systemd.conf"
 
-find -H /var/log/journal/  -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+if grep -qP "^.[+]*\s+\/var\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/var\/log\/journal\s\+\)\([^ $]*\)/Z\2~2750/" "$TMPFILES_CONF"
+else
+    echo "Z /var/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+if grep -qP "^.[+]*\s+\/run\/log\/journal\s+" "$TMPFILES_CONF"; then
+    sed -i --follow-symlinks "s/\(^.[+]*\)\(\s\+\/run\/log\/journal\s\+\)\([^ $]*\)/Z\2~2750/" "$TMPFILES_CONF"
+else
+    echo "Z /run/log/journal ~2750 root systemd-journal - -" >> "$TMPFILES_CONF"
+fi
+
+systemd-tmpfiles --create
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11974
This image was built from commit: 0b205de

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11974

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11974 make deploy-local

[codeclimate]

Code Climate has analyzed commit 0b205de and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

[dodys]

lgtm, thanks!