Reviewed:  https://review.openstack.org/320560
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=991650505c65c9d52de6c0a55a73e9fd7881addf
Submitter: Jenkins
Branch:    liberty

commit 991650505c65c9d52de6c0a55a73e9fd7881addf
Author: Major Hayden <major at mhtx.net>
Date:   Mon May 23 16:02:36 2016 -0500

    Fix auditd log permission bug

    The tasks for handling auditd log permissions incorrectly set all log
    files in /var/log/audit to 0400, which prevents auditd from writing to
    the active log file. This prevents auditd from starting and restarting.

    The task now removes any permissions explicitly disallowed by V-38498.
    Any files meeting/exceeding the STIG requirements will not be modified.

    This is a manual backport of I1bb2b91ae8a78b1f0304bd4ce0f9a774d65245bd
    from master.

    Closes-bug: 1584942
    Change-Id: I1bb2b91ae8a78b1f0304bd4ce0f9a774d65245bd

** Tags added: in-liberty

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1584942

Title:
  Security role sets incorrect permissions on auditd logs

Status in openstack-ansible:
  Fix Released

Bug description:
  The security role sets the permissions on all audit logs to 0400, but
  this is incorrect. The active log that is being written to should be
  set to 0600 and the rotated ones should be 0400. This causes auditd to
  fail on startup.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1584942/+subscriptions
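
The two behaviours the commit message contrasts (forcing every log to 0400 versus removing only the disallowed bits), as an added example that is not part of this notification and is not the role's own task. It assumes V-38498 caps audit logs at mode 0640, which the page does not state; the file names, starting modes and function names are constructed.

```shell
#!/bin/sh
# Added example. File names and starting modes are constructed; the 0640
# ceiling for V-38498 is an assumption, not stated in the notification.

mode_of() {  # print a file's octal mode (GNU stat first, BSD stat as fallback)
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

make_sample_logs() {  # $1 = empty directory to populate with name:mode pairs
    for spec in audit.log:0600 audit.log.1:0400 audit.log.2:0644 audit.log.3:0755; do
        f="$1/${spec%%:*}"
        : > "$f"
        chmod "${spec##*:}" "$f"
    done
}

# Behaviour the bug describes: every file forced to 0400, including the
# active log that auditd still has to write to.
blanket_0400() {
    find "$1" -type f -exec chmod 0400 {} +
}

# Behaviour the fix describes: clear only the bits above the ceiling and
# never add any, so files already at or below it keep their mode.
strip_disallowed() {
    find "$1" -type f -exec chmod u-x,g-wx,o-rwx {} +
}

report() {  # print "name mode" for each sample log
    for f in "$1"/audit.log*; do
        printf '%s %s\n' "${f##*/}" "$(mode_of "$f")"
    done
}

demo() {
    d=$(mktemp -d)
    make_sample_logs "$d"; blanket_0400 "$d"
    echo "blanket 0400:"; report "$d"
    rm -rf "$d"
    d=$(mktemp -d)
    make_sample_logs "$d"; strip_disallowed "$d"
    echo "strip disallowed bits:"; report "$d"
    rm -rf "$d"
}

demo
```

With the symbolic form, the active log stays at 0600 and the rotated 0400 file is untouched, while the two over-permissive files drop to 0640.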