Describe the bug
After running the Lookup role in the playbook, some of the file permissions are non-compliant. I have access to 3 vCenters, which are all standalone in their own environments. On two of those three, I ran the full VCLU playbook, as these are STIGed devices. While filling in the checklist, both of those vCenters had the following files render when running the STIG check command:

/var/log/vmware/lookupsvc/tomcat/host-manager..log - 644 lookupsvc:lookupsvc
/var/log/vmware/lookupsvc/tomcat/manager..log - 644 lookupsvc:lookupsvc
/var/log/vmware/lookupsvc/vmware-lookupsvc-gc.log.0.current - 644 lookupsvc:lookupsvc
/var/log/vmware/lookupsvc/lookupsvc_stream.log.stdout - 600 lookupsvc:lookupsvc
/var/log/vmware/lookupsvc/lookupsvc_stream.log.stderr - 600 lookupsvc:lookupsvc

I re-ran the full playbook again on the two STIGed servers, and it had the same files generated in the output. I have not run only the VCLU-70-000007 tag on the two STIGed servers.

On the third server (which is an un-STIGed box), I ran only the VCLU-70-000007 tag. If I only run that tag specifically, it resolves the finding as expected with no output generated. My guess is that if you run the entire playbook, or as I am entering STIG check commands for the checklist, it is resetting those permissions again or creating new log files.

Reproduction steps
1. Run the full VCLU playbook
2. Run STIG check command for VCLU-70-000007

Expected behavior
After running VCLU playbook, no output should be generated.

Additional context
Is it possible to change the mask or the default permissions for those log files?