From 02da50af8bbf76462663bbc1ff001711d5c6325f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 8 Dec 2021 07:42:19 -0500
Subject: [PATCH] Tighter permissions on /var/log/confluent
---
 confluent_osdeploy/el7/profiles/default/scripts/post.sh | 1 +
 .../el8-diskless/profiles/default/scripts/onboot.sh | 1 +
 confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh | 1 +
 confluent_osdeploy/el8/profiles/default/scripts/post.sh | 1 +
 .../suse15-diskless/profiles/default/scripts/onboot.sh | 1 +
 confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh | 1 +
 6 files changed, 6 insertions(+)
diff --git a/confluent_osdeploy/el7/profiles/default/scripts/post.sh b/confluent_osdeploy/el7/profiles/default/scripts/post.sh
index 834a29b8..362a7945 100644
--- a/confluent_osdeploy/el7/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el7/profiles/default/scripts/post.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 mkdir -p /var/log/confluent
+chmod 700 /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
 chmod 600 /var/log/confluent/confluent-post.log
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
index cc7a4719..cf86a281 100644
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
@@ -12,6 +12,7 @@ confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|awk '{prin
 export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 mkdir -p /var/log/confluent
+chmod 700 /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
 chmod 600 /var/log/confluent/confluent-onboot.log
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
index 6965815c..3a52d128 100644
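Review bot: In the el7 post.sh hunk, `mkdir -p /var/log/confluent` still creates the directory with the umask-derived mode and the added `chmod 700` only narrows it afterwards, so the directory is briefly wider than intended, and a failed chmod goes unnoticed while the script carries on writing its log. Creating it restricted from the start closes that gap: `(umask 077; mkdir -p /var/log/confluent)`, keeping the `chmod 700` for a directory left over from an earlier run. The same pair of lines appears in the el8-diskless onboot.sh and post.sh, el8 post.sh and suse15-diskless onboot.sh hunks. Each script continues past the end of its hunk.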
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
@@ -10,6 +10,7 @@ confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|awk '{prin
 export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 mkdir -p /var/log/confluent
+chmod 700 /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
 chmod 600 /var/log/confluent/confluent-post.log
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/post.sh b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
index 834a29b8..362a7945 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 mkdir -p /var/log/confluent
+chmod 700 /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
 chmod 600 /var/log/confluent/confluent-post.log
diff --git a/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh b/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
index 96796744..d0d04fa4 100644
--- a/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
+++ b/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
@@ -12,6 +12,7 @@ confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|awk '{prin
 export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 mkdir -p /var/log/confluent
+chmod 700 /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
 chmod 600 /var/log/confluent/confluent-onboot.log
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
index 9ecd4288..be4e2d80 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh @@ -9,6 +9,7 @@ # If there are dependencies on the kernel (drivers or special filesystems) # then firstboot.sh would be the script to customize. +chmod 700 /var/log/confluent exec >> /var/log/confluent/confluent-post.log exec 2>> /var/log/confluent/confluent-post.log chmod 600 /var/log/confluent/confluent-post.log
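Review bot: No `mkdir -p /var/log/confluent` precedes the added `chmod 700` in the suse15 hpc post.sh hunk, unlike the five other scripts in this patch, where it is the line directly above. The earlier lines of the script are outside the hunk, so the directory may be created there or by the image; if it is not, the chmod fails and the two `exec` redirections after it cannot open the log. Adding `mkdir -p /var/log/confluent` directly above the chmod would make this script match the others.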