Apply more restrictive permissions to /var/log/confluent/

While confluent shouldn't put anything sensitive in the log, custom
content may. To mitigate the risk, it will now lock down the
log permissions.

confluent_osdeploy/el7/profiles/default/scripts/firstboot.sh

@@ -16,6 +16,7 @@ while ! ping -c 1 $confluent_mgr >& /dev/null; do
 done
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 

confluent_osdeploy/el7/profiles/default/scripts/post.sh

@@ -2,6 +2,7 @@
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')

confluent_osdeploy/el7/profiles/default/scripts/pre.sh

@@ -13,6 +13,7 @@ if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
 fi
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 tail -f /tmp/confluent-pre.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')

confluent_osdeploy/el8-diskless/profiles/default/scripts/firstboot.sh

@@ -13,6 +13,7 @@ export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 while ! ping -c 1 $confluent_mgr >& /dev/null; do

confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh

@@ -14,6 +14,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
+chmod 600 /var/log/confluent/confluent-onboot.log
 tail -f /var/log/confluent/confluent-onboot.log > /dev/console &
 logshowpid=$!
 

confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh

@@ -12,6 +12,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/console &
 logshowpid=$!
 curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/firstboot.service > /etc/systemd/system/firstboot.service

confluent_osdeploy/el8/profiles/default/scripts/firstboot.sh

@@ -24,6 +24,7 @@ export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 while ! ping -c 1 $confluent_pingtarget >& /dev/null; do

confluent_osdeploy/el8/profiles/default/scripts/post.sh

@@ -2,6 +2,7 @@
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')

confluent_osdeploy/el8/profiles/default/scripts/pre.sh

@@ -24,6 +24,7 @@ function confluentpython() {
 }
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 tail -f /tmp/confluent-pre.log > /dev/tty &
 logshowpid=$!
 confluentpython /etc/confluent/apiclient >& /dev/null

confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh

@@ -14,6 +14,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
+chmod 600 /var/log/confluent/confluent-onboot.log
 tail -f /var/log/confluent/confluent-onboot.log > /dev/console &
 logshowpid=$!
 

confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh

@@ -3,6 +3,7 @@
 # This script runs at the end of the final boot, updating status
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 v6cfg=$(grep ^ipv6_method: /etc/confluent/confluent.deploycfg)

confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh

@@ -11,6 +11,7 @@
 
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 confluent_mgr=$(grep ^deploy_server /etc/confluent/confluent.deploycfg|awk '{print $2}')
 confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^profile: //')
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')

confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh

@@ -5,6 +5,7 @@
 
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 rootpw=$(grep rootpassword: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassword: //')
 if [ "$rootpw" = "null" ]; then