collect_ceph_osd_services.py can't access /var/lib/nagios/ceph-osd-checks on a cis-hardened system

Bug #1906994 reported by Nikolay Vinogradov
This bug affects 1 person
Affects          Status   Importance   Assigned to   Milestone
Ceph OSD Charm   New      Undecided    Unassigned

Bug Description

Trying to run the command below on a ceph-osd unit fails on a CIS-hardened Ubuntu 18.04 (see also the attached screenshot):

$ sudo -u nagios /usr/local/lib/nagios/plugins/check_ceph_osd_services.py
Something went wrong reading the file: [Errno 13] Permission denied: '/var/lib/nagios/ceph-osd-checks'

because CIS implies umask 027 by default, which clears o+r from /var/lib/nagios/ceph-osd-checks.

See also the requirement "5.4.4 Ensure default user umask is 027 or more restrictive (Scored)" from [1]

[1] http://gauss.ececs.uc.edu/Courses/c6056/lectures/ubuntu-18.04-LTS.pdf
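
The umask effect described in this report, reproduced as an added example (not the charm's code and not from the reporter): a file created with a plain open() under umask 027 ends up 0640, while a writer that sets the mode explicitly with fchmod() gets 0644 regardless of the umask. The function names, file names and sample text are hypothetical; the 0644 target is an assumption taken from the report's "o+r".

```python
import os
import stat
import tempfile


def naive_write(path, text):
    # open() requests 0o666; the process umask then strips bits from it.
    with open(path, "w") as fh:
        fh.write(text)


def write_status(path, text, mode=0o644):
    """Write text to path atomically with exactly `mode`, whatever the umask."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0o600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            # An explicit chmod/fchmod is not filtered by the umask.
            os.fchmod(fh.fileno(), mode)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def mode_of(path):
    # Permission bits only, without the file-type bits.
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (naive_mode, fixed_mode) for files created under umask 027."""
    old = os.umask(0o027)  # the CIS default named in the report
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive-checks")
            fixed = os.path.join(d, "fixed-checks")
            naive_write(naive, "constructed sample status\n")
            write_status(fixed, "constructed sample status\n")
            return mode_of(naive), mode_of(fixed)
    finally:
        os.umask(old)


if __name__ == "__main__":
    naive_mode, fixed_mode = demo()
    print(f"open() under umask 027: {naive_mode:04o}")
    print(f"fchmod to 0644:         {fixed_mode:04o}")
```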
