hw-health not working on CIS hardened system
Bug #1904045 reported by Michał Ajduk
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
hw-health-charm | Fix Released | High | Alvaro Uria |
Bug Description
hw-health charm does not work on CIS hardened system. Reason is the hardening changes umask and the /var/lib/
On non-hardened system:
root@sto1az3cz2
-rw-r--r-- 1 root root 1387 Nov 12 18:50 /var/lib/
On hardened system:
root@cmp2az1cz2
-rw-r----- 1 root root 1414 Nov 12 18:55 /var/lib/
The file is read by nagios user so it should be (due to security concerns) chowned to that user after creation and not world readable - CIS hardening prevents this.
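Added example, not part of the bug report or the charm's code: it reproduces the two file modes shown above under the default and the hardened umask, and shows one way to write a file for a specific reader with an explicit owner and mode instead of relying on the umask. The names write_for_reader and demo are assumptions, and the demo chowns to the current user rather than nagios so it runs unprivileged.

```python
import os
import stat
import tempfile


def write_for_reader(path, data, uid, gid, mode=0o640):
    """Write data to path with an explicit owner and mode, independent of umask."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temp file 0600, so nothing is exposed before the
    # final owner and mode are in place.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            # In the bug's scenario uid/gid would come from
            # pwd.getpwnam("nagios"); chowning to another user needs root.
            os.fchown(fh.fileno(), uid, gid)
            os.fchmod(fh.fileno(), mode)  # fchmod is not filtered by umask
        os.replace(tmp, path)  # atomic swap into place
    except BaseException:
        os.unlink(tmp)
        raise


def mode_of(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask):
    """Return (mode from plain open(), mode from write_for_reader) under umask."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            plain = os.path.join(d, "plain.conf")
            fixed = os.path.join(d, "fixed.conf")
            with open(plain, "w") as fh:  # mode is 0666 & ~umask
                fh.write("constructed sample content\n")
            write_for_reader(fixed, b"constructed sample content\n",
                             os.getuid(), os.getgid())
            return mode_of(plain), mode_of(fixed)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for label, mask in (("default 022", 0o022), ("hardened 027", 0o027)):
        plain, fixed = demo(mask)
        print(f"umask {label}: plain open() -> {plain:04o}, explicit -> {fixed:04o}")
```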
Related branches
~guoqiao/charm-nrpe:LP1906991-chown-nagios-dirs
- Xav Paice (community): Approve
- Andrea Ieri: Approve
Diff: 25 lines (+14/-0), 1 file modified: hooks/nrpe_utils.py (+14/-0)
~canonical-is-bootstack/charm-hw-health:bug/1904045
- BootStack Reviewers: Pending requested
Diff: 29 lines (+5/-2), 2 files modified: src/lib/hwhealth/hwdiscovery.py (+4/-1), src/lib/hwhealth/tools.py (+1/-1)
Changed in charm-hw-health:
importance: Undecided → High
assignee: nobody → Alvaro Uria (aluria)
Changed in charm-hw-health:
status: New → In Progress
Changed in charm-hw-health:
status: New → Fix Committed
Changed in charm-hw-health:
status: In Progress → Fix Released
class Ipmi(Tool) has a couple of methods that call _install_cron_job in a different way:
"""
    def configure_nrpe_check(self, nrpe_setup):
        # extra options for check_ipmi_sensors Perl script are configured in
        # the cronjob
        self._install_cronjob()
        super().configure_nrpe_check(nrpe_setup)

    def install(self):
        # Install the sudoer file
        self._install_sudoer()
        # Install Perl script called by the (Python) cronjob
        self._install_nrpe_helper_plugin()
        self._install_cronjob(cron_user="nagios")
        # Install the Python script called by check_nrpe
        super().install()
"""
The cronjob is set up to run as nagios user and it is later overwritten to run as nagios user.
Testing on the affected environment (CIS hardened) and a patch are on the way. The call to self._install_cronjob() needs to specify: cron_user="nagios"