/usr/local/bin/collect_rabbitmq_stats.sh doesn't print anything on a CIS hardened system
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack RabbitMQ Server Charm | New | Undecided | Unassigned | | |
Bug Description
I'm filing this just to document one more issue related to CIS and RabbitMQ Nagios monitoring integration.
On a CIS-hardened Ubuntu system that is hardened according to the lvl2 server profile ruleset, /usr/local/
The root cause is that on the hardened system, 'others' don't have any permissions for /etc/cron.d:
129893609 drwx------ 2 root root 4.0K Jul 26 11:36 cron.d
while normally they do:
230293588 drwxr-xr-x 2 root root 4.0K Jun 16 10:36 cron.d
These permissions are removed by this CIS rule:
#5.1.7 Ensure permissions on /etc/cron.d are configured (Automated)
rule-5.1.7()
{
print_
ensure_
}
ensure_
{
local file="$@"
chown root:root $file
chmod og-rwx $file
}
The workaround is of course to restore o+rx on /etc/cron.d, and I can't propose a better fix for that atm.
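The permission state described in this report can be checked with a short script. This is an added example, not part of the original report or the charm's code; it assumes GNU stat as shipped on Ubuntu, and the function names are hypothetical. It replays the quoted `chmod og-rwx` and the o+rx workaround on a constructed scratch directory, then reports on /etc/cron.d if it exists.

```shell
#!/bin/sh
# Added example (not from the bug report or the charm). Assumes GNU stat (Ubuntu).
# Mode bits only: POSIX ACLs, if any are set, are not considered.

# other_bits DIR: print the "others" octal digit of DIR's mode (5 means r-x).
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"   # last character of e.g. 700 or 755
}

# others_can_read_dir DIR: succeed only if others hold both r (4) and x (1),
# which is what listing the directory and opening files inside it requires.
others_can_read_dir() {
    bits=$(other_bits "$1") || return 2
    [ $((bits & 5)) -eq 5 ]
}

# describe DIR: print a one-line finding for DIR.
describe() {
    if others_can_read_dir "$1"; then
        echo "OK:      others have r-x on $1"
    else
        echo "BLOCKED: others lack r-x on $1 (mode $(stat -c '%a' "$1"))"
    fi
}

# demo: replay the rule and the workaround on a constructed scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d";    describe "$d"   # stock Ubuntu mode of /etc/cron.d
    chmod og-rwx "$d"; describe "$d"   # what the quoted ensure_ helper applies
    chmod o+rx "$d";   describe "$d"   # the workaround from the report
    rmdir "$d"
    # Report the real directory only when it exists on this host.
    if [ -d /etc/cron.d ]; then describe /etc/cron.d; fi
}

demo
```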