rabbitmq charm causes non DISA-STIG compliance

Bug #1997109 reported by Jeff Hillman
This bug affects 1 person

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack RabbitMQ Server Charm | New | Undecided | Unassigned | |

Bug Description

ubuntu 20.04.5
juju 2.9.37
charm latest/stable rev CH:123
rabbitmq-server 3.8.2
ussuri

When running `sudo usg fix disa_stig` against an Ubuntu 20.04.5 machine, it becomes DISA-STIG compliant.

Running `juju add-machine <user>@<ip>` and then `juju deploy rabbitmq-server --to 0` causes DISA-STIG to no longer be compliant.

Specifically, running a diff against the compliant results `sudo usg audit disa_stig` and then against the newly deployed rabbitmq-server charm causes the following diff:

```
- <rule-result idref="file_groupownership_system_commands_dirs" time="2022-11-16T15:38:17" severity="medium" weight="1.
000000">
- <result>pass</result>
+ <rule-result idref="file_groupownership_system_commands_dirs" time="2022-11-18T17:37:34" severity="medium" weight="1.
000000">
+ <result>fail</result>
       <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref name="oval:ssg-file_groupownership_system_commands_dirs:def:1" href="ssg-ubuntu2004-oval.xml"/>
       </check>
     </rule-result>

```

The rabbitmq-server charm is breaking the file_groupownership_system_commands_dirs DISA-STIG compliance.

It looks like the charm is installing the lockfile-progs package, which is causing /usr/mail-* files to have a group ownership of mail instead of root.
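
The before/after comparison described in this report, as an added example that is not part of the original report or the charm's code: it compares two audit result documents by rule id, so timestamp-only changes are ignored and only rules whose result changed are listed. The sample XML and the rule id `constructed_unchanged_rule` are constructed, and the results layout is assumed to match the `rule-result` fragment shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample results, modelled on the rule-result fragment in the report.
# "constructed_unchanged_rule" is a made-up rule id used only for illustration.
BEFORE = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
  <rule-result idref="file_groupownership_system_commands_dirs" time="2022-11-16T15:38:17" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="constructed_unchanged_rule" time="2022-11-16T15:38:17" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
</TestResult>"""
# Same document with new timestamps and the first rule flipped to "fail".
AFTER = BEFORE.replace("2022-11-16T15:38:17", "2022-11-18T17:37:34").replace(
    "<result>pass</result>", "<result>fail</result>", 1)


def _local(tag):
    """Strip any XML namespace so the code works with or without one."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Map each rule idref to its result text (pass, fail, ...)."""
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        for child in elem:
            if _local(child.tag) == "result":
                results[elem.get("idref")] = (child.text or "").strip()
    return results


def changed_rules(before_xml, after_xml):
    """Return (rule, old, new) for every rule whose result differs."""
    before, after = rule_results(before_xml), rule_results(after_xml)
    return sorted(
        (rule, before.get(rule, "absent"), after.get(rule, "absent"))
        for rule in before.keys() | after.keys()
        if before.get(rule) != after.get(rule))


def regressions(before_xml, after_xml):
    """Rules that passed before the deployment and no longer pass."""
    return [r for r, old, new in changed_rules(before_xml, after_xml)
            if old == "pass" and new != "pass"]


if __name__ == "__main__":
    for rule, old, new in changed_rules(BEFORE, AFTER):
        print(f"{rule}: {old} -> {new}")
```
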
