Veritas changed permissions for VxVM log files /var/log/vx (/var/adm/vx) to comply with CIS security policies

Article ID: 100053523

Description

Error Message


Operational Impact

Customers do not want to modify file permissions manually, especially as some log files are rotated in a cycle, with multiple versions of each file created.
 

# ls -al /var/log/vx/ddl.log
-rw-r--r--. 1 root root 59052 Jun  1 15:35 /var/log/vx/ddl.log
 

Manual intervention is required to change the file permissions:
 

# chmod 600 /var/log/vx/ddl.log

# ls -al /var/log/vx/ddl.log
-rw-------. 1 root root 59052 Jun  1 15:35 /var/log/vx/ddl.log
 

Cause


Product Development

Veritas is already reviewing the file permissions of all InfoScale logs so that they are set to 600. These changes will be made available through the InfoScale 8.0U1 patch release, for Linux platforms only.

 

Resolution

Veritas has created the private VxVM hotfix VRTSvxvm-8.0.0.1601-RHEL8.x86_64 for RHEL 8 environments.
Please contact Veritas Technical Support if you require this hotfix.

Below are the details addressed in the patch:

 

OPERATING SYSTEM SUPPORTED BY THIS PATCH:
----------------------------------------
RHEL8 x86-64

 

SYMPTOM:
Need to support EO 14028 logging requirements.

DESCRIPTION:
Changes are needed to set specific permissions for log files and have minimum fields logged in all the product log files.

RESOLUTION:
Made appropriate changes to support EO logging requirements.



Test Results

Even with the VRTSvxvm-8.0.0.1601-RHEL8.x86_64 private hotfix deployed, some log file permissions remain to be addressed; these will be fixed in the InfoScale 8.0U1 patch release, for Linux platforms only. The requirement will be to set the permissions of all files in /var/log/vx to 600.


# pwd
/var/log/vx

# ls -al
total 15364
drwxr-xr-x.  2 root root    4096 Jul 19 00:35 .
drwxr-xr-x. 11 root root    4096 Jul 18 03:40 ..
-rw-------.  1 root root      32 Jul 18 18:58 .cmdlog
-rw-------   1 root root  346132 Jul 19 00:43 cmdlog
-rw-------.  1 root root 1048656 Jul 16 05:29 cmdlog.1
-rw-------.  1 root root 1048580 Jul 17 17:40 cmdlog.2
-rw-------.  1 root root 1048626 Jul 18 18:58 cmdlog.3
-rw-------   1 root root   33010 Jul 18 06:31 ddl.log
-rw-------   1 root root   25185 Jul 18 06:31 ddl.log.0
-rw-------   1 root root   18609 Jul 18 01:28 ddl.log.1
-rw-------.  1 root root   18609 Jul 17 01:27 ddl.log.10
-rw-------.  1 root root   25254 Jul 17 00:43 ddl.log.11
-rw-------.  1 root root   18609 Jul 17 00:41 ddl.log.12
-rw-------.  1 root root   18609 Jul 15 01:07 ddl.log.13
-rw-------.  1 root root   18609 Jul 15 00:32 ddl.log.15
-rw-------.  1 root root   33085 Jul 15 00:19 ddl.log.16
-rw-------.  1 root root   18609 Jul 15 00:07 ddl.log.17
-rw-------.  1 root root   18609 Dec 15  2021 ddl.log.18
-rw-------.  1 root root   18609 Dec 15  2021 ddl.log.19
-rw-------   1 root root   18609 Jul 17 23:36 ddl.log.2
-rw-------.  1 root root   25185 Dec 14  2021 ddl.log.20
-rw-------.  1 root root   18609 Dec 14  2021 ddl.log.21
-rw-------.  1 root root   18609 Jul 17 23:06 ddl.log.3
-rw-------.  1 root root   18609 Jul 17 13:58 ddl.log.4
-rw-------.  1 root root   18609 Jul 17 13:18 ddl.log.5
-rw-------.  1 root root   18609 Jul 17 11:56 ddl.log.6
-rw-------.  1 root root   18609 Jul 17 11:49 ddl.log.7
-rw-------.  1 root root   18609 Jul 17 11:40 ddl.log.8
-rw-------.  1 root root   18609 Jul 17 11:32 ddl.log.9
-rw-------.  1 root root   32909 Jul 17 01:06 dmpevents.log
-rw-------.  1 root root   96266 Jul 15 01:08 logger.txt
-rw-------.  1 root root    1543 Jul 17 01:07 native.log
-rw-r--r--.  1 root root       0 Jul 16 22:09 reclaim_disklist
-rw-------.  1 root root    5481 Dec 14  2021 rp_rv.log
-rw-------.  1 root root     176 Jul 17 01:16 sfcache.log
-rw-------.  1 root root    1320 Jul 15 00:32 .tasklog
-rw-------.  1 root root     493 Jul 15 00:32 tasklog
-rw-------.  1 root root      32 Jul 18 20:13 .translog
-rw-------   1 root root  681361 Jul 19 00:43 translog
-rw-------.  1 root root 1051444 Jul 15 01:11 translog.1
-rw-------   1 root root 1048814 Jul 18 20:13 translog.10
-rw-------.  1 root root 1048746 Jul 15 12:16 translog.2
-rw-------.  1 root root 1048634 Jul 15 21:00 translog.3
-rw-------.  1 root root 1049278 Jul 16 05:41 translog.4
-rw-------.  1 root root 1048770 Jul 16 17:08 translog.5
-rw-------.  1 root root 1060550 Jul 17 00:39 translog.6
-rw-------.  1 root root 1048763 Jul 17 14:27 translog.7
-rw-------.  1 root root 1048744 Jul 18 05:58 translog.8
-rw-------   1 root root 1048630 Jul 18 13:17 translog.9
-rw-------.  1 root root  123981 Dec 14  2021 voldctlmsg.log
-rw-------.  1 root root   77450 Jul 18 07:03 vxattachd_debug.log
-rw-------.  1 root root     822 Jul 15 01:05 vxcloudd.log
lrwxrwxrwx.  1 root root      21 Dec 14  2021 vxconfigd.log -> /etc/vx/vxconfigd.log
-rw-------.  1 root root     724 Jul 15 00:07 vxdmpd.log
-rw-------.  1 root root    5786 Jul 18 01:28 vxencryptd.log
-rw-------.  1 root root       0 Dec 14  2021 vxkms.log
-rw-------.  1 root root     720 Jul 17 01:06 vxloggerd.log
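
A check for the state shown in the listing above, as an added example that is not part of the Veritas article or hotfix: it lists regular files under the log directory that grant more than owner read/write, and can tighten them to 600. The function names are hypothetical and GNU find (as shipped on RHEL 8) is assumed; symlinks such as vxconfigd.log are not followed or modified.

```shell
#!/bin/sh
# Added example: audit a VxVM log directory against the "mode 600" requirement.
# Default directory is /var/log/vx as named in the article; function names are
# hypothetical. Requires GNU find for -perm /MODE and -printf.

# Print one "MODE PATH" line per regular file that grants more than
# owner read/write (owner execute, or any group/other bit).
# -type f without -L means symlinks are neither matched nor followed.
audit_vx_logs() {
    find "${1:-/var/log/vx}" -xdev -type f -perm /177 -printf '%m %p\n' | sort -k2
}

# Return 0 if the directory is compliant, 1 otherwise.
# Offending files are reported on stderr so the result can drive a cron job.
check_vx_logs() {
    offenders=$(audit_vx_logs "$1")
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders" >&2
    return 1
}

# Set the offending files to 600. This only covers files that exist now;
# files created by a later log rotation are not covered, so re-run the
# check afterwards.
fix_vx_logs() {
    find "${1:-/var/log/vx}" -xdev -type f -perm /177 -exec chmod 600 {} +
}

# Usage (as root):
#   check_vx_logs /var/log/vx || fix_vx_logs /var/log/vx
```

Running check_vx_logs after each rotation cycle shows whether newly created log versions still appear with wider permissions.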

 

 

Issue/Introduction

To comply with various security policies as outlined in Executive Order 14028, Veritas Volume Manager (VxVM) needs to set the file permissions to 600 for log files created in the /var/log/vx (/var/adm/vx) directory.
The following /var/log/vx/ddl.log file breaks one of the security policies because its current permissions are set to 644.

-rw-r--r--. 1 root root 2689 May 31 10:27 ddl.log

To comply with security recommendations, no file under /var/log/vx may allow access to all/other users.