puppet-rsyslog
Feature Request: Add ability to manage the permissions of rsyslog.conf and rsyslog.d
I am newer to Puppet and have been working with your rsyslog module for a little while. I may be missing something but I cannot figure out how to manage the permissions on the /etc/rsyslog.conf file or the /etc/rsyslog.d directory. I would think this should be part of the module that manages rsyslog. I have had to add a 'mode' line for each resource in config.pp (and that works) but I'd rather not customize the module. I also tried figuring out a way to enforce permissions outside of modifying your code (inheritance) but kept running into "duplicate declaration" errors or other 'subclass' errors. Any help/guidance would be greatly appreciated. Thanks
Can you explain your reason for the management of those permissions? As I've not checked it, I'm not aware of a way right now, but this was no request until now. I'm just trying to understand the reasons :)
On 19 Jan 2017 8:01 PM, dmullaly wrote:
I am newer to Puppet and have been working with your rsyslog module for a little while. I may be missing something but I cannot figure out how to manage the permissions on the /etc/rsyslog.conf file or the /etc/rsyslog.d directory. I would think this should be part of the module that manages rsyslog. I have had to add a 'mode' line for each resource in config.pp (and that works) but I'd rather not customize the module. I also tried figuring out a way to enforce permissions outside of modifying your code (inheritance) but kept running into "duplicate declaration" errors or other 'subclass' errors. Any help/guidance would be greatly appreciated. Thanks
Sure. We have security control requirements that require tighter permissions on certain config files/dirs from what the default package values are. With regards to rsyslog, we have to make sure that /etc/rsyslog.conf and /etc/rsyslog.d are set to the appropriate permissions. I'm a bit confused as to why these wouldn't be part of what is managed by the rsyslog module because the owner/group are configurable parameters. Here's the code I'm referencing in config.pp and what I added. Thanks for your time. Obviously it would be better to make what I added configurable parameters rather than hard coded.
```puppet
class rsyslog::config {
  # rsyslog.d directory: the 'mode' line is the addition to the module's resource
  file { $rsyslog::rsyslog_d:
    ensure  => directory,
    owner   => 'root',
    mode    => '0750',
    group   => $rsyslog::run_group,
    purge   => $rsyslog::purge_rsyslog_d,
    recurse => true,
    force   => true,
    require => Class['rsyslog::install'],
  }

  # rsyslog.conf: the 'mode' line is the addition to the module's resource
  file { $rsyslog::rsyslog_conf:
    ensure  => file,
    owner   => 'root',
    mode    => '0600',
    group   => $rsyslog::run_group,
    content => template("${module_name}/rsyslog.conf.erb"),
    require => Class['rsyslog::install'],
    notify  => Class['rsyslog::service'],
  }
}
```
I initially thought that these two params in params.pp did control /etc/rsyslog.conf and /etc/rsyslog.d but testing showed that $perm_file sets the permissions on a file that is created within /etc/rsyslog.d. I've yet to figure out what $perm_dir controls.
$perm_file = '0640'
$perm_dir = '0755'
Hope this helps, thanks
Dave
On Thu, Jan 19, 2017 at 6:41 PM, Steffen Zieger wrote:
Can you explain your reason for the management of those permissions? As I've not checked it, I'm not aware of a way right now, but this was no request until now. I'm just trying to understand the reasons :)
Hi @saz ,
I agree with @dmullaly .
Do you want one of us to make a PR for that?
mode may be whether perm_file or perm_dir.
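Added example, not part of the thread or of the module's code: one way to enforce these modes from outside the module, without a "duplicate declaration" error, is a resource collector override placed in a separate class. The class name `profile::rsyslog_hardening` and its two parameters are hypothetical; `$rsyslog::rsyslog_conf` and `$rsyslog::rsyslog_d` are the variables used in the config.pp excerpt above, and the defaults are the modes from that excerpt.

```puppet
# Hypothetical wrapper class (the name and parameters are assumptions).
# It does not declare a second file resource for the same path, so it cannot
# collide with the file resources declared in rsyslog::config.
class profile::rsyslog_hardening (
  # Four-digit octal mode strings; defaults taken from the thread.
  Pattern[/\A[0-7]{4}\z/] $conf_mode = '0600',
  Pattern[/\A[0-7]{4}\z/] $dir_mode  = '0750',
) {
  # Make sure the module's resources are in the catalog.
  include rsyslog

  # A collector with an attribute block amends the resource the module
  # already declared. Collectors are evaluated late in compilation, so
  # this works regardless of where the class is included.
  File <| title == $rsyslog::rsyslog_conf |> {
    mode => $conf_mode,
  }

  File <| title == $rsyslog::rsyslog_d |> {
    mode => $dir_mode,
  }
}
```

After a run, `puppet resource file /etc/rsyslog.conf` shows the mode actually present on the node, which can be compared with the value the control requires.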