/usr/local/bin/collect_rabbitmq_stats.sh doesn't print anything on a CIS hardened system

Bug #1938297 reported by Nikolay Vinogradov
This bug affects 1 person
Affects: OpenStack RabbitMQ Server Charm
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm filing this just to document one more issue related to CIS and RabbitMQ Nagios monitoring integration.

On a CIS-hardened Ubuntu system that is hardened according to the lvl2 server profile ruleset, /usr/local/bin/collect_rabbitmq_stats.sh doesn't work as expected because the nrpe plugin can't access /etc/cron.d.

The root cause is that on the hardened system, 'others' don't have any permissions for /etc/cron.d:

129893609 drwx------ 2 root root 4.0K Jul 26 11:36 cron.d

while normally they do:

230293588 drwxr-xr-x 2 root root 4.0K Jun 16 10:36 cron.d

These permissions are removed by this CIS rule:
#5.1.7 Ensure permissions on /etc/cron.d are configured (Automated)
rule-5.1.7()
{
    print_rule_banner "Ensure permissions on /etc/cron.d are configured"
    ensure_cron_file_perm /etc/cron.d
}
ensure_cron_file_perm()
{
    local file="$@"
    chown root:root $file
    chmod og-rwx $file
}

The workaround is of course to restore o+rx on /etc/cron.d, and I can't propose a better fix for that atm.
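
Added example (not part of the bug report, the charm or the CIS tooling): a shell sketch that applies the same chmod og-rwx step to a scratch directory and reports whether 'others' can still list and traverse it, matching the 755 and 700 listings above. The function names are hypothetical and GNU stat (as on Ubuntu) is assumed; others_can_list can also be pointed at /etc/cron.d on a real host.

```shell
#!/bin/sh
# Added example: function names below are hypothetical, not from the CIS tool.

# Print the octal mode of a path (assumes GNU stat, as shipped on Ubuntu).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if "others" have both read and execute on the directory.
# Mode bits only: root bypasses them, and ACLs are not considered.
others_can_list() {
    m=$(mode_of "$1") || return 2
    o=${m#"${m%?}"}            # last octal digit = permissions for "others"
    [ $(( o & 5 )) -eq 5 ]     # 4 = read (list entries), 1 = execute (traverse)
}

# Same chmod as the rule's helper; chown root:root is skipped (needs root).
harden_like_rule() {
    chmod og-rwx "$1"
}

# Constructed scenario: a scratch directory starting at the stock 755 mode.
demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    before=$(mode_of "$d")
    others_can_list "$d" && b=yes || b=no
    harden_like_rule "$d"
    after=$(mode_of "$d")
    others_can_list "$d" && a=yes || a=no
    rmdir "$d"
    echo "before=$before others_list=$b after=$after others_list=$a"
}

demo
```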
