Update ceilometer config files permissions
The /etc/ceilometer/*.conf and *.yaml files are world-readable.
This may lead to sensitive information leakage and cloud compromise.
Set ceilometer config files permissions to 0640.
Set ceilometer config files owner and group to root:ceilometer.
Change-Id: Ia008f1c0780be435fee03ca58cfcdb7320bc074d
diff --git a/ceilometer/agent.sls b/ceilometer/agent.sls
index 3822928..3e39b3e 100644
--- a/ceilometer/agent.sls
+++ b/ceilometer/agent.sls
@@ -10,6 +10,8 @@
- name: /etc/ceilometer/ceilometer.conf
- source: salt://ceilometer/files/{{ agent.version }}/ceilometer-agent.conf.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_agent_packages
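Review bot: The new `- mode: 0640` is written as an unquoted leading-zero integer, which a generic YAML 1.1 loader reads as an octal literal (416 decimal) rather than the string `0640`; Salt's renderer appears to special-case this for file modes, but quoting it as `- mode: "0640"` removes the dependence on that behaviour and keeps the value stable under any other YAML tooling (linters, tests) that reads these states. The same form is used in every other hunk of this diff (agent.sls @@ -42, -86, -96, -133 and all eight server.sls hunks), so the change would be applied file-wide. Separately, only the two logging-config hunks (agent.sls @@ -42 and server.sls @@ -40, where `- user: ceilometer` becomes `- user: root`) set an owner; the other states add `- group: ceilometer` without a `user`, so ownership there falls back to whatever account the minion runs as (normally root) instead of the root owner the commit message promises — adding `- user: root` next to each new `- group: ceilometer` makes the 0640 tightening deterministic. Whether the ceilometer service account is in the `ceilometer` group, which the group-read bit now relies on for the service to read its own config, is not visible in these hunks and is worth confirming.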
@@ -42,7 +44,8 @@
- name: /etc/ceilometer/logging/logging-{{ service_name }}.conf
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- - user: ceilometer
+ - mode: 0640
+ - user: root
- group: ceilometer
- require:
- pkg: ceilometer_agent_packages
@@ -86,6 +89,8 @@
- name: /etc/ceilometer/pipeline.yaml
- source: salt://ceilometer/files/{{ agent.version }}/pipeline.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_agent_packages
@@ -96,6 +101,8 @@
- name: /etc/ceilometer/event_pipeline.yaml
- source: salt://ceilometer/files/{{ agent.version }}/event_pipeline.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_agent_packages
- watch_in:
@@ -133,6 +140,8 @@
- name: /etc/ceilometer/polling.yaml
- source: salt://ceilometer/files/{{ agent.version }}/polling.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_agent_packages
- watch_in:
diff --git a/ceilometer/server.sls b/ceilometer/server.sls
index 071f642..93815da 100644
--- a/ceilometer/server.sls
+++ b/ceilometer/server.sls
@@ -9,6 +9,8 @@
file.managed:
- source: salt://ceilometer/files/{{ server.version }}/ceilometer-server.conf.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
@@ -40,7 +42,8 @@
- name: /etc/ceilometer/logging.conf
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- - user: ceilometer
+ - mode: 0640
+ - user: root
- group: ceilometer
- require:
- pkg: ceilometer_server_packages
@@ -72,6 +75,8 @@
- name: /etc/ceilometer/logging/logging-{{ service_name }}.conf
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
{%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -143,6 +148,8 @@
- name: /etc/ceilometer/gnocchi_resources.yaml
- source: salt://ceilometer/files/{{ server.version }}/gnocchi_resources.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
- pkg: ceilometer_gnocchiclient_pkg
@@ -166,6 +173,8 @@
file.managed:
- source: salt://ceilometer/files/{{ server.version }}/pipeline.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
@@ -175,6 +184,8 @@
file.managed:
- source: salt://ceilometer/files/{{ server.version }}/event_pipeline.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
- watch_in:
@@ -184,6 +195,8 @@
file.managed:
- source: salt://ceilometer/files/{{ server.version }}/event_definitions.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
- watch_in:
@@ -193,6 +206,8 @@
file.managed:
- source: salt://ceilometer/files/{{ server.version }}/gabbi_pipeline.yaml
- template: jinja
+ - mode: 0640
+ - group: ceilometer
- require:
- pkg: ceilometer_server_packages
- watch_in: