From 13a02becba10f973b3062383c80d248e503454d6 Mon Sep 17 00:00:00 2001
From: Himanshu Setia <58999915+setiah@users.noreply.github.com>
Date: Thu, 15 Jul 2021 10:06:45 -0700
Subject: [PATCH] Restricting logs permissions (#966)

Currently, the permissions for opensearch logs are -rw-r-r-, which gives read access to anyone. This weak permission structure can lead to leakage of any sensitive information (if published) in the logs. This commit restricts read access with -rw-r--- permission.

Signed-off-by: Himanshu Setia
---
 distribution/src/config/log4j2.properties | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/distribution/src/config/log4j2.properties b/distribution/src/config/log4j2.properties
index ba5537ca081..4820396c79e 100644
--- a/distribution/src/config/log4j2.properties
+++ b/distribution/src/config/log4j2.properties
@@ -20,6 +20,7 @@ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%ma
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 appender.rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_server.json
+appender.rolling.filePermissions = rw-r-----
 appender.rolling.layout.type = OpenSearchJsonLayout
 appender.rolling.layout.type_name = server
 
@@ -43,6 +44,7 @@ appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
 appender.rolling_old.type = RollingFile
 appender.rolling_old.name = rolling_old
 appender.rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}.log
+appender.rolling_old.filePermissions = rw-r-----
 appender.rolling_old.layout.type = PatternLayout
 appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
 
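Review bot: The new `appender.rolling.filePermissions = rw-r-----` line only governs files that Log4j itself creates, and only where the filesystem exposes a POSIX attribute view, so a `<cluster>_server.json` left over from an earlier install keeps its old 0644 mode and Windows or non-POSIX mounts see no change at all; the hunk carries nothing that tells an operator this. Because the setting is being relied on as a security control, I would state the limitation in the file, e.g. `# Restrict log files to owner rw / group r (rw-r-----). Applied by Log4j when it creates the file on a POSIX filesystem; pre-existing files and non-POSIX filesystems are not affected.` placed above the first `filePermissions` line, with the same wording implied for the other seven appenders in this patch. Package post-install scripts and container images that pre-create the logs directory should keep setting the directory and file mode explicitly rather than inherit it from this property.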
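Review bot: `appender.rolling_old.filePermissions` is set on the active `.log` file, but the hunk header shows this appender has a rolling strategy with a size-based delete action (`nested_condition.exceeds = 2GB`), whose `filePattern` and compression lines are outside the hunk; whether the rotated and compressed archives produced there come out with the same `rw-r-----` mode is not established by this attribute alone, as it is documented for the file the appender creates. That is worth checking once with a forced rollover and `ls -l` on the logs directory, since a world-readable `.gz` archive would undo the restriction for everything older than the current file. If the archives are found to be 0644, the fix belongs either in the rollover configuration or in the service's umask, and a short comment next to `filePermissions` should record which one is relied on.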
@@ -72,6 +74,7 @@ rootLogger.appenderRef.rolling_old.ref = rolling_old
 appender.deprecation_rolling.type = RollingFile
 appender.deprecation_rolling.name = deprecation_rolling
 appender.deprecation_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.json
+appender.deprecation_rolling.filePermissions = rw-r-----
 appender.deprecation_rolling.layout.type = OpenSearchJsonLayout
 appender.deprecation_rolling.layout.type_name = deprecation
 appender.deprecation_rolling.layout.opensearchmessagefields=x-opaque-id
@@ -91,6 +94,7 @@ appender.header_warning.name = header_warning
 appender.deprecation_rolling_old.type = RollingFile
 appender.deprecation_rolling_old.name = deprecation_rolling_old
 appender.deprecation_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_deprecation.log
+appender.deprecation_rolling_old.filePermissions = rw-r-----
 appender.deprecation_rolling_old.layout.type = PatternLayout
 appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
 
@@ -114,6 +118,7 @@ appender.index_search_slowlog_rolling.type = RollingFile
 appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
 appender.index_search_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs\
 .cluster_name}_index_search_slowlog.json
+appender.index_search_slowlog_rolling.filePermissions = rw-r-----
 appender.index_search_slowlog_rolling.layout.type = OpenSearchJsonLayout
 appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog
 appender.index_search_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id
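Review bot: The search slow log gets the same `rw-r-----` as the server log even though its `opensearchmessagefields` line in this hunk shows it records `source` and `id`, i.e. full query bodies, which is exactly the kind of content the commit message worries about; the indexing slow log further down records document `source` as well. It is worth a deliberate decision whether these two appenders should be owner-only, `appender.index_search_slowlog_rolling.filePermissions = rw-------`, while the server log stays group-readable for log shippers, or whether group read is intentionally kept so collectors in the opensearch group can ship them. Either way, a one-line comment above the slow-log `filePermissions` entries stating that these files contain request and document bodies would keep a later maintainer from loosening them casually.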
@@ -131,6 +136,7 @@ appender.index_search_slowlog_rolling_old.type = RollingFile
 appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old
 appender.index_search_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
 _index_search_slowlog.log
+appender.index_search_slowlog_rolling_old.filePermissions = rw-r-----
 appender.index_search_slowlog_rolling_old.layout.type = PatternLayout
 appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
 
@@ -153,6 +159,7 @@ appender.index_indexing_slowlog_rolling.type = RollingFile
 appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
 appender.index_indexing_slowlog_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
 _index_indexing_slowlog.json
+appender.index_indexing_slowlog_rolling.filePermissions = rw-r-----
 appender.index_indexing_slowlog_rolling.layout.type = OpenSearchJsonLayout
 appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog
 appender.index_indexing_slowlog_rolling.layout.opensearchmessagefields=message,took,took_millis,doc_type,id,routing,source
@@ -170,6 +177,7 @@ appender.index_indexing_slowlog_rolling_old.type = RollingFile
 appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old
 appender.index_indexing_slowlog_rolling_old.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}\
 _index_indexing_slowlog.log
+appender.index_indexing_slowlog_rolling_old.filePermissions = rw-r-----
 appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout
 appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
 