Restrict logs directory access permissions

Currently, the permissions for OpenSearch logs seem to be weak, allowing anyone to read them. The current permissions on the logs/ directory is -rw-r-r- (644)

This also applies to security plugin enabled clusters, which generate audit logs. This weak permission structure can cause leakage of sensitive information in the logs.

The permissions should be restricted to only the application user and group, which is -rw-r— (640), also suggested here [LOG4J2-1699] Configurable Log File Permissions with PosixFilePermission - ASF JIRA

Created a github issue - Restrict logs access permissions · Issue #958 · opensearch-project/OpenSearch · GitHub

1 Like