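# Hotfix policy for CVE-2021-44215 and CVE-2021-44216 (per the bundle name).
# It restricts owner, group and mode on CFEngine Enterprise hub log files
# (tickets ENT-7730 and ENT-7961).
#
# Layout note: this policy must keep one statement per line. A '#' comment runs
# to the end of the physical line, so when the file is collapsed onto one line
# the first comment hides the reports promise and the file_select body below.
#
# The bodies plain, recurse, recurse_with_base and mog are not defined in this
# file. NOTE(review): presumably they come from the masterfiles standard
# library; confirm it is loaded when this file is run standalone via __main__.

bundle agent __main__
# @brief Entry point that runs the remediation bundle when this file is the policy entry
{
  methods:
      "CVE_2021_44215_and_CVE_2021_44216_remediation";
}

bundle agent CVE_2021_44215_and_CVE_2021_44216_remediation
# @brief Enforce mode 0600 and service ownership on hub web and database logs
{
  meta:
    # Tagged for autorun only on Enterprise policy servers (hubs).
    enterprise_edition.policy_server::
      "tags" slist => { "autorun" };

  classes:
      # Releases this hotfix targets: 3.15.0 through 3.15.4, and 3.18.0.
      "supported_release_hotfix_relevant"
        expression => "cfengine_3_15_0|cfengine_3_15_1|cfengine_3_15_2|cfengine_3_15_3|cfengine_3_15_4|cfengine_3_18_0";

  files:
    enterprise_edition.policy_server.supported_release_hotfix_relevant::

      # Application logs: every plain file below the directory, at any depth,
      # becomes 0600 cfapache:cfapache.
      "$(sys.workdir)/httpd/logs/application/." -> { "ENT-7730" }
        comment => "Ensure permissions for $(sys.workdir)/httpd/logs/application/.*",
        handle => "hotfix_cfe_internal_setup_knowledge_files_httpd_application_log_files",
        file_select => plain,
        depth_search => recurse( "inf" ),
        perms => mog("0600", "cfapache", "cfapache");

      # Web server logs: plain files other than httpd.pid become 0600 root:root.
      # NOTE(review): the search depth is "0"; confirm that recurse_with_base
      # with this depth still reaches the files directly inside httpd/logs.
      "$(sys.workdir)/httpd/logs/." -> { "ENT-7730" }
        comment => "Ensure permissions for $(sys.workdir)/httpd/logs",
        handle => "hotfix_cfe_internal_setup_knowledge_files_httpd_log_files",
        file_select => plain_not_httpd_pid,
        depth_search => recurse_with_base( "0" ),
        perms => mog("0600", root, root);

      # PostgreSQL log: a single fixed path, 0600 cfpostgres:cfpostgres.
      "/var/log/postgresql.log" -> { "ENT-7961" }
        comment => "Ensure permissions for PostgreSQL log",
        handle => "hotfix_cfe_internal_setup_knowledge_files_postgresql_log_file",
        perms => mog("0600", "cfpostgres", "cfpostgres");

      # NOTE(review): these promises repair permissions when the agent runs.
      # Whether the services create new or rotated log files with the same
      # restrictive mode is not shown here; verify after log rotation.

  reports:
    # CFEngine 3.15.5 or greater, CFEngine 3.18.1 or greater probably don't
    # need this active any more, fixes are inside the product.
    !supported_release_hotfix_relevant::
      "NOTICE: This policy bundle '$(this.bundle)' in '$(this.promise_filename)' is likely no longer relevant (or you are running an unsupported release), consider deactivating this policy or upgrading to a supported version.";
}

body file_select plain_not_httpd_pid
# @brief Select plain, regular files except for httpd.pid
{
      file_types  => { "plain" };
      # leaf_name entries are regular expressions. The dot is escaped so that
      # only a file named exactly httpd.pid is left out of the permission
      # enforcement, not every name with some other character in that position.
      leaf_name   => { "httpd\.pid" };
      file_result => "file_types.!leaf_name";
}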