From mboxrd@z Thu Jan  1 00:00:00 1970
From: Lubomir Rintel <lkundrak@v3.sk>
Subject: Re: [PATCH audit] reconfigure: Apply log_group change
Date: Fri, 25 Jul 2014 16:04:03 +0200
Message-ID: <1406297043.9553.1.camel@hobbes>
References: <1406289544-24829-1-git-send-email-lkundrak@v3.sk>
	<2220736.RIJvHNllH8@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <2220736.RIJvHNllH8@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

On Fri, 2014-07-25 at 09:27 -0400, Steve Grubb wrote:
> Hello Lubomir,
> 
> Thanks for the patch...but I think that why this is not currently addressed in 
> the code is something like this. Let's assume the system has 5 audit logs with 
> 600 root.
> 
> If an admin decides to allow a group to read the audit logs, they will have 
> to:
> 
> 1) create the group
> 2) add users to the group
> 3) change the auditd.conf file
> 4) chgrp -R group /var/log/audit
> 5) chmod 0750 /var/log/audit
> 6) chmod 0640 /var/log/audit/*
> 7) restart the audit daemon
> 
> What this patch does is part of step 4 and 6. It would change audit.log to be 
> readable, but would leave audit.log.1 -> audit.log.4 untouched. Because 
> allowing a group requires so many steps, it's always been left as an admin 
> exercise...just like revoking group access would.

I believe that not touching already rotated files would be an expected
behavior; as well as requirement for the operator to take care of parent
directory permissions. (At least I'd expect that.) However, in our setup
the configuration is changes upon machine setup, with a very low change
there would be rotated log files around.

The last step ("restart the audit daemon") is precisely what I'm trying
to avoid, as it is no longer allowed in el7 (the service file
specifically disables ability to stop the service, likely to protect
loss of any audit events).

> -Steve

Regards
Lubo

> 
> 
> On Friday, July 25, 2014 01:59:04 PM Lubomir Rintel wrote:
> > Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118313
> > Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118262
> > ---
> >  src/auditd-event.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/src/auditd-event.c b/src/auditd-event.c
> > index 4fa266e..66dff34 100644
> > --- a/src/auditd-event.c
> > +++ b/src/auditd-event.c
> > @@ -1130,6 +1130,12 @@ static void reconfigure(struct auditd_consumer_data
> > *data) // log format
> >  	oconf->log_format = nconf->log_format;
> > 
> > +	// log group
> > +	if (oconf->log_group != nconf->log_group) {
> > +		oconf->log_group = nconf->log_group;
> > +		need_reopen = 1;
> > +	}
> > +
> >  	// action_mail_acct
> >  	if (strcmp(oconf->action_mail_acct, nconf->action_mail_acct)) {
> >  		free((void *)oconf->action_mail_acct);
>