linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
* Audit log file perms
@ 2013-08-01 17:34 John Bambenek
  2013-08-01 17:54 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: John Bambenek @ 2013-08-01 17:34 UTC (permalink / raw)
  To: linux-audit

What controls that? I have noticed /var/log/audit directory changes to a default setting quickly and file rotation resets it as well. 

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Audit log file perms
  2013-08-01 17:34 Audit log file perms John Bambenek
@ 2013-08-01 17:54 ` Steve Grubb
  2013-08-21 19:34   ` John C. A. Bambenek, GCIH, CISSP
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2013-08-01 17:54 UTC (permalink / raw)
  To: linux-audit

On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote:
> What controls that?

The audit daemon.

> I have noticed /var/log/audit directory changes to a
> default setting quickly and file rotation resets it as well.

It defaults to 0600 unless you have set something for log_group and in that 
case you get 0640. Rotation is done using the rename syscall, so no 
permissions should be changing. Logs are created as 0640 root, root. But get 
modified as the audit daemon gets more of its configuration parsed.

-Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Audit log file perms
  2013-08-01 17:54 ` Steve Grubb
@ 2013-08-21 19:34   ` John C. A. Bambenek, GCIH, CISSP
  2013-08-21 20:09     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: John C. A. Bambenek, GCIH, CISSP @ 2013-08-21 19:34 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit@redhat.com


[-- Attachment #1.1: Type: text/plain, Size: 818 bytes --]

Files have right permissions but the directory itself keeps reverting to
root:root and 700.

On Thursday, August 1, 2013, Steve Grubb wrote:

> On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote:
> > What controls that?
>
> The audit daemon.
>
> > I have noticed /var/log/audit directory changes to a
> > default setting quickly and file rotation resets it as well.
>
> It defaults to 0600 unless you have set something for log_group and in that
> case you get 0640. Rotation is done using the rename syscall, so no
> permissions should be changing. Logs are created as 0640 root, root. But
> get
> modified as the audit daemon gets more of its configuration parsed.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com <javascript:;>
> https://www.redhat.com/mailman/listinfo/linux-audit
>

[-- Attachment #1.2: Type: text/html, Size: 1191 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Audit log file perms
  2013-08-21 19:34   ` John C. A. Bambenek, GCIH, CISSP
@ 2013-08-21 20:09     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2013-08-21 20:09 UTC (permalink / raw)
  To: John C. A. Bambenek, GCIH, CISSP; +Cc: linux-audit@redhat.com

On Wednesday, August 21, 2013 02:34:36 PM John C. A. Bambenek, GCIH, CISSP 
wrote:
> Files have right permissions but the directory itself keeps reverting to
> root:root and 700.

The audit daemon does not change permissions on the directory. Its assumed the 
admin takes care of that since you would set that up once and it should be 
good for a while. The audit daemon just changes the files because it creates 
them and rotates them.

-Steve

> On Thursday, August 1, 2013, Steve Grubb wrote:
> > On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote:
> > > What controls that?
> > 
> > The audit daemon.
> > 
> > > I have noticed /var/log/audit directory changes to a
> > > default setting quickly and file rotation resets it as well.
> > 
> > It defaults to 0600 unless you have set something for log_group and in
> > that
> > case you get 0640. Rotation is done using the rename syscall, so no
> > permissions should be changing. Logs are created as 0640 root, root. But
> > get
> > modified as the audit daemon gets more of its configuration parsed.
> > 
> > -Steve
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com <javascript:;>
> > https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-08-21 20:09 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-01 17:34 Audit log file perms John Bambenek
2013-08-01 17:54 ` Steve Grubb
2013-08-21 19:34   ` John C. A. Bambenek, GCIH, CISSP
2013-08-21 20:09     ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).