* Audit log file perms @ 2013-08-01 17:34 John Bambenek 2013-08-01 17:54 ` Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: John Bambenek @ 2013-08-01 17:34 UTC (permalink / raw) To: linux-audit What controls that? I have noticed /var/log/audit directory changes to a default setting quickly and file rotation resets it as well. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Audit log file perms 2013-08-01 17:34 Audit log file perms John Bambenek @ 2013-08-01 17:54 ` Steve Grubb 2013-08-21 19:34 ` John C. A. Bambenek, GCIH, CISSP 0 siblings, 1 reply; 4+ messages in thread From: Steve Grubb @ 2013-08-01 17:54 UTC (permalink / raw) To: linux-audit On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote: > What controls that? The audit daemon. > I have noticed /var/log/audit directory changes to a > default setting quickly and file rotation resets it as well. It defaults to 0600 unless you have set something for log_group and in that case you get 0640. Rotation is done using the rename syscall, so no permissions should be changing. Logs are created as 0640 root, root. But get modified as the audit daemon gets more of its configuration parsed. -Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Audit log file perms 2013-08-01 17:54 ` Steve Grubb @ 2013-08-21 19:34 ` John C. A. Bambenek, GCIH, CISSP 2013-08-21 20:09 ` Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: John C. A. Bambenek, GCIH, CISSP @ 2013-08-21 19:34 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit@redhat.com [-- Attachment #1.1: Type: text/plain, Size: 818 bytes --] Files have right permissions but the directory itself keeps reverting to root:root and 700. On Thursday, August 1, 2013, Steve Grubb wrote: > On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote: > > What controls that? > > The audit daemon. > > > I have noticed /var/log/audit directory changes to a > > default setting quickly and file rotation resets it as well. > > It defaults to 0600 unless you have set something for log_group and in that > case you get 0640. Rotation is done using the rename syscall, so no > permissions should be changing. Logs are created as 0640 root, root. But > get > modified as the audit daemon gets more of its configuration parsed. > > -Steve > > -- > Linux-audit mailing list > Linux-audit@redhat.com <javascript:;> > https://www.redhat.com/mailman/listinfo/linux-audit > [-- Attachment #1.2: Type: text/html, Size: 1191 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Audit log file perms 2013-08-21 19:34 ` John C. A. Bambenek, GCIH, CISSP @ 2013-08-21 20:09 ` Steve Grubb 0 siblings, 0 replies; 4+ messages in thread From: Steve Grubb @ 2013-08-21 20:09 UTC (permalink / raw) To: John C. A. Bambenek, GCIH, CISSP; +Cc: linux-audit@redhat.com On Wednesday, August 21, 2013 02:34:36 PM John C. A. Bambenek, GCIH, CISSP wrote: > Files have right permissions but the directory itself keeps reverting to > root:root and 700. The audit daemon does not change permissions on the directory. Its assumed the admin takes care of that since you would set that up once and it should be good for a while. The audit daemon just changes the files because it creates them and rotates them. -Steve > On Thursday, August 1, 2013, Steve Grubb wrote: > > On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote: > > > What controls that? > > > > The audit daemon. > > > > > I have noticed /var/log/audit directory changes to a > > > default setting quickly and file rotation resets it as well. > > > > It defaults to 0600 unless you have set something for log_group and in > > that > > case you get 0640. Rotation is done using the rename syscall, so no > > permissions should be changing. Logs are created as 0640 root, root. But > > get > > modified as the audit daemon gets more of its configuration parsed. > > > > -Steve > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com <javascript:;> > > https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-08-21 20:09 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-08-01 17:34 Audit log file perms John Bambenek 2013-08-01 17:54 ` Steve Grubb 2013-08-21 19:34 ` John C. A. Bambenek, GCIH, CISSP 2013-08-21 20:09 ` Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox