From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Ameel Kamboh" <akamboh@nortel.com>
Subject: Setting audit logs as different group ID
Date: Fri, 3 Aug 2007 10:08:28 -0500
Message-ID: <95470FF653FF324C8171194A81299CE01551F1D1@zrc2hxm2.corp.nortel.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1359473812=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l73F8cLv008595
	for <linux-audit@redhat.com>; Fri, 3 Aug 2007 11:08:38 -0400
Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55])
	by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l73F8aDg003935
	for <linux-audit@redhat.com>; Fri, 3 Aug 2007 11:08:36 -0400
Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com
	[47.103.123.73])
	by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id
	l73F8Tu04839
	for <linux-audit@redhat.com>; Fri, 3 Aug 2007 15:08:29 GMT
Content-class: urn:content-classes:message
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

This is a multi-part message in MIME format.

--===============1359473812==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C7D5E0.25CC1100"

This is a multi-part message in MIME format.

------_=_NextPart_001_01C7D5E0.25CC1100
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Is there a way to have the audit log files be a member of a different
group (other then root)
Currently I am seeing this:
-rw-r----- 1 root root       837716 Aug  3 10:06 audit.log
-r--r----- 1 root root     52428840 Aug  3 08:24 audit.log.1
-r--r----- 1 root root      5242936 Jul 24 10:56 audit.log.2
-r--r----- 1 root ntsecadm  5242911 Jul 23 15:33 audit.log.3

I had originally set the group for /var/log/audit/audit.log to
root:ntsecadm during post install or RH5
After the audit logs rotate the new files take on root:root ownership, I
would like them to also be root:ntsecadm

Can this be set in audit.conf?
Ameel Kamboh
SIP Core Network and Security=20
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com




------_=_NextPart_001_01C7D5E0.25CC1100
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.5.7652.24">
<TITLE>Setting audit logs as different group ID</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->

<P><FONT SIZE=3D2 FACE=3D"Arial">Is there a way to have the audit log =
files be a member of a different group (other then root)</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">Currently I am seeing this:</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">-rw-r----- 1 root =
root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 837716 Aug&nbsp; 3 10:06 =
audit.log</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">-r--r----- 1 root =
root&nbsp;&nbsp;&nbsp;&nbsp; 52428840 Aug&nbsp; 3 08:24 =
audit.log.1</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">-r--r----- 1 root =
root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5242936 Jul 24 10:56 =
audit.log.2</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">-r--r----- 1 root ntsecadm&nbsp; =
5242911 Jul 23 15:33 audit.log.3</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial">I had originally set the group for =
/var/log/audit/audit.log to root:ntsecadm during post install or =
RH5</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial">After the audit logs rotate the new =
files take on root:root ownership, I would like them to also be =
root:ntsecadm</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial">Can this be set in audit.conf?</FONT>

<BR><B><I><SPAN LANG=3D"ko"><FONT COLOR=3D"#008080" =
FACE=3D"Batang">Ameel Kamboh</FONT></SPAN></I></B>

<BR><I><SPAN LANG=3D"en-us"><FONT COLOR=3D"#800000" SIZE=3D2 =
FACE=3D"Arial">SIP Core</FONT></SPAN></I><SPAN LANG=3D"en-us"><FONT =
COLOR=3D"#800000" SIZE=3D2 FACE=3D"Arial"> Network and Security =
</FONT></SPAN>

<BR><SPAN LANG=3D"fr"><FONT COLOR=3D"#FF0000" SIZE=3D2 =
FACE=3D"Arial">Phone</FONT><FONT SIZE=3D2 FACE=3D"Arial">: 972.685.4922 =
(esn 445-4922)</FONT></SPAN>

<BR><SPAN LANG=3D"fr"><FONT COLOR=3D"#FF0000" SIZE=3D2 =
FACE=3D"Arial">Mobile</FONT><FONT SIZE=3D2 FACE=3D"Arial">: =
978-590-2280</FONT></SPAN>

<BR><SPAN LANG=3D"fr"><FONT COLOR=3D"#FF0000" SIZE=3D2 =
FACE=3D"Arial">SIP</FONT><FONT SIZE=3D2 FACE=3D"Arial">: =
akamboh@techtrial.com</FONT></SPAN>

<BR><SPAN LANG=3D"fr"><FONT COLOR=3D"#FF0000" SIZE=3D2 =
FACE=3D"Arial">email</FONT><FONT SIZE=3D2 FACE=3D"Arial">: =
</FONT></SPAN><A HREF=3D"mailto:akamboh@nortel.com"><SPAN =
LANG=3D"fr"><U><FONT COLOR=3D"#0000FF" SIZE=3D2 =
FACE=3D"Arial">akamboh@nortel.com</FONT></U></SPAN></A><SPAN =
LANG=3D"fr"></SPAN><SPAN LANG=3D"en-us"></SPAN>
</P>
<BR>
<BR>

</BODY>
</HTML>
------_=_NextPart_001_01C7D5E0.25CC1100--


--===============1359473812==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1359473812==--

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Setting audit logs as different group ID
Date: Fri, 3 Aug 2007 18:06:21 -0400
Message-ID: <200708031806.21776.sgrubb@redhat.com>
References: <95470FF653FF324C8171194A81299CE01551F1D1@zrc2hxm2.corp.nortel.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <95470FF653FF324C8171194A81299CE01551F1D1@zrc2hxm2.corp.nortel.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 03 August 2007 11:08:28 Ameel Kamboh wrote:
> Is there a way to have the audit log files be a member of a different
> group (other then root)

Not today.

> Can this be set in audit.conf?

I can add this to the TODO list and get to it in a future release.

-Steve