* Re: /var/log/audit ownership/permissions
@ 2016-07-21 9:48 Ondrej Moris
2016-07-21 13:55 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Ondrej Moris @ 2016-07-21 9:48 UTC (permalink / raw)
To: linux-audit
Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
750 to 600. I am fine with that but while I see the motivation [1], I
just cannot find where is that happening in the code. Besides, specfile
still contains:
%attr(750,root,root) %dir %{_var}/log/audit
and hence 'rpm -V audit' obviously fails.
[1]
http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
--
Ondrej
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: /var/log/audit ownership/permissions
2016-07-21 9:48 /var/log/audit ownership/permissions Ondrej Moris
@ 2016-07-21 13:55 ` Steve Grubb
2016-07-21 14:12 ` Ondrej Moris
0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2016-07-21 13:55 UTC (permalink / raw)
To: linux-audit
On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
> Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
> 750 to 600.
The directory should be 0750 or 0700 depending on your config. 0600 would be a
mistake.
> I am fine with that but while I see the motivation [1], I
> just cannot find where is that happening in the code.
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
> Besides, specfile
> still contains:
>
> %attr(750,root,root) %dir %{_var}/log/audit
Maybe I should take the attr away or modify it to (-,root,-). The group can
change. For example, I have wheel allowed to run audit reports on my system.
> and hence 'rpm -V audit' obviously fails.
Yeah. Hmm.
-Steve
> [1]
> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>
> --
> Ondrej
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: /var/log/audit ownership/permissions
2016-07-21 13:55 ` Steve Grubb
@ 2016-07-21 14:12 ` Ondrej Moris
2016-07-21 14:31 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Ondrej Moris @ 2016-07-21 14:12 UTC (permalink / raw)
To: Steve Grubb, linux-audit
On 07/21/2016 03:55 PM, Steve Grubb wrote:
> On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
>> Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
>> 750 to 600.
>
> The directory should be 0750 or 0700 depending on your config. 0600 would be a
> mistake.
Sorry, it was a typo - it should be 0700 (not 0600).
>
>
>> I am fine with that but while I see the motivation [1], I
>> just cannot find where is that happening in the code.
>
> https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
Thanks, now it is clear. You one thing - line 903 suggests that it is
either 0700 or 0770 which I can confirm by testing:
# # log_group = root
# ls -ld /var/log/audit/
drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
# # log_group = input
# ls -ld /var/log/audit/
drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
>
>> Besides, specfile
>> still contains:
>>
>> %attr(750,root,root) %dir %{_var}/log/audit
>
> Maybe I should take the attr away or modify it to (-,root,-). The group can
> change. For example, I have wheel allowed to run audit reports on my system.
>
>> and hence 'rpm -V audit' obviously fails.
>
> Yeah. Hmm.
Yes, change you mentioned would solve 'rpm -V' problem. It sounds very
reasonable since both group ownership and permission are configurable
via auditd.conf.
>
> -Steve
>
>> [1]
>> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>>
>> --
>> Ondrej
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: /var/log/audit ownership/permissions
2016-07-21 14:12 ` Ondrej Moris
@ 2016-07-21 14:31 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2016-07-21 14:31 UTC (permalink / raw)
To: Ondrej Moris; +Cc: linux-audit
On Thursday, July 21, 2016 4:12:48 PM EDT Ondrej Moris wrote:
> On 07/21/2016 03:55 PM, Steve Grubb wrote:
> >> I am fine with that but while I see the motivation [1], I
> >> just cannot find where is that happening in the code.
> >
> > https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
>
> Thanks, now it is clear. You one thing - line 903 suggests that it is
> either 0700 or 0770 which I can confirm by testing:
>
> # # log_group = root
> # ls -ld /var/log/audit/
> drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
>
> # # log_group = input
> # ls -ld /var/log/audit/
> drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
Fixed in commit 1360.
> >> Besides, specfile
> >> still contains:
> >>
> >> %attr(750,root,root) %dir %{_var}/log/audit
> >
> > Maybe I should take the attr away or modify it to (-,root,-). The group
> > can
> > change. For example, I have wheel allowed to run audit reports on my
> > system.>
> >> and hence 'rpm -V audit' obviously fails.
> >
> > Yeah. Hmm.
>
> Yes, change you mentioned would solve 'rpm -V' problem. It sounds very
> reasonable since both group ownership and permission are configurable
> via auditd.conf.
Also fixed in the same commit.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-07-21 14:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-21 9:48 /var/log/audit ownership/permissions Ondrej Moris
2016-07-21 13:55 ` Steve Grubb
2016-07-21 14:12 ` Ondrej Moris
2016-07-21 14:31 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).