From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH audit] reconfigure: Apply log_group change
Date: Fri, 25 Jul 2014 09:27:30 -0400
Message-ID: <2220736.RIJvHNllH8@x2>
References: <1406289544-24829-1-git-send-email-lkundrak@v3.sk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1406289544-24829-1-git-send-email-lkundrak@v3.sk>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Lubomir Rintel
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello Lubomir,

Thanks for the patch...but I think the reason this is not currently addressed in the code is something like this. Let's assume the system has 5 audit logs with 600 root. If an admin decides to allow a group to read the audit logs, they will have to:

1) create the group
2) add users to the group
3) change the auditd.conf file
4) chgrp -R group /var/log/audit
5) chmod 0750 /var/log/audit
6) chmod 0640 /var/log/audit/*
7) restart the audit daemon

What this patch does is part of steps 4 and 6. It would change audit.log to be readable, but would leave audit.log.1 -> audit.log.4 untouched. Because allowing a group requires so many steps, it's always been left as an admin exercise...just like revoking group access would be.

-Steve

On Friday, July 25, 2014 01:59:04 PM Lubomir Rintel wrote:
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118313
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118262
> ---
> src/auditd-event.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/auditd-event.c b/src/auditd-event.c
> index 4fa266e..66dff34 100644
> --- a/src/auditd-event.c
> +++ b/src/auditd-event.c
> @@ -1130,6 +1130,12 @@ static void reconfigure(struct auditd_consumer_data > *data) // log format > oconf->log_format = nconf->log_format; > > + // log group > + if (oconf->log_group != nconf->log_group) { > + oconf->log_group = nconf->log_group; > + need_reopen = 1; > + } > + > // action_mail_acct > if (strcmp(oconf->action_mail_acct, nconf->action_mail_acct)) { > free((void *)oconf->action_mail_acct);
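Review bot: the new block in reconfigure() only records the group and sets need_reopen, so a log_group change can apply, at most, to the log file that gets reopened; the rotated files (audit.log.1 and up) and the log directory itself are not touched by this hunk, which leaves the set in a mixed state, and the same asymmetry holds on revocation, where the previous group keeps whatever access it had to the rotated logs. Either walk the log directory when the group changes (chgrp on audit.log* plus the directory, whose mode also has to permit traversal) or document in auditd.conf(5) that a log_group change at reconfigure time affects only the current log. The comparison itself, `if (oconf->log_group != nconf->log_group)`, is fine for a gid_t, and the placement between log_format and action_mail_acct matches the surrounding style.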