From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Bug#759604: Any problem with making auditd log readable by the adm group? Date: Wed, 11 May 2016 08:36:44 -0400 Message-ID: <4396759.amBRPDjSgs@x2> References: <85futrf3ts.fsf@boum.org> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: intrigeri , 759604@bugs.debian.org List-Id: linux-audit@redhat.com On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote: > Le 09/05/16 =E0 21:07, intrigeri a =E9crit : > > Hi, > = > Hey, > = > > in Debian, the convention for many log files is to make them readable > > by members of the adm group. We're considering doing the same for the > > auditd logs, in order to make apparmor-notify work out-of-the-box. > = > Shouldn't apparmor-notify use the audispd to get the events instead of > parsing directly the logs? If this is a realtime event analysis tool, then yes. (The original question= I = thought was if adding the adm group to let admins search audit logs would h= urt = anything.) There are two ways that you can get the events. One way is to = enable the af_unix plugin and read off of the unix socket. The other way is= to = make a plugin for which there is skeleton code here: https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin > I'm not objecting changing the permissions in debian, but I'm wondering > if it shouldn't be better to do it like that, I think that the > setroubleshoot (a SELinux troubleshooting service used in RHEL/Fedora) > is doing it like that. That is correct. -Steve