From: Ondrej Moris
Subject: Re: /var/log/audit ownership/permissions
Date: Thu, 21 Jul 2016 16:12:48 +0200
Message-ID: <5790D860.8060508@redhat.com>
References: <1d3522ae-ff55-5a91-5e8d-b64fac67e84b@redhat.com> <12890758.RtUGNIL9cO@x2>
In-Reply-To: <12890758.RtUGNIL9cO@x2>
To: Steve Grubb, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 07/21/2016 03:55 PM, Steve Grubb wrote:
> On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
>> Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
>> 750 to 600.
>
> The directory should be 0750 or 0700 depending on your config. 0600 would be a
> mistake.

Sorry, it was a typo - it should be 0700 (not 0600).

>> I am fine with that but while I see the motivation [1], I
>> just cannot find where is that happening in the code.
>
> https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886

Thanks, now it is clear. One thing - line 903 suggests that it is either
0700 or 0770, which I can confirm by testing:

  # # log_group = root
  # ls -ld /var/log/audit/
  drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/

  # # log_group = input
  # ls -ld /var/log/audit/
  drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/

>> Besides, specfile
>> still contains:
>>
>> %attr(750,root,root) %dir %{_var}/log/audit
>
> Maybe I should take the attr away or modify it to (-,root,-). The group can
> change. For example, I have wheel allowed to run audit reports on my system.
>
>> and hence 'rpm -V audit' obviously fails.
>
> Yeah. Hmm.

Yes, the change you mentioned would solve the 'rpm -V' problem. It sounds
very reasonable since both group ownership and permission are configurable
via auditd.conf.
> -Steve
>
>> [1]
>> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>>
>> --
>> Ondrej
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
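The thread establishes that auditd itself sets the mode of /var/log/audit from the log_group setting in auditd.conf (0700 when the group is root, 0770 otherwise, per the ls output above), which is exactly why a fixed %attr in the spec file cannot match every configuration. The following POSIX shell script is an added example written for this page, not code from the thread or from the audit project: it derives the expected mode from a given auditd.conf the way the thread describes, reads the directory's actual mode and group with GNU stat (an assumption; BSD stat uses different flags), and reports any drift, which is the check an administrator or a hardening scan would run instead of relying on 'rpm -V'. The default config path /etc/audit/auditd.conf and the root fallback when log_group is unset are auditd's documented defaults.

```shell
#!/bin/sh
# Added example, not part of the original thread or the audit project.
# Derives the mode auditd applies to its log directory from log_group
# (0700 for root, 0770 for any other group, as observed in the thread)
# and compares it with what is actually on disk.

# Print the log_group value from an auditd.conf-style file; auditd's
# default is "root" when the key is absent. Comment lines are ignored
# because they do not start with the key; the last definition wins.
audit_log_group() {
    conf="$1"
    g=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${g:-root}"
}

# Expected octal mode of the audit log directory for a given log_group.
expected_audit_dir_mode() {
    case "$1" in
        root) printf '0700\n' ;;
        *)    printf '0770\n' ;;
    esac
}

# Compare a directory's actual mode and owning group with what the
# configuration implies. Prints one line per check and returns 0 when
# both match, 1 when either differs. Assumes GNU stat (-c).
check_audit_dir() {
    dir="$1"
    conf="${2:-/etc/audit/auditd.conf}"
    group=$(audit_log_group "$conf")
    want_mode=$(expected_audit_dir_mode "$group")
    # stat prints e.g. "770"; pad to four digits so it compares with "0770".
    have_mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    have_group=$(stat -c '%G' "$dir")
    status=0
    if [ "$have_mode" = "$want_mode" ]; then
        echo "mode  OK        $dir is $have_mode"
    else
        echo "mode  MISMATCH  $dir is $have_mode, log_group=$group implies $want_mode"
        status=1
    fi
    if [ "$have_group" = "$group" ]; then
        echo "group OK        $dir is owned by group $have_group"
    else
        echo "group MISMATCH  $dir is owned by group $have_group, auditd.conf says $group"
        status=1
    fi
    return $status
}

# Usage: sh check_audit_dir.sh /var/log/audit [/etc/audit/auditd.conf]
# Only runs when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    check_audit_dir "$1" "${2:-/etc/audit/auditd.conf}"
fi
```

Run it as root (or any user who can stat /var/log/audit) after changing log_group, or from a periodic job; a non-zero exit means the on-disk state no longer matches the configuration, for example after a manual chgrp or a package update that reapplied a static %attr.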