Regarding log_file_parser
Steve Grubb
sgrubb at redhat.com
Fri Feb 26 17:12:20 UTC 2016
On Saturday, February 27, 2016 12:22:05 AM 张晨峰 wrote:
> when parsing the field "log_file", If the dir is examined nonexistent, why
> don't create it ? what are the reasons for the design?
Its assumed that the audit system is installed on a managed system. That means
that it depends on the admin or the OS distribution to provide its basic
needs. With that assumption, one would then only verify that the path exists
so that if open(2) later fails, you can correctly tell the admin why the audit
system cannot be started.
The audit system _could_ make the directory. But what if its a typo? (e.g.
/vr/log/audit) Should auditd make the whole directory hierarchy all the way to
the last directory? What permissions should the directory (or directories)
have? What should be the owner and group? If those don't exist, should the
audit system make the accounts? What if the directory chosen is not labeled
correctly for SE Linux? Should auditd have knowledge of SE Linux policy and
call semanage to fix that? What about other MAC systems?
I really just want to draw the line and say its the admin's responsibility to
correctly set it up and then only verify the essentials so that a meaningful
and actionable problem is reported. :-)
Hope this helps...
-Steve
More information about the Linux-audit
mailing list