/var/log/audit ownership/permissions
Steve Grubb
sgrubb at redhat.com
Thu Jul 21 14:31:45 UTC 2016
On Thursday, July 21, 2016 4:12:48 PM EDT Ondrej Moris wrote:
> On 07/21/2016 03:55 PM, Steve Grubb wrote:
> >> I am fine with that but while I see the motivation [1], I
> >> just cannot find where is that happening in the code.
> >
> > https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
>
> Thanks, now it is clear. You one thing - line 903 suggests that it is
> either 0700 or 0770 which I can confirm by testing:
>
> # # log_group = root
> # ls -ld /var/log/audit/
> drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
>
> # # log_group = input
> # ls -ld /var/log/audit/
> drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
Fixed in commit 1360.
> >> Besides, specfile
> >> still contains:
> >>
> >> %attr(750,root,root) %dir %{_var}/log/audit
> >
> > Maybe I should take the attr away or modify it to (-,root,-). The group
> > can
> > change. For example, I have wheel allowed to run audit reports on my
> > system.>
> >> and hence 'rpm -V audit' obviously fails.
> >
> > Yeah. Hmm.
>
> Yes, change you mentioned would solve 'rpm -V' problem. It sounds very
> reasonable since both group ownership and permission are configurable
> via auditd.conf.
Also fixed in the same commit.
-Steve
More information about the Linux-audit
mailing list