Bug#759604: Any problem with making auditd log readable by the adm group?

Steve Grubb sgrubb at redhat.com
Wed May 11 12:36:44 UTC 2016


On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote:
> On 09/05/16 at 21:07, intrigeri wrote:
> > Hi,
> 
> Hey,
> 
> > in Debian, the convention for many log files is to make them readable
> > by members of the adm group. We're considering doing the same for the
> > auditd logs, in order to make apparmor-notify work out-of-the-box.
> 
> Shouldn't apparmor-notify use the audispd to get the events instead of
> parsing directly the logs?

If this is a realtime event analysis tool, then yes. (The original question I
thought was if adding the adm group to let admins search audit logs would hurt
anything.) There are two ways that you can get the events. One way is to
enable the af_unix plugin and read off of the unix socket. The other way is to
make a plugin for which there is skeleton code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin


> I'm not objecting changing the permissions in debian, but I'm wondering
> if it shouldn't be better to do it like that, I think that the
> setroubleshoot (a SELinux troubleshooting service used in RHEL/Fedora)
> is doing it like that.

That is correct.

-Steve
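A consumer along the lines Steve describes, as an added example that is not from the thread or from the audit project: it reads events off the audispd af_unix socket instead of parsing /var/log/audit/audit.log and keeps only AppArmor denials, which is what a notifier needs. The socket path and the constructed sample records are assumptions, not values from the thread.

```python
import re
import socket

# Added example, not from the thread: consume audit events from the audispd
# af_unix plugin socket rather than parsing /var/log/audit/audit.log.
# Socket path is an assumption; see args= in /etc/audisp/plugins.d/af_unix.conf.
AF_UNIX_SOCKET = "/var/run/audispd_events"

# Constructed sample records in audit's "type=... msg=audit(ts:serial): k=v" form.
SAMPLE_EVENTS = [
    'type=AVC msg=audit(1462968993.001:123): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=SYSCALL msg=audit(1462968993.001:123): arch=c000003e syscall=2 success=no',
    'type=AVC msg=audit(1462968994.500:124): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/evince" name="/tmp/x.pdf" pid=2222 comm="evince"',
]

_HEADER = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, raw, quoted in _FIELD.findall(m["rest"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def apparmor_denials(lines):
    """Keep only AVC records carrying apparmor="DENIED" (what a notifier wants)."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "AVC" and rec.get("apparmor") == "DENIED":
            out.append(rec)
    return out

def stream_denials(path=AF_UNIX_SOCKET):
    """Generator: connect to the af_unix socket and yield denial dicts as they arrive."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
            *lines, buf = buf.split(b"\n")  # keep any partial trailing record
            yield from apparmor_denials(l.decode("utf-8", "replace") for l in lines)
```

Running `stream_denials()` needs read access to the socket, which the af_unix plugin's mode/owner arguments control; no adm-group access to the log file is involved.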
