[RFC] audit.spec: create audit group for log read access

Steve Grubb sgrubb at redhat.com
Wed Jan 20 18:16:05 UTC 2021


Hello,

On Wednesday, January 20, 2021 12:52:24 PM EST Enzo Matsumiya wrote:
> We (SUSE) would like to introduce an "audit" group for log read access.
> 
> This would be handled only by patching the .spec file to create the
> group and modify the permissions of the default log dir/file to:
> 
> drwxr-x--- 1 root audit     322 25. Okt 21:06 /var/log/audit/
> -rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
> 
> No source code modifications are required, as log_group_parser() should
> handle invalid entries.
> 
> If an enforcement or warning is required for when log_group is not
> using the default "audit" group, it should be easy to do as well.
> 
> For those wondering, Common Criteria seems to be fine with this
> modification.
> 
> Excerpt from SUSE's CC certification (RH's seems to match):
> 
> ---- begin ----
> 6.2.1.4 Restricted audit review (FAU_SAR.2)
> 
> FAU_SAR.2.1	The TSF shall prohibit all users read access to the audit
> records, except those users that have been granted explicit read-access.
> 
> Application Note: The protection of the audit records is based on the Unix
> permission bit settings defined by FDP_ACC.1(PSO) supported by
> FDP_ACF.1(PSO).
> ---- end ----
> 
> Please let me know of your concerns, if any.

This might go against the DISA STIG, but otherwise this is using the audit
system as intended.

> I have a working patch that I can submit right away in case this gets an
> ok.

I consider the audit.spec file to be an example to help others with packaging. 
But I'm not entirely sure if it's 100% in sync with Fedora since they make 
arbitrary policy changes like removing gcc and make from the build root which 
then causes specfile updates. If you want to submit a patch, feel free. I 
would apply it as an example to others.

Best Regards,
-Steve
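The proposal above is a packaging change (create an "audit" group, ship /var/log/audit as root:audit 0750 and audit.log as 0640, keep log_group in auditd.conf in step with it), so the thing a packager or auditor wants afterwards is a check that the installed system actually matches. The script below is an added example, not code from the audit project or from either author in this thread. It assumes GNU stat (Linux), that auditd.conf's log_group defaults to root when unset (as auditd.conf(5) documents), and takes the paths, the expected owner and group, and the config file as parameters; the sample auditd.conf and files used to exercise it are constructed. The check is deliberately a little more general than the thread's exact layout: it accepts the upstream root:root 0700/0600 default as well as the proposed root:audit 0750/0640, and rejects any mode that grants "other" access or gives the group write permission.

```shell
#!/bin/sh
# Added example (not from the audit project): verify the audit log directory
# and file have the ownership and mode the "audit group" packaging expects.
#
# Passes when both paths are owned by USER:GROUP, "other" has no bits set and
# the group has no write bit. That admits root:root 0700/0600 (upstream
# default) and root:audit 0750/0640 (the proposal), and rejects 0644, 0660 or
# a wrong group. Assumes GNU stat; all sample paths are constructed by the caller.

# check_audit_log_access DIR FILE USER GROUP -> 0 when everything matches,
# 1 on any mismatch (each mismatch is printed), and 1 if a path is missing.
check_audit_log_access() {
    want_user=$3
    want_group=$4
    rc=0
    for path in "$1" "$2"; do
        info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
        mode=${info%% *}
        rest=${info#* }
        user=${rest%% *}
        group=${rest#* }
        # Pad to four octal digits, then keep the last three (drop setuid/setgid/sticky).
        perm=$(printf '%04d' "$mode")
        perm=${perm#"${perm%???}"}
        grp=${perm#?}; grp=${grp%?}     # middle digit: group bits
        other=${perm#??}                # last digit: other bits
        [ "$user" = "$want_user" ]   || { echo "$path: owner $user, want $want_user"; rc=1; }
        [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; rc=1; }
        [ "$other" = 0 ]             || { echo "$path: mode $perm grants access to other"; rc=1; }
        case $grp in
            0|1|4|5) ;;                 # no write bit for the group
            *) echo "$path: mode $perm is group-writable"; rc=1 ;;
        esac
    done
    return $rc
}

# auditd_log_group CONF -> prints the effective log_group from an auditd.conf,
# "root" when the key is absent (the documented default).
auditd_log_group() {
    value=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${value:-root}"
}

# check_log_group_matches CONF FILE -> 0 when log_group in CONF equals the
# group that owns FILE; a mismatch means auditd will chgrp the log on its next
# rotation and silently undo the packaged ownership.
check_log_group_matches() {
    want=$(auditd_log_group "$1")
    have=$(stat -c '%G' "$2" 2>/dev/null) || { echo "missing: $2"; return 1; }
    [ "$want" = "$have" ] || { echo "$2: group $have but log_group = $want"; return 1; }
}

# Stand-alone usage on a real system (requires read access to the paths):
#   sh check-audit-perms.sh /var/log/audit /var/log/audit/audit.log root audit
[ $# -eq 0 ] || check_audit_log_access "$@"
```

Run it from %post of a test build or from a compliance playbook; pairing the ownership check with the auditd.conf check matters because auditd applies log_group itself when it creates or rotates the log, so a spec that ships root:audit files but leaves log_group = root in the shipped auditd.conf will drift back to root:root after the first rotation.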
