Bug: Auditd messes with directory permissions (chmod 750)

Elof of Unit #17 elofu17 at hotmail.com
Fri Mar 18 12:03:03 UTC 2022


Hi!

This is a minor bug report.

Summary:
If /etc/audit/auditd.conf contains, for example:

log_file = /var/log/auditd.log

Then /sbin/auditd will chmod the system dir /var/log to 0750.
This is bad and should not happen unless explicitly stated in the configuration.


Full story:
I inherited a Debian machine, installed by a former co-worker of mine.
He had installed and configured auditd (amongst other things).
I now installed exim4, but it failed to start due to lack of permissions:

Mar 17 11:14:37 foobar exim4[4251]: 2022-03-17 11:14:37 Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=114
Mar 17 11:14:37 foobar exim4[4251]: exim: could not open panic log - aborting: see message(s) above

I see that /var/log has mode 750:

ls -ld /var/log/
drwxr-x--- 17 root syslog 4096 Mar 17 10:45 /var/log/

Now the question was what (re)set this permission after every reboot?
After hours of investigation I finally narrowed it down to auditd being the culprit.
It turns out that the normal path for the logfile is /var/log/audit/audit.log
Setting mode 0750 on the subdir /var/log/audit is nice and usually wanted.
But if you specify log_file = /var/log/auditd.log or log_file = /opt/auditd.log you *don't* want the system dirs /var/log or /opt to be chmod:ed to 0750, bricking parts of the system.

Solution:
1.
Please syslog a message if and when auditd chmods a directory!
Ex:
  "auditd: chmod /var/log from 0755 to 0750"
That would have shortened my investigation by many hours, to see what part of the system magically reverted /var/log to 750 after every reboot.

2.
Add some intelligence to the chmod section, making it only chmod the logdir if it is located in its own subdir.
I guess that it is sufficient to just check if the full path to the file is '/var/log' and if so do nothing. That would probably be the most common mistake people would make. Other cases would be resolved quickly when you see the syslog message from 1) above.

3.
Possibly there should also be a configuration option for this. Maybe someone wants a different mode on the subdir (like for letting splunk read the file without messing with setfacl).

/Elof
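As an added illustration of proposals 1 and 2 above (not auditd's own code): derive the directory from log_file, refuse to tighten it when it is a shared system directory, and produce the syslog message the report asks for. The list of protected directories is an assumption; a dedicated subdir such as /var/log/audit is deliberately not on it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Directories assumed to be shared by the whole system (constructed list,
 * not taken from auditd). Tightening any of these breaks other services. */
static const char *const protected_dirs[] = {
    "/", "/etc", "/opt", "/tmp", "/usr", "/var", "/var/log", "/var/tmp", NULL
};

/* Copy the parent directory of an absolute log_file path into dir (size n).
 * Returns 1 on success, 0 if the path is relative, names no file, or is too long. */
int logdir_of(const char *log_file, char *dir, size_t n)
{
    const char *slash;
    size_t len;
    if (!log_file || log_file[0] != '/') return 0;
    slash = strrchr(log_file, '/');
    if (slash[1] == '\0') return 0;          /* "/var/log/" names no file */
    len = (slash == log_file) ? 1 : (size_t)(slash - log_file);
    if (len >= n) return 0;
    memcpy(dir, log_file, len);
    dir[len] = '\0';
    return 1;
}

/* 1 if dir is a directory auditd may tighten, 0 if it is a shared system dir. */
int may_chmod_logdir(const char *dir)
{
    for (size_t i = 0; protected_dirs[i]; i++)
        if (strcmp(dir, protected_dirs[i]) == 0) return 0;
    return 1;
}

/* Decide whether the log directory should be chmod'ed and write the message
 * to syslog either way. Returns 1 when the chmod should proceed. */
int plan_logdir_chmod(const char *log_file, mode_t current, mode_t wanted,
                      char *msg, size_t n)
{
    char dir[4096];
    if (!logdir_of(log_file, dir, sizeof dir)) {
        snprintf(msg, n, "auditd: invalid log_file path");
        return 0;
    }
    if (!may_chmod_logdir(dir)) {
        snprintf(msg, n, "auditd: not changing mode of shared directory %s", dir);
        return 0;
    }
    if ((current & 07777) == (wanted & 07777)) {
        snprintf(msg, n, "auditd: %s already mode %04o", dir, (unsigned)(wanted & 07777));
        return 0;
    }
    snprintf(msg, n, "auditd: chmod %s from %04o to %04o", dir,
             (unsigned)(current & 07777), (unsigned)(wanted & 07777));
    return 1;
}
```

With log_file = /var/log/auditd.log the function refuses and reports the shared directory; with the default /var/log/audit/audit.log it proceeds and yields "auditd: chmod /var/log/audit from 0755 to 0750".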