On 07/21/2016 03:55 PM, Steve Grubb wrote:
On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
> Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
> 750 to 600.
The directory should be 0750 or 0700 depending on your config. 0600 would be a
mistake.
Sorry, it was a typo - it should be 0700 (not 0600).
> I am fine with that but while I see the motivation [1], I
> just cannot find where is that happening in the code.
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
Thanks, now it is clear. You one thing - line 903 suggests that it is
either 0700 or 0770 which I can confirm by testing:
# # log_group = root
# ls -ld /var/log/audit/
drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
# # log_group = input
# ls -ld /var/log/audit/
drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
> Besides, specfile
> still contains:
>
> %attr(750,root,root) %dir %{_var}/log/audit
Maybe I should take the attr away or modify it to (-,root,-). The group can
change. For example, I have wheel allowed to run audit reports on my system.
> and hence 'rpm -V audit' obviously fails.
Yeah. Hmm.
Yes, change you mentioned would solve 'rpm -V' problem. It sounds very
reasonable since both group ownership and permission are configurable
via auditd.conf.