Re: Bug#759604: Any problem with making auditd log readable by the adm group?
On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote:
Le 09/05/16 à 21:07, intrigeri a écrit :
> Hi,
Hey,
> in Debian, the convention for many log files is to make them readable
> by members of the adm group. We're considering doing the same for the
> auditd logs, in order to make apparmor-notify work out-of-the-box.
Shouldn't apparmor-notify use the audispd to get the events instead of
parsing directly the logs?
If this is a realtime event analysis tool, then yes. (The original question I
thought was if adding the adm group to let admins search audit logs would hurt
anything.) There are two ways that you can get the events. One way is to
enable the af_unix plugin and read off of the unix socket. The other way is to
make a plugin for which there is skeleton code here:
https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
I'm not objecting changing the permissions in debian, but I'm
wondering
if it shouldn't be better to do it like that, I think that the
setroubleshoot (a SELinux troubleshooting service used in RHEL/Fedora)
is doing it like that.
That is correct.
-Steve