Audit log file perms - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Audit log file perms

The relationship between audit...

file watch question

John Bambenek

Thursday, 1 August 2013 Thu, 1 Aug '13

12:34 p.m.

What controls that? I have noticed /var/log/audit directory changes to a default setting quickly and file rotation resets it as well.

Reply

Show replies by date

Steve Grubb

Thursday, 1 August Thu, 1 Aug

12:54 p.m.

On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote:

What controls that?

The audit daemon.

I have noticed /var/log/audit directory changes to a default setting quickly and file rotation resets it as well.

It defaults to 0600 unless you have set something for log_group and in that case you get 0640. Rotation is done using the rename syscall, so no permissions should be changing. Logs are created as 0640 root, root. But get modified as the audit daemon gets more of its configuration parsed. -Steve

Reply

John C. A. Bambenek, GCIH, CISSP

Wednesday, 21 August Wed, 21 Aug

2:34 p.m.

Files have right permissions but the directory itself keeps reverting to root:root and 700. On Thursday, August 1, 2013, Steve Grubb wrote:

On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote: > What controls that? The audit daemon. > I have noticed /var/log/audit directory changes to a > default setting quickly and file rotation resets it as well. It defaults to 0600 unless you have set something for log_group and in that case you get 0640. Rotation is done using the rename syscall, so no permissions should be changing. Logs are created as 0640 root, root. But get modified as the audit daemon gets more of its configuration parsed. -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com <javascript:;> https://www.redhat.com/mailman/listinfo/linux-audit

Reply

Steve Grubb

3:09 p.m.

On Wednesday, August 21, 2013 02:34:36 PM John C. A. Bambenek, GCIH, CISSP wrote:

Files have right permissions but the directory itself keeps reverting to root:root and 700.

The audit daemon does not change permissions on the directory. Its assumed the admin takes care of that since you would set that up once and it should be good for a while. The audit daemon just changes the files because it creates them and rotates them. -Steve

On Thursday, August 1, 2013, Steve Grubb wrote: > On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote: > > What controls that? > > The audit daemon. > > > I have noticed /var/log/audit directory changes to a > > default setting quickly and file rotation resets it as well. > > It defaults to 0600 unless you have set something for log_group and in > that > case you get 0640. Rotation is done using the rename syscall, so no > permissions should be changing. Logs are created as 0640 root, root. But > get > modified as the audit daemon gets more of its configuration parsed. > > -Steve > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com <javascript:;> > https://www.redhat.com/mailman/listinfo/linux-audit

Reply

4140

days inactive

4160

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

John Bambenek
John C. A. Bambenek, GCIH, CISSP
Steve Grubb