This patch introduces a new "audit" group.
The purpose of this group is to restrict read access to audit.log file.
No users are added to this group by default in this patch; it's up to
the user to do so.
One use case for this is to use AppArmor denial notifications (aa-notify),
which currently requires sudo. So, with this patch, instead of
modifying sudo configuration, the user who wants to run aa-notify to
read audit.log can just be added to the new audit group.
This patch uses the systemd-sysusers facilities to create system
groups.
Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de>
---
audit.spec | 27 +++++++++++++++++++++++++--
init.d/auditd.conf | 2 +-
system-group-audit.conf | 2 ++
3 files changed, 28 insertions(+), 3 deletions(-)
create mode 100644 system-group-audit.conf
diff --git a/audit.spec b/audit.spec
index 23153a60dc80..be6490b7ad09 100644
--- a/audit.spec
+++ b/audit.spec
@@ -7,22 +7,35 @@ License: GPLv2+
Group: System Environment/Daemons
URL:
http://people.redhat.com/sgrubb/audit/
Source0:
http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Source1: system-group-audit.conf
BuildRequires: gcc swig
BuildRequires: golang
BuildRequires: krb5-devel libcap-ng-devel
BuildRequires: kernel-headers >= 2.6.29
BuildRequires: systemd
+BuildRequires: sysuser-tools
Requires: %{name}-libs = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd initscripts
Requires(postun): systemd coreutils initscript
+Requires: group(audit)
%description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
+%package -n system-group-audit
+Summary: System group 'audit'
+License: LGPL-2.1-or-later
+Group: System/Fhs
+Provides: group(audit)
+%sysusers_requires
+
+%description -n system-group-audit
+This package contains the system group 'audit' for restrict read access to logs.
+
%package libs
Summary: Dynamic library for libaudit
License: LGPLv2+
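Review bot: `Requires: group(audit)` on the main package is an ordinary install-time dependency, but the `%files` entries further down that assign the audit group to `%{_var}/log/audit` and `audit.log` need that group to exist at the moment rpm lays the files down; if the group package sorts later in the same transaction, rpm falls back to root ownership with a warning, and the log directory is then not readable by the group at all. How rpm orders a plain Requires within one transaction is not something the hunk lets me verify, so this is a risk rather than a confirmed failure, but `Requires(pre): group(audit)` is the usual way to pin the order. Separately, the new subpackage description reads oddly; suggest `This package contains the system group 'audit', used to restrict read access to the audit logs.`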
@@ -98,13 +111,17 @@ behavior.
make CFLAGS="%{optflags}" %{?_smp_mflags}
+%sysusers_generate_pre %{SOURCE1} audit
+
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
-mkdir --mode=0700 -p $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir --mode=0750 -p $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+mkdir -p $RPM_BUILD_ROOT/%{_sysusersdir}
+install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysusersdir}/
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/%{_libdir}
@@ -143,6 +160,8 @@ if [ "$files" -eq 0 ] ; then
fi
%systemd_post auditd.service
+%pre -n system-group-audit -f audit.pre
+
%preun
%systemd_preun auditd.service
if [ $1 -eq 0 ]; then
@@ -228,7 +247,8 @@ fi
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%ghost %{_localstatedir}/run/auditd.state
-%attr(-,root,-) %dir %{_var}/log/audit
+%attr(750,root,audit) %dir %{_var}/log/audit
+%ghost %config(noreplace) %attr(640,root,audit) %dir %{_var}/log/audit/audit.log
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d
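Review bot: The added `%ghost` entry for `%{_var}/log/audit/audit.log` carries `%dir`, but audit.log is a regular file written by auditd, so rpm would record it as a directory in its database and the `%attr(640,root,audit)` is then applied to the wrong kind of object; `%config(noreplace)` on a log file that is never shipped also has no effect. Suggest `%ghost %attr(640,root,audit) %{_var}/log/audit/audit.log`. Worth a comment above the entry noting that rotated logs (audit.log.1 and so on) are not ghosted and rely on auditd's `log_group` handling for their group, since I cannot tell from the hunk whether the daemon's own chown covers them.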
@@ -238,6 +258,9 @@ fi
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
+%files -n system-group-audit
+%{_sysusersdir}/system-group-audit.conf
+
%files -n audispd-plugins
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
diff --git a/init.d/auditd.conf b/init.d/auditd.conf
index ff6a3352854f..0c68c00322f9 100644
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
@@ -5,7 +5,7 @@
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
-log_group = root
+log_group = audit
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
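Review bot: Switching the shipped default to `log_group = audit` makes auditd start-up depend on the group resolving on the host; if I recall auditd's config parser correctly, an unresolvable `log_group` is treated as a fatal configuration error, so any build of this tree installed without the new system-group-audit package (or the group being created by other means) would fail to start rather than fall back to root. The spec's `Requires: group(audit)` covers the packaged case but not this config file on its own. Because `auditd.conf` is `%config(noreplace)` in the spec, existing installs keep `log_group = root` on upgrade while fresh installs get `audit`, so the aa-notify use case from the description only works out of the box on new systems; a comment in the file such as `# Members of the 'audit' group can read audit.log (0640); upgraded systems keep their previous setting.` would spare operators the surprise.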
diff --git a/system-group-audit.conf b/system-group-audit.conf
new file mode 100644
index 000000000000..ea2ffb04b405
--- /dev/null
+++ b/system-group-audit.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g audit -
--
2.30.0