On 07/21/2016 03:55 PM, Steve Grubb wrote:
> On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
>> Hi, I noticed that in 2.6.5 /var/log/audit permissions were dropped from
>> 750 to 600.
>
> The directory should be 0750 or 0700 depending on your config. 0600 would be a
> mistake.

Sorry, it was a typo - it should be 0700 (not 0600).

>> I am fine with that but while I see the motivation [1], I
>> just cannot find where is that happening in the code.
>
> https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886

Thanks, now it is clear. One thing - line 903 suggests that it is either 0700
or 0770, which I can confirm by testing:

  #
  # log_group = root
  # ls -ld /var/log/audit/
  drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/

  #
  # log_group = input
  # ls -ld /var/log/audit/
  drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/

>> Besides, specfile
>> still contains:
>>
>> %attr(750,root,root) %dir %{_var}/log/audit
>
> Maybe I should take the attr away or modify it to (-,root,-). The group can
> change. For example, I have wheel allowed to run audit reports on my system.
>
>> and hence 'rpm -V audit' obviously fails.
>
> Yeah. Hmm.

Yes, the change you mentioned would solve the 'rpm -V' problem. It sounds very
reasonable since both group ownership and permission are configurable via
auditd.conf.

> -Steve
>
>> [1]
>> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>>
>> --
>> Ondrej
>>
>> --
>> Linux-audit mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/linux-audit
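The thread's observation (auditd sets the log directory to 0700 when log_group is root and 0770 otherwise, and the packaged %attr no longer matches) lends itself to a small compliance check an administrator can run. The script below is an added example, not code from the audit project or from either poster: it reads log_group from an auditd.conf, computes the mode auditd is observed to set, and compares it with the directory's actual mode. It assumes GNU coreutils stat (the -c '%a' format) and uses constructed temporary directories and a constructed auditd.conf in place of /var/log/audit and /etc/audit/auditd.conf.

```shell
#!/bin/sh
# Added example: verify that an audit log directory's mode matches what
# auditd 2.6.5 is observed to set for the configured log_group.
# Assumption: GNU stat (stat -c '%a'); adjust for BSD/macOS (stat -f '%Lp').

# Print the log_group value from an auditd.conf, defaulting to root when unset.
log_group_from_conf() {
    g=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    echo "${g:-root}"
}

# Mode auditd is observed to apply: 0700 for group root, 0770 for any other group
# (the thread's two ls -ld samples).
expected_audit_dir_mode() {
    if [ "${1:-root}" = "root" ]; then
        echo 700
    else
        echo 770
    fi
}

# $1 = directory, $2 = log_group. Exit 0 on match, 1 on mismatch.
check_audit_dir() {
    dir=$1
    want=$(expected_audit_dir_mode "$2")
    have=$(stat -c '%a' "$dir")
    if [ "$have" = "$want" ]; then
        echo "ok: $dir is 0$have (log_group=$2)"
        return 0
    fi
    echo "MISMATCH: $dir is 0$have, expected 0$want (log_group=$2)"
    return 1
}

# Constructed demo data standing in for the real system paths.
demo=$(mktemp -d)
printf 'log_file = /var/log/audit/audit.log\nlog_group = input\n' > "$demo/auditd.conf"
mkdir "$demo/audit_root" "$demo/audit_input" "$demo/audit_stale"
chmod 700 "$demo/audit_root"    # what auditd sets for log_group = root
chmod 770 "$demo/audit_input"   # what auditd sets for log_group = input
chmod 750 "$demo/audit_stale"   # the old packaged %attr(750,root,root)

grp=$(log_group_from_conf "$demo/auditd.conf")
check_audit_dir "$demo/audit_root" root
check_audit_dir "$demo/audit_input" "$grp"
check_audit_dir "$demo/audit_stale" "$grp" || :   # reports the mismatch, keeps going
rm -rf "$demo"
```

On a live system the call would be `check_audit_dir /var/log/audit "$(log_group_from_conf /etc/audit/auditd.conf)"`; a mismatch after a package upgrade is exactly the 'rpm -V' disagreement discussed above, resolved either by auditd rewriting the mode at start or by the spec dropping the hard-coded attr.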
