On Mon, 17 Aug 2015 10:37:00 +0200,
intrigeri <intrig...@debian.org> wrote:

> Hi,

Hey,

Sorry for not replying earlier.

> 
> intrig...@debian.org wrote (28 Aug 2014 21:37:36 GMT) :
> > currently, by default /var/log/audit is root:root / 0750, and
> > /var/log/audit/audit.log is root:root / 0600.
> 
> > The convention for many log files in Debian is to make them readable
> > by members of the adm group. Any reason not to do that for audit.log
> > as well?
> 
> > This would unbreak apparmor-notify when auditd is running in its
> > default configuration.
> 
> I looked into it a bit closer, and the problem has two aspects.
> 
> 1. There's a log_group directive in /etc/audit/auditd.conf, and I've
> verified that it's enough to make audit.log group-readable, with
> permissions 0640. On this side, the question then becomes: what would
> be the problem with setting `log_group = adm' by default?
> 
> 2. For the parent directory (/var/log/audit), it's currently shipped
> as part of the package, so here we could simply ship it with 0710
> permissions, owned by root:adm.
> 
> I guess that #2 is no big issue: giving members of the adm group "x"
> permission on that directory should not be a problem in itself, would
> it? Addressing this only would not solve 100% of the problem I've
> reported initially, but at least it would allow one to fix it by
> simply modifying a conffile, as opposed to having to use
> dpkg-statoverride, which arguably requires a bit more expertise.
> 
> Thoughts, anyone?

The problem might be IIRC that the auditd daemon itself checks the
mode/owner/group of the files on disk before starting. I do not
remember all the details though.

We need to check that by changing this we are not losing some kind of
US government certifications if we really care about this (auditd
daemon follows some government recommendations/certification).

Maybe you could ask on the linux-au...@redhat.com mailing list?

Cheers,

Laurent Bigonville
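
The two settings discussed in the quoted message (`log_group` in auditd.conf, and 0710 root:adm on /var/log/audit) can be checked with a short script. This is an added example, not part of the original thread or of the audit package; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: check whether group permission bits would let a member of
# the log group read audit.log. Paths are arguments so the check can be
# pointed at a constructed test tree as well as the real files.

# Print the log_group value from an auditd.conf-style file.
# auditd uses "root" when the directive is absent.
get_log_group() {
    val=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-root}"
}

# Extract the group permission digit (0-7) from a path's octal mode.
group_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $(( (0$mode >> 3) & 7 ))
}

# Return 0 if the group bits allow opening FILE ($2) inside DIR ($1):
# the directory needs group "x" (traverse), the file needs group "r".
group_can_read() {
    d=$(group_bits "$1") || return 2
    f=$(group_bits "$2") || return 2
    [ $(( d & 1 )) -ne 0 ] && [ $(( f & 4 )) -ne 0 ]
}

# Return 0 if the group bits allow listing DIR ($1): needs "r" and "x".
# A 0710 directory fails this: members can reach a known file name only.
group_can_list() {
    d=$(group_bits "$1") || return 2
    [ $(( d & 5 )) -eq 5 ]
}

report() {
    echo "log_group in $1: $(get_log_group "$1")"
    echo "$2: $(stat -c '%a %U:%G' "$2")"
    echo "$3: $(stat -c '%a %U:%G' "$3")"
    if group_can_read "$2" "$3"; then echo "group bits allow reading $3"
    else echo "group bits do NOT allow reading $3"; fi
    if group_can_list "$2"; then echo "group bits also allow listing $2"; fi
}

# Usage: sh check.sh /etc/audit/auditd.conf /var/log/audit /var/log/audit/audit.log
if [ "$#" -eq 3 ]; then report "$@"; fi
```

The script only inspects permission bits; whether the group on disk matches `log_group` is visible in the `%U:%G` output of `report`.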
