Hello,

On Wednesday, January 20, 2021 12:52:24 PM EST Enzo Matsumiya wrote:
> We (SUSE) would like to introduce an "audit" group for log read access.
>
> This would be handled only by patching the .spec file to create the
> group and modify the permissions of the default log dir/file to:
>
> drwxr-x--- 1 root audit 322 25. Okt 21:06 /var/log/audit/
> -rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
>
> No source code modifications are required, as log_group_parser() should
> handle invalid entries.
>
> If an enforcement or warning is required for when log_group is not
> using the default "audit" group, it should be easy to do as well.
>
> For those wondering, Common Criteria seems to be fine with this
> modification.
>
> Excerpt from SUSE's CC certification (RH's seems to match):
>
> ---- begin ----
> 6.2.1.4 Restricted audit review (FAU_SAR.2)
>
> FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit
> records, except those users that have been granted explicit read-access.
>
> Application Note: The protection of the audit records is based on the Unix
> permission bit settings defined by FDP_ACC.1(PSO) supported by
> FDP_ACF.1(PSO).
> ---- end ----
>
> Please let me know of your concerns, if any.

This might go against the DISA STIG, but otherwise this is using the audit
system as intended.

> I have a working patch that I can submit right away in case this gets an
> ok.

I consider the audit.spec file to be an example to help others with
packaging. But I'm not entirely sure if it's 100% in sync with Fedora since
they make arbitrary policy changes like removing gcc and make from the build
root which then causes specfile updates. If you want to submit a patch, feel
free. I would apply it as an example to others.

Best Regards,
-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
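The proposal above relies on two things lining up: the mode and group ownership of /var/log/audit and audit.log, and the `log_group` setting in auditd.conf naming that same group. The following shell script is an added example written for this page, not code from the thread or from the audit project, that checks both from the defender's side: `audit_path_check` confirms a path grants nothing to "others" and is owned by the expected user and group, and `auditd_log_group` reads the configured `log_group` so a mismatch with the packaged group can be reported. It assumes GNU coreutils `stat` (Linux); the auditd.conf excerpt it writes is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): verify that the
# audit log paths are restricted to root and a dedicated group, and read the
# log_group value from an auditd.conf. Assumes GNU coreutils stat.

# Usage: audit_path_check PATH USER GROUP
# Returns 0 if mode and ownership match policy, 1 if not, 2 if PATH cannot be
# stat'ed. Prints one line per deviation.
audit_path_check() {
  path=$1
  want_user=$2
  want_group=$3
  info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || {
    echo "$path: cannot stat"
    return 2
  }
  mode=${info%% *}
  rest=${info#* }
  user=${rest%% *}
  group=${rest#* }
  # The last octal digit is the "others" class (also for 4-digit modes such
  # as 2750); anything but 0 lets users outside the group read, write or
  # traverse the path, which FAU_SAR.2 forbids.
  others=${mode#"${mode%?}"}
  status=0
  [ "$others" = 0 ] || { echo "$path: others have mode $others"; status=1; }
  [ "$user" = "$want_user" ] || { echo "$path: owner $user, want $want_user"; status=1; }
  [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; status=1; }
  return $status
}

# Usage: auditd_log_group CONF_FILE
# Prints the configured log_group (auditd.conf "key = value" syntax); prints
# nothing if the key is absent. The last occurrence wins, as later lines
# override earlier ones.
auditd_log_group() {
  sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample configuration (not a real system's file).
sample_conf=$(mktemp)
cat >"$sample_conf" <<'EOF'
# auditd.conf excerpt (constructed for this example)
log_file = /var/log/audit/audit.log
log_group = audit
log_format = ENRICHED
EOF

# Stand-alone run: report the configured group and check the default paths
# from the proposal against it. Paths that do not exist are reported as such.
want=$(auditd_log_group "$sample_conf")
echo "configured log_group: $want"
for p in /var/log/audit /var/log/audit/audit.log; do
  audit_path_check "$p" root "$want" && echo "$p: ok"
done
```

Run as root on a host with auditd installed, the loop reports "ok" for both paths only when the packaged permissions (`drwxr-x--- root audit`, `-rw-r----- root audit`) are in place and the group matches the `log_group` value; with the stock configuration (`log_group = root`) the group comparison flags the difference, which is exactly the enforcement or warning the proposal leaves optional.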
