* Bug#759604: Any problem with making auditd log readable by the adm group?
From: intrigeri @ 2016-05-09 19:07 UTC (permalink / raw)
To: linux-audit; +Cc: 759604
Hi,
in Debian, the convention for many log files is to make them readable
by members of the adm group. We're considering doing the same for the
auditd logs, in order to make apparmor-notify work out-of-the-box.
The maintainer of auditd in Debian would like to know what's your take
on it. What kind of problem could be created if we did that?
Cheers,
* Re: Any problem with making auditd log readable by the adm group?
From: Steve Grubb @ 2016-05-09 19:33 UTC (permalink / raw)
To: linux-audit; +Cc: intrigeri, 759604
On Monday, May 09, 2016 09:07:11 PM intrigeri wrote:
> in Debian, the convention for many log files is to make them readable
> by members of the adm group. We're considering doing the same for the
> auditd logs, in order to make apparmor-notify work out-of-the-box.
>
> The maintainer of auditd in Debian would like to know what's your take
> on it. What kind of problem could be created if we did that?
I can't think of any problems. Just set the log_group = adm in auditd.conf and
fixup the packaging to have that as the group owner. Auditd should create the
logs with 0640 permissions.
-Steve
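
A check for the setting described in the reply above, added here as an example and not posted by anyone in the thread: it reads `log_group` from auditd.conf and compares it with the group owner and mode of the log file. The default paths and the fallback to `root` when `log_group` is unset are assumptions taken from the stock auditd configuration.

```python
import grp
import stat

def parse_auditd_conf(text):
    """Parse 'key = value' lines; keys are lower-cased, '#' lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def log_permission_findings(conf, st,
                            group_name=lambda gid: grp.getgrgid(gid).gr_name):
    """Compare a stat result for the audit log against log_group and 0640."""
    want_group = conf.get("log_group", "root")  # assumed default
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    owner = group_name(st.st_gid)
    if owner != want_group:
        findings.append(f"group owner is {owner}, log_group is {want_group}")
    if mode & 0o007:
        findings.append(f"mode {mode:04o} grants access to other users")
    if mode & 0o030:
        findings.append(f"mode {mode:04o} lets the group write or execute")
    if want_group != "root" and not mode & 0o040:
        findings.append(f"mode {mode:04o} does not let {want_group} read the log")
    return findings

if __name__ == "__main__":
    import os
    with open("/etc/audit/auditd.conf") as fh:  # assumed location
        conf = parse_auditd_conf(fh.read())
    path = conf.get("log_file", "/var/log/audit/audit.log")
    for finding in log_permission_findings(conf, os.stat(path)):
        print(f"{path}: {finding}")
```

An empty result means the file on disk matches the configured group and is readable by it without being writable by it or visible to other users.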
* Bug#759604: Any problem with making auditd log readable by the adm group?
From: intrigeri @ 2016-05-10 9:07 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, 759604
Steve Grubb wrote (09 May 2016 19:33:16 GMT) :
> On Monday, May 09, 2016 09:07:11 PM intrigeri wrote:
>> in Debian, the convention for many log files is to make them readable
>> by members of the adm group. We're considering doing the same for the
>> auditd logs, in order to make apparmor-notify work out-of-the-box.
>>
>> The maintainer of auditd in Debian would like to know what's your take
>> on it. What kind of problem could be created if we did that?
> I can't think of any problems.
Thanks for your input!
Cheers,
* Bug#759604: Any problem with making auditd log readable by the adm group?
From: Laurent Bigonville @ 2016-05-11 7:55 UTC (permalink / raw)
To: intrigeri, 759604, linux-audit
On 09/05/16 at 21:07, intrigeri wrote:
> Hi,
Hey,
> in Debian, the convention for many log files is to make them readable
> by members of the adm group. We're considering doing the same for the
> auditd logs, in order to make apparmor-notify work out-of-the-box.
Shouldn't apparmor-notify use audispd to get the events instead of
parsing the logs directly?
I'm not objecting to changing the permissions in Debian, but I'm wondering
whether it wouldn't be better to do it like that. I think that
setroubleshoot (a SELinux troubleshooting service used in RHEL/Fedora)
is doing it like that.
Cheers,
Laurent Bigonville
* Re: Bug#759604: Any problem with making auditd log readable by the adm group?
From: Steve Grubb @ 2016-05-11 12:36 UTC (permalink / raw)
To: linux-audit; +Cc: intrigeri, 759604
On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote:
> On 09/05/16 at 21:07, intrigeri wrote:
> > Hi,
>
> Hey,
>
> > in Debian, the convention for many log files is to make them readable
> > by members of the adm group. We're considering doing the same for the
> > auditd logs, in order to make apparmor-notify work out-of-the-box.
>
> Shouldn't apparmor-notify use audispd to get the events instead of
> parsing the logs directly?
If this is a realtime event analysis tool, then yes. (The original question I
thought was if adding the adm group to let admins search audit logs would hurt
anything.) There are two ways that you can get the events. One way is to
enable the af_unix plugin and read off of the unix socket. The other way is to
make a plugin for which there is skeleton code here:
https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
> I'm not objecting to changing the permissions in Debian, but I'm wondering
> whether it wouldn't be better to do it like that. I think that
> setroubleshoot (a SELinux troubleshooting service used in RHEL/Fedora)
> is doing it like that.
That is correct.
-Steve
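
A sketch of the first option in the reply above, reading events off the af_unix plugin's socket, added here as an example and not taken from the thread or from audit-userspace. The socket path, the one-record-per-line text format and the sample records are assumptions; the samples are constructed.

```python
import re
import socket

SOCKET_PATH = "/var/run/audispd_events"   # assumption: path set in af_unix.conf
UNTRUSTED = {"name", "profile", "comm"}   # fields audit may hex-encode
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

CONSTRUCTED_SAMPLE = (
    'type=AVC msg=audit(1462950000.123:456): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" denied_mask="r"\n'
    'type=SYSCALL msg=audit(1462950000.123:457): arch=c000003e syscall=2 exit=-13\n'
    'type=AVC msg=audit(1462950001.000:458): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/example" name="/tmp/x" pid=1234 comm="example"\n'
    'type=AVC msg=audit(1462950002.000:459): apparmor="DENIED" operation="mknod" '
    'profile="/usr/bin/example" name=2F746D702F612062 pid=1235 comm="example" denied_mask="c"\n'
)

def parse_record(line):
    """Split one audit record into fields, decoding unquoted hex strings."""
    rec = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            val = val.strip('"')
        elif key in UNTRUSTED:
            try:  # values with spaces or control bytes are logged as hex
                val = bytes.fromhex(val).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex, keep the raw token
        rec[key] = val
    return rec

def apparmor_denials(sock):
    """Yield parsed AppArmor DENIED records from a connected stream socket."""
    with sock.makefile("r", encoding="utf-8", errors="replace") as stream:
        for line in stream:
            rec = parse_record(line)
            if rec.get("apparmor") == "DENIED":
                yield rec

if __name__ == "__main__":
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(SOCKET_PATH)
        for rec in apparmor_denials(sock):
            print(rec.get("profile"), rec.get("operation"),
                  rec.get("name"), rec.get("denied_mask"))
```

Access is then governed by the socket's own mode and ownership, so a notifier built this way does not need read permission on the audit log file.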