Re: [RFC] audit.spec: create audit group for log read access

[Steve Grubb <sgrubb@redhat.com>]

Hello,

On Wednesday, January 20, 2021 12:52:24 PM EST Enzo Matsumiya wrote:
> We (SUSE) would like to introduce an "audit" group for log read access.
> 
> This would be handled only by patching the .spec file to create the
> group and modify the permissions of the default log dir/file to:
> 
> drwxr-x--- 1 root audit     322 25. Okt 21:06 /var/log/audit/
> -rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
> 
> No source code modifications are required, as log_group_parser() should
> handle invalid entries.
> 
> If an enforcement or warning is required for when log_group is not
> using the default "audit" group, it should be easy to do as well.
> 
> For those wondering, Common Criteria seems to be fine with this
> modification.
> 
> Excerpt from SUSE's CC certification (RH's seems to match):
> 
> ---- begin ----
> 6.2.1.4 Restricted audit review (FAU_SAR.2)
> 
> FAU_SAR.2.1	The TSF shall prohibit all users read access to the audit
> records, except those users that have been granted explicit read-access.
> 
> Application Note: The protection of the audit records is based on the Unix
> permission bit settings defined by FDP_ACC.1(PSO) supported by
> FDP_ACF.1(PSO).
> ---- end ----
> 
> Please let me know of your concerns, if any.

This might go against the DISA STIG, but otherwise this is using the audit 
system as intended. 
 
> I have a working patch that I can submit right away in case this gets an
> ok.

I consider the audit.spec file to be an example to help others with packaging. 
But I'm not entirely sure if it's 100% in sync with Fedora since they make 
arbitrary policy changes like removing gcc and make from the build root which 
then causes specfile updates. If you want to submit a patch, feel free. I 
would apply it as an example to others.

Best Regards,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit