* [RFC PATCH] audit.spec: create audit group for log read access
@ 2021-01-21 16:15 Enzo Matsumiya
From: Enzo Matsumiya @ 2021-01-21 16:15 UTC (permalink / raw)
  To: linux-audit

This patch introduces a new "audit" group.

The purpose of this group is to restrict read access to audit.log file.

No users are added to this group by default in this patch; it's up to
the user to do so.

One use case for this is to use AppArmor denial notifications (aa-notify),
which currently requires sudo. So, with this patch, instead of
modifying sudo configuration, the user who wants to run aa-notify to
read audit.log can just be added to the new audit group.

This patch uses the systemd-sysusers facilities to create the system
group.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 audit.spec              | 27 +++++++++++++++++++++++++--
 init.d/auditd.conf      |  2 +-
 system-group-audit.conf |  2 ++
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 system-group-audit.conf

diff --git a/audit.spec b/audit.spec
index 23153a60dc80..be6490b7ad09 100644
--- a/audit.spec
+++ b/audit.spec
@@ -7,22 +7,35 @@ License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Source1: system-group-audit.conf
 BuildRequires: gcc swig
 BuildRequires: golang
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
+BuildRequires: sysuser-tools
 
 Requires: %{name}-libs = %{version}-%{release}
 Requires(post): systemd coreutils
 Requires(preun): systemd initscripts
 Requires(postun): systemd coreutils initscript
+Requires: group(audit)
 
 %description
 The audit package contains the user space utilities for
 storing and searching the audit records generated by
 the audit subsystem in the Linux 2.6 and later kernels.
 
+%package -n system-group-audit
+Summary:       System group 'audit'
+License:       LGPL-2.1-or-later
+Group:         System/Fhs
+Provides:      group(audit)
+%sysusers_requires
+
+%description -n system-group-audit
+This package contains the system group 'audit' for restrict read access to logs.
+
 %package libs
 Summary: Dynamic library for libaudit
 License: LGPLv2+
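Review bot: `BuildRequires: sysuser-tools`, `%sysusers_requires` and the `%sysusers_generate_pre` / `%pre -f audit.pre` pair in the following hunks appear to be the openSUSE sysuser-tools macro set, while the rest of audit.spec follows Fedora/RHEL conventions (`%systemd_post`, `Group: System Environment/Daemons`), so on a distribution without that package the build would already fail at dependency resolution. Consider guarding the subpackage and these lines with a distro conditional such as `%if 0%{?suse_version}`, or using the generic `%sysusers_create_compat` route, and say in a comment which macro family the spec expects. The subpackage license is spelled `LGPL-2.1-or-later` while the libs subpackage a few lines down uses `LGPLv2+`; pick one form. The new %description could read `This package contains the system group 'audit', used to restrict read access to audit logs.`, and it would help reviewers of local policy if it also stated that membership grants read access to every record auditd writes.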
@@ -98,13 +111,17 @@ behavior.
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
+%sysusers_generate_pre %{SOURCE1} audit
+
 %install
 mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
 mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
 mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
-mkdir --mode=0700 -p $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir --mode=0750 -p $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+mkdir -p $RPM_BUILD_ROOT/%{_sysusersdir}
+install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysusersdir}/
 make DESTDIR=$RPM_BUILD_ROOT install
 
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}
@@ -143,6 +160,8 @@ if [ "$files" -eq 0 ] ; then
 fi
 %systemd_post auditd.service
 
+%pre -n system-group-audit -f audit.pre
+
 %preun
 %systemd_preun auditd.service
 if [ $1 -eq 0 ]; then
@@ -228,7 +247,8 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
 %ghost %{_localstatedir}/run/auditd.state
-%attr(-,root,-) %dir %{_var}/log/audit
+%attr(750,root,audit) %dir %{_var}/log/audit
+%ghost %config(noreplace) %attr(640,root,audit) %dir %{_var}/log/audit/audit.log
 %attr(750,root,root) %dir /etc/audit
 %attr(750,root,root) %dir /etc/audit/rules.d
 %attr(750,root,root) %dir /etc/audit/plugins.d
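Review bot: `%dir` on `%{_var}/log/audit/audit.log` records a regular file as a directory entry, and a log file is not configuration, so `%config(noreplace)` does not belong on it either; the line should be `%ghost %attr(640,root,audit) %{_var}/log/audit/audit.log`. This %attr only describes what rpm records for verification and removal of the ghost entry; the mode of the live file is set by auditd according to `log_group` in auditd.conf, so the two must be kept consistent whenever either changes. Rotated logs (audit.log.1 and so on) are not covered by this entry, and group members only keep access to them if auditd preserves the group on rotation, which I have not verified from this patch.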
@@ -238,6 +258,9 @@ fi
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 
+%files -n system-group-audit
+%{_sysusersdir}/system-group-audit.conf
+
 %files -n audispd-plugins
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
diff --git a/init.d/auditd.conf b/init.d/auditd.conf
index ff6a3352854f..0c68c00322f9 100644
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
@@ -5,7 +5,7 @@
 local_events = yes
 write_logs = yes
 log_file = /var/log/audit/audit.log
-log_group = root
+log_group = audit
 log_format = ENRICHED
 flush = INCREMENTAL_ASYNC
 freq = 50
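Review bot: Changing the shipped default to `log_group = audit` affects every build of the tarball, not only the RPM that now requires `group(audit)`; on a host where that group does not exist I believe auditd rejects the configuration at startup rather than falling back to root, which should be confirmed against auditd's config parser before the default moves. If the intent is packaging-specific, keeping `log_group = root` upstream and having the spec patch or sed the value at %install keeps non-RPM installs working unchanged. Existing installs that already have auditd.conf keep their current value if it is marked `%config(noreplace)`, so the new permissions would apply only to fresh installs; a short comment above the line, `# members of this group may read every audit record; keep in sync with the %attr on audit.log in the spec`, would make the security implication visible where the value is edited.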
diff --git a/system-group-audit.conf b/system-group-audit.conf
new file mode 100644
index 000000000000..ea2ffb04b405
--- /dev/null
+++ b/system-group-audit.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g audit -
-- 
2.30.0



