From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E8E9C433E0 for ; Wed, 20 Jan 2021 18:16:40 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7D8C1233FC for ; Wed, 20 Jan 2021 18:16:39 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7D8C1233FC Authentication-Results: mail.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1611166598; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=IrllYsuu0Z2TAnrImeTjNsNuSFILbNYS//TFeNjIHSw=; b=XKkGZQ6KvawW5VL/4NSVqhR59ZhP3aE2m2vWEr++taYo2YZw5YctHJW201se9TugEIf6uV F/BxZqhSMsVWpMw+Qj3PAW26SCbLLpTfP2WUmHkKQPzQPr3c/KACkeutDvuqUAkgKTAuSB 1lQoe4OKDKIRGnDaWJkdLThLl+3VLPs= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-259-mPAkxAiBPAWeOSwnOCwy6w-1; Wed, 20 Jan 2021 13:16:33 -0500 X-MC-Unique: mPAkxAiBPAWeOSwnOCwy6w-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 57C391800D42; Wed, 20 Jan 2021 18:16:30 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id F3C085D9DD; Wed, 20 Jan 2021 18:16:29 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 65505180954D; Wed, 20 Jan 2021 18:16:11 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 10KIG9wL014138 for ; Wed, 20 Jan 2021 13:16:09 -0500 Received: by smtp.corp.redhat.com (Postfix) id B4A0610023AD; Wed, 20 Jan 2021 18:16:09 +0000 (UTC) Received: from x2.localnet (ovpn-114-140.phx2.redhat.com [10.3.114.140]) by smtp.corp.redhat.com (Postfix) with ESMTP id 79DFB100238C; Wed, 20 Jan 2021 18:16:06 +0000 (UTC) From: Steve Grubb To: linux-audit@redhat.com, Enzo Matsumiya Subject: Re: [RFC] audit.spec: create audit group for log read access Date: Wed, 20 Jan 2021 13:16:05 -0500 Message-ID: <5439988.DvuYhMxLoT@x2> Organization: Red Hat In-Reply-To: <20210120175224.dchx7f6z6i2bslst@hyori> References: <20210120175224.dchx7f6z6i2bslst@hyori> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: linux-audit@redhat.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hello, On Wednesday, January 20, 2021 12:52:24 PM EST Enzo Matsumiya wrote: > We (SUSE) would like to introduce an "audit" group for log read access. > > This would be handled only by patching the .spec file to create the > group and modify the permissions of the default log dir/file to: > > drwxr-x--- 1 root audit 322 25. Okt 21:06 /var/log/audit/ > -rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log > > No source code modifications are required, as log_group_parser() should > handle invalid entries. > > If an enforcement or warning is required for when log_group is not > using the default "audit" group, it should be easy to do as well. > > For those wondering, Common Criteria seems to be fine with this > modification. > > Excerpt from SUSE's CC certification (RH's seems to match): > > ---- begin ---- > 6.2.1.4 Restricted audit review (FAU_SAR.2) > > FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit > records, except those users that have been granted explicit read-access. > > Application Note: The protection of the audit records is based on the Unix > permission bit settings defined by FDP_ACC.1(PSO) supported by > FDP_ACF.1(PSO). > ---- end ---- > > Please let me know of your concerns, if any. This might go against the DISA STIG, but otherwise this is using the audit system as intended. > I have a working patch that I can submit right away in case this gets an > ok. I consider the audit.spec file to be an example to help others with packaging. But I'm not entirely sure if it's 100% in sync with Fedora since they make arbitrary policy changes like removing gcc and make from the build root which then causes specfile updates. If you want to submit a patch, feel free. I would apply it as an example to others. Best Regards, -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit