Audit log file perms
Steve Grubb
sgrubb at redhat.com
Wed Aug 21 20:09:41 UTC 2013
On Wednesday, August 21, 2013 02:34:36 PM John C. A. Bambenek, GCIH, CISSP
wrote:
> Files have right permissions but the directory itself keeps reverting to
> root:root and 700.
The audit daemon does not change permissions on the directory. Its assumed the
admin takes care of that since you would set that up once and it should be
good for a while. The audit daemon just changes the files because it creates
them and rotates them.
-Steve
> On Thursday, August 1, 2013, Steve Grubb wrote:
> > On Thursday, August 01, 2013 12:34:20 PM John Bambenek wrote:
> > > What controls that?
> >
> > The audit daemon.
> >
> > > I have noticed /var/log/audit directory changes to a
> > > default setting quickly and file rotation resets it as well.
> >
> > It defaults to 0600 unless you have set something for log_group and in
> > that
> > case you get 0640. Rotation is done using the rename syscall, so no
> > permissions should be changing. Logs are created as 0640 root, root. But
> > get
> > modified as the audit daemon gets more of its configuration parsed.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com <javascript:;>
> > https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list