Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: fesoj000
To: Maxime Devos, 54309@debbugs.gnu.org
Cc: guix-patches@gnu.org
Date: Wed, 9 Mar 2022 21:44:51 +0100
In-Reply-To: <4ca12a3e0b1662addecb8bcca1f63ba5e223e8b8.camel@telenet.be>

Hi,

On 3/9/22 8:36 PM, Maxime Devos wrote:
> fesoj000 wrote on Wed 09-03-2022 at 20:21 [+0100]:
>> Currently auditd writes logs to /var/log/audit.log. This is a problem
>> because auditd changes the permissions of the directory audit.log lives
>> in to 700.
>
> Why is auditd doing this? Can this behaviour be patched out? Is there
> an upstream report?

This is the default behavior. auditd will always change the permissions,
but some attributes for this permission change can be configured in the
config file. This behavior could be patched, but I don't think this is a
good idea. Even the manpages assume /var/log/audit as the default log
directory in some paragraphs.

The auditd logfile contains events which can be useful for debugging, but
usually this information is used in the aftermath of a cyberattack to learn
more about what happened. It is even recommended to use a separate
partition for /var/log/audit. auditd measures disk space, and having
/var/log/audit on a separate partition would keep unrelated processes from
filling up the disk, effectively disabling audit logging.

I think having /var/log/audit as the default log directory for auditd would
not hurt. This would be more in line with other distros and further would
allow using a different partition.

>> /var/log usually has 755, this is assumed by some services. postgresql
>> for example, fails when used together with auditd.
>
> Why does postgresql care about the group and other bits?
> Could postgresql be modified not to care?

Maybe postgresql could be changed to gracefully handle this, but I am not
sure what the benefit would be in this context. In my mind this is
obviously a problem of how auditd is handled currently by
auditd-service-type. Postgresql might not be the only service behaving
this way. I did use postgresql as an example because this was the case I
ran into.

> What are the reasons for changing the group and other bits?
> Perhaps that should be done by default by Guix when creating
> /var/log (POLA)?

Guix creates /var/log as 755; auditd changes its log directory to prevent
access from unprivileged processes. Maybe auditd is paranoid in this case,
but it is fine as long as it gets its own directory.

> In any case, I would recommend adding to auditd.scm to make clear
> why the default log location is unacceptable.

The log location is configured by the configuration file. This
configuration file is generated by auditd-service-type. The upstream [0]
default configuration uses /var/log/audit as log directory. I think that
documenting upstream default behavior does not add much value here. In
fact, I think we can remove the log_file statement altogether, because the
built-in default config uses /var/log/audit/audit.log [1].

I will prepare and test a new diff which removes the log_file statement.

[0] https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.conf
[1] https://github.com/linux-audit/audit-userspace/blob/master/src/auditd-config.c#L314

BR
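As an added example that is not part of the thread above nor code from Guix or audit-userspace: a small POSIX shell check an administrator could run against a generated auditd.conf before enabling auditd beside services that expect /var/log to stay 755. It resolves `log_file` (falling back to the built-in default /var/log/audit/audit.log that the message cites), flags a log file placed directly in a shared directory, and simulates the 700 chmod the thread describes on a scratch copy of /var/log so the before/after mode is visible. The sample config files, the /srv/audit path and the list of "shared" directories are constructed for the demo and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the Guix thread or audit-userspace).
# Checks where auditd's log_file points, because auditd tightens the mode
# of the directory that holds log_file (700 per the thread above), which
# breaks services that assume /var/log is 755 (the thread's case: postgresql).
# Assumes a POSIX sh with sed, dirname, mktemp and either GNU or BSD stat.
set -eu

# Print the effective log_file from an auditd.conf-style file.
# Falls back to the built-in default the thread cites when the
# directive is absent.
audit_log_file() {
    lf=$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$lf" ] || lf=/var/log/audit/audit.log
    printf '%s\n' "$lf"
}

# Return 0 when the directory holding log_file is dedicated to auditd,
# 1 when it is one of the shared directories other services depend on
# (hypothetical list for this demo).
audit_logdir_is_exclusive() {
    dir=$(dirname "$(audit_log_file "$1")")
    for shared in / /var /var/log /tmp; do
        [ "$dir" != "$shared" ] || return 1
    done
    return 0
}

# Octal mode of a path: GNU stat first, BSD stat as fallback.
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# --- constructed sample configs (demo values, not from the thread) ---
TMP=$(mktemp -d)
# the setup the thread reports: log file directly in /var/log
printf 'log_file = /var/log/audit.log\nlog_format = ENRICHED\n' > "$TMP/shared.conf"
# no log_file directive: the built-in default applies
printf 'log_format = ENRICHED\n' > "$TMP/default.conf"
# hypothetical dedicated directory on its own partition
printf 'log_file = /srv/audit/audit.log\n' > "$TMP/custom.conf"

# Simulate what auditd does to dirname(log_file) on a scratch /var/log:
# a shared 755 directory becomes 700, locking out other services.
mkdir -p "$TMP/var/log"
chmod 755 "$TMP/var/log"
MODE_BEFORE=$(dir_mode "$TMP/var/log")
chmod 700 "$TMP/var/log"
MODE_AFTER=$(dir_mode "$TMP/var/log")

for c in shared default custom; do
    if audit_logdir_is_exclusive "$TMP/$c.conf"; then
        echo "$c.conf: OK, $(audit_log_file "$TMP/$c.conf") is in a dedicated directory"
    else
        echo "$c.conf: BAD, $(audit_log_file "$TMP/$c.conf") makes auditd chmod a shared directory"
    fi
done
echo "simulated /var/log mode: $MODE_BEFORE -> $MODE_AFTER"
```

Run it as a normal user; it only touches the mktemp directory. The same two functions can be pointed at the real /etc/audit/auditd.conf to confirm that a config without `log_file`, as proposed in the message, resolves to /var/log/audit/audit.log rather than to a file directly under /var/log.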