[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFC: Security permissions for /var/log/audit/* and */bin/* files

Hello!

While working on a new version of the audit-package, I stumbled upon the
problem that /sbin/auditd explicitely checks several files and
directories for file-permissions, which are less than Debians standard
0755 and 0644. Here a list of those 6 files and the corresponding
description from the manual page auditd.conf(5):

log_file /var/log/audit/audit.log 0640
      This  keyword specifies the full path name to the log file where
      audit records will be stored. It must be a regular file.

dispatcher /sbin/audispd 0750
      The  dispatcher is a program that is started by the audit daemon
      when it starts up. It will pass a copy of all  audit  events  to
      that  application's  stdin.  Make sure you trust the application
      that you add to this line since it runs with root privileges.

space_left_action /some/executable 0750
      This parameter tells the system what action  to  take  when  the
      system  has  detected  that  it  is  starting to get low on disk
      space.  Valid values are ignore, syslog, email,  exec,  suspend,
      single,  and  halt.   If  set  to  ignore, the audit daemon does
      nothing.  syslog means that it will issue a warning  to  syslog.
      Email  means  that  it  will send a warning to the email account
      specified in action_mail_acct as well as sending the message  to
      syslog.   exec /path-to-script will execute the script. You can-
      not pass parameters to the script.  suspend will cause the audit
      daemon  to  stop  writing  records  to the disk. The daemon will
      still be alive. The single option will cause the audit daemon to
      put  the  computer system in single user mode.  halt option will
      cause the audit daemon to shutdown the computer system.

admin_space_left_action /some/executable 0750
      This  parameter  tells  the  system what action to take when the
      system has detected that it is low on disk space.  Valid  values
      are  ignore, syslog, email, exec, suspend, single, and halt.  If
      set to ignore, the audit daemon does nothing.  Syslog means that
      it  will  issue  a  warning to syslog.  Email means that it will
      send   a   warning   to   the   email   account   specified   in
      action_mail_acct as well as sending the message to syslog.  exec
      /path-to-script will execute the script. You cannot pass parame-
      ters to the script.  Suspend will cause the audit daemon to stop
      writing records to the disk. The daemon will still be alive. The
      single  option  will  cause the audit daemon to put the computer
      system in single user mode.  halt

disk_full_action /some/executable 0750
      This parameter tells the system what action  to  take  when  the
      system  has  detected  that the partition to which log files are
      written has become full. Valid values are ignore, syslog,  exec,
      suspend,  single,  and halt.  If set to ignore, the audit daemon
      does nothing.  Syslog means that it will issue a warning to sys-
      log.   exec  /path-to-script will execute the script. You cannot
      pass parameters to the script.  Suspend  will  cause  the  audit
      daemon  to  stop  writing  records  to the disk. The daemon will
      still be alive. The single option will cause the audit daemon to
      put  the  computer system in single user mode.  halt option will
      cause the audit daemon to shutdown the computer system.

disk_error_action /some/executable 0750
      This parameter tells the system what  action  to  take  whenever
      there  is an error detected when writing audit events to disk or
      rotating logs. Valid values are ignore, syslog,  exec,  suspend,
      single, and halt.  If set to ignore, the audit daemon does noth-
      ing.  Syslog means that it will issue a warning to syslog.  exec
      /path-to-script will execute the script. You cannot pass parame-
      ters to the script.  Suspend will cause the audit daemon to stop
      writing records to the disk. The daemon will still be alive. The
      single option will cause the audit daemon to  put  the  computer
      system  in  single  user mode.  halt option will cause the audit
      daemon to shutdown the computer system.

I thinks the Log-file is very critial and important, so reducing the
permissions to 640 is probabpy okay. The parent-directory will be 0750.

All other permissions for the executables are IMHO to restrictive. I'd
like to remove the check either completely or at lease change it to
non-world-writable.

Any opinions on that?

BYtE
Philipp
-- 
Philipp Matthias Hahn <pmhahn@debian.org>
 GPG/PGP: 9A540E39 @ keyrings.debian.org
Reply to: