RFC: Security permissions for /var/log/audit/* and */bin/* files
Hello!
While working on a new version of the audit package, I stumbled upon the
problem that /sbin/auditd explicitly checks several files and
directories for file permissions, which are less than Debian's standard
0755 and 0644. Here is a list of those 6 files and the corresponding
description from the manual page auditd.conf(5):
log_file /var/log/audit/audit.log 0640
This keyword specifies the full path name to the log file where
audit records will be stored. It must be a regular file.
dispatcher /sbin/audispd 0750
The dispatcher is a program that is started by the audit daemon
when it starts up. It will pass a copy of all audit events to
that application's stdin. Make sure you trust the application
that you add to this line since it runs with root privileges.
space_left_action /some/executable 0750
This parameter tells the system what action to take when the
system has detected that it is starting to get low on disk
space. Valid values are ignore, syslog, email, exec, suspend,
single, and halt. If set to ignore, the audit daemon does
nothing. syslog means that it will issue a warning to syslog.
Email means that it will send a warning to the email account
specified in action_mail_acct as well as sending the message to
syslog. exec /path-to-script will execute the script. You
cannot pass parameters to the script. suspend will cause the audit
daemon to stop writing records to the disk. The daemon will
still be alive. The single option will cause the audit daemon to
put the computer system in single user mode. halt option will
cause the audit daemon to shutdown the computer system.
admin_space_left_action /some/executable 0750
This parameter tells the system what action to take when the
system has detected that it is low on disk space. Valid values
are ignore, syslog, email, exec, suspend, single, and halt. If
set to ignore, the audit daemon does nothing. Syslog means that
it will issue a warning to syslog. Email means that it will
send a warning to the email account specified in
action_mail_acct as well as sending the message to syslog. exec
/path-to-script will execute the script. You cannot pass
parameters to the script. Suspend will cause the audit daemon to stop
writing records to the disk. The daemon will still be alive. The
single option will cause the audit daemon to put the computer
system in single user mode. halt
disk_full_action /some/executable 0750
This parameter tells the system what action to take when the
system has detected that the partition to which log files are
written has become full. Valid values are ignore, syslog, exec,
suspend, single, and halt. If set to ignore, the audit daemon
does nothing. Syslog means that it will issue a warning to
syslog. exec /path-to-script will execute the script. You cannot
pass parameters to the script. Suspend will cause the audit
daemon to stop writing records to the disk. The daemon will
still be alive. The single option will cause the audit daemon to
put the computer system in single user mode. halt option will
cause the audit daemon to shutdown the computer system.
disk_error_action /some/executable 0750
This parameter tells the system what action to take whenever
there is an error detected when writing audit events to disk or
rotating logs. Valid values are ignore, syslog, exec, suspend,
single, and halt. If set to ignore, the audit daemon does
nothing. Syslog means that it will issue a warning to syslog. exec
/path-to-script will execute the script. You cannot pass
parameters to the script. Suspend will cause the audit daemon to stop
writing records to the disk. The daemon will still be alive. The
single option will cause the audit daemon to put the computer
system in single user mode. halt option will cause the audit
daemon to shutdown the computer system.
I think the log file is very critical and important, so reducing the
permissions to 640 is probably okay. The parent directory will be 0750.
All other permissions for the executables are IMHO too restrictive. I'd
like to remove the check either completely or at least change it to
non-world-writable.
Any opinions on that?
BYtE
Philipp
--
Philipp Matthias Hahn <pmhahn@debian.org>
GPG/PGP: 9A540E39 @ keyrings.debian.org
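As an added example (not code from the post or from the audit package), a POSIX shell script that re-runs the six permission checks listed above against an auditd.conf, and beside each reports the looser "not world-writable" rule proposed at the end. It assumes GNU or BSD stat, "key = value" config lines, paths without spaces, and reads "less than" as "sets no permission bit beyond the listed mode".

```shell
#!/bin/sh
# Added example: mirror auditd's file-permission checks (modes from the
# post) and the proposed "not world-writable" rule. Assumptions: GNU/BSD
# stat, "key = value" lines, paths without spaces.

# Maximum mode auditd accepts for each checked keyword, as listed above.
max_mode_for() {
  case $1 in
    log_file) echo 0640 ;;
    dispatcher|space_left_action|admin_space_left_action|disk_full_action|disk_error_action)
      echo 0750 ;;
    *) return 1 ;;
  esac
}
# Octal permission bits of FILE, e.g. 640; fails if FILE is missing.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}
# strict_ok FILE MAX: succeeds when FILE sets no bit outside MAX (auditd's rule).
strict_ok() {
  m=$(file_mode "$1") || return 2
  [ $(( 0$m & ~0$2 & 07777 )) -eq 0 ]
}
# lax_ok FILE: succeeds when FILE is not world-writable (the post's proposal).
lax_ok() {
  m=$(file_mode "$1") || return 2
  [ $(( 0$m & 02 )) -eq 0 ]
}
# check_conf CONF: report every file auditd would check; returns the number
# of files failing the strict check (0 means auditd would accept them all).
check_conf() {
  conf=$1; fails=0
  while read -r line; do
    set -- $(printf '%s\n' "${line%%#*}" | tr '=' ' ')
    [ $# -ge 2 ] || continue
    key=$1; max=$(max_mode_for "$key") || continue
    case $key in
      *_action)   # only the "exec /path" form names a file to check
        case $2 in [Ee][Xx][Ee][Cc]) [ -n "${3:-}" ] || continue; path=$3 ;; *) continue ;; esac ;;
      *) path=$2 ;;
    esac
    if strict_ok "$path" "$max"; then s=ok; else s=FAIL; fails=$((fails + 1)); fi
    if lax_ok "$path"; then l=ok; else l=world-writable; fi
    printf '%-23s %-5s strict(%s)=%s not-world-writable=%s\n' \
      "$key" "$(file_mode "$path" || echo '?')" "$max" "$s" "$l"
  done < "$conf"
  return $fails
}
# Usage: check_conf /etc/audit/auditd.conf (run with an argument to do so).
if [ -n "${1:-}" ]; then check_conf "$1"; fi
```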