| Message ID | cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@gmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D30AA27BBEA; Wed, 9 Mar 2022 19:24:39 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 67FF627BBE9 for <patchwork@mira.cbaines.net>; Wed, 9 Mar 2022 19:24:39 +0000 (GMT) Received: from localhost ([::1]:40808 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>) id 1nS1vK-0004NS-J4 for patchwork@mira.cbaines.net; Wed, 09 Mar 2022 14:24:38 -0500 Received: from eggs.gnu.org ([209.51.188.92]:49120) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nS1sq-0002IO-Sd for guix-patches@gnu.org; Wed, 09 Mar 2022 14:22:06 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:38613) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nS1so-0006Hz-DV for guix-patches@gnu.org; Wed, 09 Mar 2022 14:22:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nS1so-0006O2-7v for guix-patches@gnu.org; Wed, 09 Mar 2022 14:22:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd Resent-From: fesoj000 <fesoj000@gmail.com> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 09 Mar 2022 19:22:02 +0000 Resent-Message-ID: <handler.54309.B.164685370324521@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 54309 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 54309@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.164685370324521 (code B ref -1); Wed, 09 Mar 2022 19:22:02 +0000 Received: (at submit) by debbugs.gnu.org; 9 Mar 2022 19:21:43 +0000 Received: from localhost ([127.0.0.1]:60743 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1nS1sU-0006NR-Sz for submit@debbugs.gnu.org; Wed, 09 Mar 2022 14:21:43 -0500 Received: from lists.gnu.org ([209.51.188.17]:56126) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <fesoj000@gmail.com>) id 1nS1sT-0006NK-Gy for submit@debbugs.gnu.org; Wed, 09 Mar 2022 14:21:41 -0500 Received: from eggs.gnu.org ([209.51.188.92]:49004) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <fesoj000@gmail.com>) id 1nS1sS-00026F-Tt for guix-patches@gnu.org; Wed, 09 Mar 2022 14:21:41 -0500 Received: from [2a00:1450:4864:20::532] (port=35419 helo=mail-ed1-x532.google.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <fesoj000@gmail.com>) id 1nS1sR-0006BI-EH for guix-patches@gnu.org; Wed, 09 Mar 2022 14:21:40 -0500 Received: by mail-ed1-x532.google.com with SMTP id y22so4201493eds.2 for <guix-patches@gnu.org>; Wed, 09 Mar 2022 11:21:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:from:subject :content-language:to:content-transfer-encoding; bh=i5me75jnCPmiT9VgvhVk5APEI7DnC7QfwKXc1wjYv5M=; b=eSCjHOFnqxaBWUZtZtAK3tz8qvqFafDbeQgaiJP13dr71tqXp4+yvKaH2KhrOguLBq j3jhaKO4hu8BDoQz7OwXzd9cGmTQXC7xy3dYEEOze1VqP8IZRyzXuz+nf29dT8B9vRlv G6agWu4RRE+KefljqOG4dpPBvMr8TXMPqR2AisMqfnt/ur6Hg+uQDzPKfqSY2bynvkmS giY6Y0PiKXFdZsKoYCCqMfGVsPbKX2ZWh8wKlOYu6z7vV6Dn371qaxPOcjdbhys7/0la F+vjYbJZ5j0ZFjYApVolaxEDBIF6yn0zXGSNMyVD968RUZuMx0kWkN2RdFy8LoWb2sh9 XHYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:from :subject:content-language:to:content-transfer-encoding; bh=i5me75jnCPmiT9VgvhVk5APEI7DnC7QfwKXc1wjYv5M=; b=bG/cGVsv/QnELyPCYMbgnERdvviEDyQd9eGwroQseh3XQAvx0n7D5kBc6BOO99dM12 at3wnJrnomYPyhlCqYwBYr+Z/Fy6nLUfd2NBZCVShwpvzkGGEe87OUYfST9ekpBOkcv2 gew+ATtGmE69Jc2Cl0msvJDmrQd1SNjYYe/WYKUxJXIee7cwrUn/t0WZ01M0nO8V9Zxo bTkA7vJI7gCAjlwyHcBEt8m0q1FIsbNlCrZbWf9vpxvjh6e62AMJuV98rZhVyujtD3CV M+vHGCDno2/03UaR9v3LygyQD26d66nNqfnchq6nB3tTchDVlZBmAHZpEgUtJ970J1SL jaqg== X-Gm-Message-State: AOAM532ksBgXRSbJVasIYWbMHQalidZCqrZQDLtpyRk2xpZHAWS0FfeJ Y5YtpAP15CWtHh8xWwDtAsycQqFhEuo= X-Google-Smtp-Source: ABdhPJw0yOcVJnmuOBx/KAIs8XK1ukjCMDo0P4Y7XXuzQE4BOoVV6yKOTOINGaO9uWGt2BhqyyO5qg== X-Received: by 2002:a50:8d0e:0:b0:416:7dfc:9f93 with SMTP id s14-20020a508d0e000000b004167dfc9f93mr951791eds.93.1646853697689; Wed, 09 Mar 2022 11:21:37 -0800 (PST) Received: from ?IPV6:2003:ee:af2f:e00:c2f9:c2bb:bf95:1fc5? (p200300eeaf2f0e00c2f9c2bbbf951fc5.dip0.t-ipconnect.de. [2003:ee:af2f:e00:c2f9:c2bb:bf95:1fc5]) by smtp.gmail.com with ESMTPSA id g23-20020a17090670d700b006ccfd4163f7sm1036525ejk.206.2022.03.09.11.21.37 for <guix-patches@gnu.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Mar 2022 11:21:37 -0800 (PST) Message-ID: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@gmail.com> Date: Wed, 9 Mar 2022 20:21:37 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1 From: fesoj000 <fesoj000@gmail.com> Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Host-Lookup-Failed: Reverse DNS lookup failed for 2a00:1450:4864:20::532 (failed) Received-SPF: pass client-ip=2a00:1450:4864:20::532; envelope-from=fesoj000@gmail.com; helo=mail-ed1-x532.google.com X-Spam_score_int: -3 X-Spam_score: -0.4 X-Spam_bar: / X-Spam_report: (-0.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, PDS_HP_HELO_NORDNS=0.659, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches |
| Series |
[bug#54309] services: auditd: use exclusive log directory for auditd
|
|
Commit Message
fesoj000
March 9, 2022, 7:21 p.m. UTC
Currently auditd writes logs to /var/log/audit.log. This is a problem because auditd changes the permissions of the directory audit.log lives in to 700. /var/log usually has 755, this is assumed by some services. postgresql for example, fails when used together with auditd. On redhat for example, auditd uses /var/log/audit/ as its log directory. This change mirrors this behaviour. * gnu/services/auditd.scm: add auditd-activation function and extend activation-service-type. --- gnu/services/auditd.scm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
Comments
fesoj000 schreef op wo 09-03-2022 om 20:21 [+0100]: > Currently auditd writes logs to /var/log/audit.log. This is a problem because > auditd changes the permissions of the directory audit.log lives in to > 700. Why is auditd doing this? Can this behaviour be patched out? Is there an upstream report? > /var/log usually has 755, this is assumed by some services. postgresql > for example, fails when used together with auditd. Why does postgresql care about the group and other bits? Could postgresql be modified not to care? What are the reasons for changing the group and other bits? Perhaps that should be done by default by Guix when creating /var/log (POLA)? In any case, I would recommend adding to auditd.scm to make clear why the default log location is unacceptable. Greetings, Maxime.
Hi, On 3/9/22 8:36 PM, Maxime Devos wrote: > fesoj000 schreef op wo 09-03-2022 om 20:21 [+0100]: >> Currently auditd writes logs to /var/log/audit.log. This is a problem because >> auditd changes the permissions of the directory audit.log lives in to >> 700. > > Why is auditd doing this? Can this behaviour be patched out? Is there > an upstream reportThis is the default behavior. auditd will always change the permissions, but some attributes for this permission change can be configured in the config file. This behavior could be patched, but i don't think this is a good idea. Even the manpages assume /var/log/audit as the default log directory in some paragraphs. The auditd logfile contains events which can be usefull for debugging but usually this information is used in the aftermath of an cyberattack to learn more about what happend. It is even recommended to use a separate partition for /var/log/audit. auditd measures disk space and having /var/log/audit on a separate partition would deny unrelated processes from filling up the disk, effectively disabling audit logging. I think having /var/log/audit as the default log directory for auditd would not hurt. This would be more in line with other distros and further would allow to use a different partition. >> /var/log usually has 755, this is assumed by some services. postgresql >> for example, fails when used together with auditd. > > Why does postgresql care about the group and other bits? > Could postgresql be modified not to care? Maybe postgresql could be changed to gracefully handle this, but i am not sure what the benefit would be in this context. In my mind this is obviously a problem of how auditd is handled currently by auditd-service-type. Postgresql might be not the only service behaving this way. I did use postgresql as an example because this was the case i run into. > What are the reasons for changing the group and other bits? > Perhaps that should be done by default by Guix when creating > /var/log (POLA)? guix creates /var/log as 755, auditd changes its log directory to prevent access from unprivileged processes. Maybe auditd is paranoid in this case, but it is fine as long as it gets its own directory. > In any case, I would recommend adding to auditd.scm to make clear > why the default log location is unacceptable. The log location is configured by the configuration file. This configuration file is generated by auditd-service-type. The upstream [0] default configuration uses /var/log/audit as log directory. I think that documenting upstream default behavior does not add much value here. In fact, i think we can remove the log_file statement all together, because the built in default config uses /var/log/audit/audit.log [1]. I will prepare and test a new diff which removes the log_file statement. [0] https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.conf [1] https://github.com/linux-audit/audit-userspace/blob/master/src/auditd-config.c#L314 BR
Hi there, i don't think this is the right spot to ask this, but i am not sure where else i could ask this. What is the patch acceptance process? I am wondering, what are steps from patch to commit? I have quite some packages, services and other patches laying around in varying quality. I recently started cleaning them up. I plan to get them integrated into master at some point. So, i assume that there has to be interest and time from a guix developer to review, maybe test and then integrate the changes/packages into one of the branches. Is there something i can do to help the process along? Maybe we could use this very patch as an example. Currently i am uncertain if this patch is appropriate for master, because of the risk that changing the auditd default log directory might break some setups. This could be 'fixed' by writing a news snippet. But i am not sure. Or is there still something else missing? BR
Hi, Am Freitag, dem 18.03.2022 um 20:17 +0100 schrieb fesoj000: > Hi there, > > i don't think this is the right spot to ask this, but i am not sure > where else i could ask this. > > What is the patch acceptance process? I am wondering, what are steps > from patch to commit? I have quite some packages, services and other > patches laying around in varying quality. I recently started > cleaning them up. I plan to get them integrated into master at some > point. In general it's send a patch, wait for review (this might take some time), argue with the reviewer, reluctantly send v2, v3, ... until your patch passes the quality criteria, gets stamped and arrives upstream via avian carrier. > So, i assume that there has to be interest and time from a guix > developer to review, maybe test and then integrate the > changes/packages into one of the branches. Note that there have already been two people reviewing; you currently owe me a v2 addressing the TOCTOU "race" of creating the audit directory without 700 permissions. > Is there something i can do to help the process along? Maybe we > could use this very patch as an example. Currently i am uncertain if > this patch is appropriate for master, because of the risk that > changing the auditd default log directory might break some setups. > This could be 'fixed' by writing a news snippet. But i > am not sure. Or is there still something else missing? In general, you should read the reviews carefully, reflect on them, implement suggested changes (or come up with better alternative solutions) and resend the patches with said changes; rinse and repeat until you hear a "LGTM". If the reviewer in question is a committer, you might hear a "Thanks, pushed" instead. As a rule of thumb, others will rarely actively fix up your code and if they do it's mostly minor things. Any work more than that takes them away from other review or their own submissions. Cheers
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index abde811f51..8478581999 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm @@ -31,7 +31,7 @@ (define-module (gnu services auditd) %default-auditd-configuration-directory)) (define auditd.conf - (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \ + (plain-file "auditd.conf" "log_file = /var/log/audit/audit.log\nlog_format = \ ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ ignore\ndisk_error_action = syslog\n")) @@ -50,6 +50,12 @@ (define-record-type* <auditd-configuration> (default audit)) (configuration-directory auditd-configuration-configuration-directory)) ; file-like +(define (auditd-activation config) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p "/var/log/audit")))) + (define (auditd-shepherd-service config) (let* ((audit (auditd-configuration-audit config)) (configuration-directory (auditd-configuration-configuration-directory config))) @@ -67,7 +73,9 @@ (define auditd-service-type (extensions (list (service-extension shepherd-root-service-type - auditd-shepherd-service))) + auditd-shepherd-service) + (service-extension activation-service-type + auditd-activation))) (default-value (auditd-configuration (configuration-directory %default-auditd-configuration-directory)))))