Since I'm one of the few who is anal-retentive enough to be interested in auditing, and also blog about it, I get a number of questions about it. A couple of weeks ago I got a question from Colin Bouttell why setting the default acl(2) on /var/audit doesn't seem to work correctly with the audit daemon.
If OpenSolaris had been available then, I could quickly have shown why and where it happens, and he could have compiled a temporary fix in a blink of an eye.
Now that OpenSolaris is available, I can blog about this issue the way I would have liked when I got the question. The bug related to this problem is 6256481.
I'll start by quickly mentioning how the default acl works. You can set default acls on a directory, which all files created in that directory will inherit. By default the default acls are not set.
# getfacl /var/audit
# file: /var/audit
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x
If you use setfacl(1) and set the default acl for /var/audit like this

# setfacl -m d:m:r--,d:u::rw-,d:g::---,d:o:---,d:u:audit:r-- /var/audit

you can verify the setting using getfacl(1)

# getfacl /var/audit
# file: /var/audit
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rw-
default:user:audit:r--
default:group::---
default:mask:r--
default:other:---

Note that you have to supply all four default acls (user, group, other and mask) when you set them.
All new files created in the directory will be readable by the audit user.
# touch /var/audit/test
# getfacl /var/audit/test
# file: /var/audit/test
# owner: root
# group: root
user::rw-
user:audit:r--          #effective:r--
group::---              #effective:---
mask:r--
other:---
Now one would think that all audit files created by auditd will be readable by the audit user too, but if you use "audit -n" to switch the audit log, you will see that the default acls aren't applied as you might expect.

# getfacl /var/audit/20050530010500.not_terminated.vaccine
# file: /var/audit/20050530010500.not_terminated.vaccine
# owner: root
# group: root
user::rw-
user:audit:r--          #effective:---
group::---              #effective:---
mask:---
other:---
This was the question I got from Colin, and after a quick test to verify the problem, I decided to take a look at the source to see why this is happening. Before Solaris 10 the code to create a new audit file resided in usr/src/cmd/auditd/auditd.c, but now auditd has plugins which deal with the distribution of audit records. It is the audit_binfile.so plugin (usr/src/lib/auditd_plugins/binfile/binfile.c) which deals with writing the audit log to local disk.
In the function open_log on line 544 in binfile.c the new file is created:
537         /* Get a filename which does not already exist */
538         opened = 0;
539         while (!opened) {
540                 getauditdate(auditdate);
541                 (void) snprintf(newname, AUDIT_FNAME_SZ,
542                     "%s/%s.not_terminated.%s",
543                     current_dir->dl_dirname, auditdate, host);
544                 newfd = open(newname,
545                     O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0600);
546                 if (newfd < 0) {
547                         switch (errno) {
548                         case EEXIST:
549                                 DPRINT((dbfp,
550                                     "open_log says duplicate for %s "
551                                     "(will try another)\n", newname));
552                                 (void) sleep(1);
553                                 break;
554                         default:
555                                 /* open failed */
556                                 DPRINT((dbfp,
557                                     "open_log says full for %s: %s\n",
558                                     newname, strerror(errno)));
559                                 current_dir->dl_space = SPACE_FULL;
560                                 current_dir = current_dir->dl_next;
561                                 return (0);
562                         } /* switch */
563                 } else
564                         opened = 1;
565         } /* while */
and it is the 0600 on line 545 which causes the problem: when a directory carries a default acl, the group bits of the creation mode act as an upper bound for the inherited mask, and a group mode of 0 limits the mask to ---. Since the effective permission of the user:audit entry is its nominal permission ANDed with the mask, the audit user ends up with nothing.
Changing the mode from 0600 to 0640 will fix the problem, as the default mask r-- ANDed together with the group mode r-- will be r--, which allows the newly created audit logs to be read by the audit user.
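To make the mask rule concrete, here is a small model of how a POSIX-draft default acl combines with the mode passed to open(2). This is an added example, not code from the post or from the OpenSolaris auditd sources; it assumes the inheritance rule Solaris UFS applies when the parent directory has a default acl (the file's acl starts as the default acl, the owner/group/other bits of the creation mode are ANDed into the user::, mask: and other: entries, umask is ignored, and named entries keep their nominal permission but are limited by the reduced mask). Feeding it the default acl from above reproduces the three getfacl listings in the post: touch (mode 0666), binfile.c as shipped (0600) and the proposed fix (0640).

```python
"""Model of default-acl inheritance on file creation (added example, not the
post's or OpenSolaris' code).  Assumes the POSIX-draft rule used by Solaris
UFS: mode owner bits AND user::, mode group bits AND mask:, mode other bits
AND other:; named entries keep nominal bits, effective bits = nominal & mask."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
TAG_NAMES = {"u": "user", "g": "group", "m": "mask", "o": "other"}
TAG_ORDER = {"u": 0, "g": 1, "m": 2, "o": 3}      # getfacl(1) listing order


def parse_perms(text):
    """'r--' -> 4, 'rw-' -> 6, '---' -> 0."""
    return sum(bit for ch, bit in PERM_BITS if ch in text)


def fmt_perms(bits):
    """4 -> 'r--', 6 -> 'rw-', 0 -> '---'."""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)


def parse_default_acl(spec):
    """Parse a setfacl(1) spec such as 'd:m:r--,d:u::rw-,d:u:audit:r--' into
    (tag, qualifier, bits) tuples.  Only default (d:) entries are inherited."""
    entries = []
    for item in spec.split(","):
        fields = item.split(":")
        if fields[0] != "d":
            continue
        tag = fields[1]
        if tag in ("m", "o"):            # mask and other carry no qualifier
            qual, perms = "", fields[2]
        else:                            # u/g: 'd:u::rw-' or 'd:u:audit:r--'
            qual, perms = fields[2], fields[3]
        entries.append((tag, qual, parse_perms(perms)))
    return entries


def inherit_acl(default_acl, mode):
    """Return (tag, qualifier, nominal, effective, masked) tuples for a file
    created with `mode` in a directory carrying `default_acl`."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    mask = None
    for tag, _, bits in default_acl:
        if tag == "m":
            mask = bits & group          # the group mode bits cap the mask
    result = []
    for tag, qual, bits in default_acl:
        if tag == "u" and qual == "":
            result.append((tag, qual, bits & owner, bits & owner, False))
        elif tag == "o":
            result.append((tag, qual, bits & other, bits & other, False))
        elif tag == "m":
            result.append((tag, qual, mask, mask, False))
        elif tag == "g" and qual == "" and mask is None:
            result.append((tag, qual, bits & group, bits & group, False))
        else:
            # named user, named group, or group:: when a mask exists:
            # nominal permission is kept, effective is limited by the mask
            eff = bits if mask is None else bits & mask
            result.append((tag, qual, bits, eff, True))
    result.sort(key=lambda e: (TAG_ORDER[e[0]], e[1] != ""))
    return result


def render(acl):
    """Render the acl in getfacl(1) style, one entry per line."""
    lines = []
    for tag, qual, nominal, effective, masked in acl:
        name = TAG_NAMES[tag]
        if tag in ("u", "g"):
            text = f"{name}:{qual}:{fmt_perms(nominal)}"
        else:
            text = f"{name}:{fmt_perms(nominal)}"
        if masked:
            text = f"{text:<24}#effective:{fmt_perms(effective)}"
        lines.append(text)
    return "\n".join(lines)


def perms_of(acl, tag, qual=""):
    """(nominal, effective) strings for one entry, e.g. perms_of(acl, 'u', 'audit')."""
    for t, q, nominal, effective, _ in acl:
        if t == tag and q == qual:
            return fmt_perms(nominal), fmt_perms(effective)
    raise KeyError(f"{tag}:{qual}")


if __name__ == "__main__":
    # the default acl set on /var/audit in the post (constructed input here)
    default_acl = parse_default_acl("d:m:r--,d:u::rw-,d:g::---,d:o:---,d:u:audit:r--")
    for mode in (0o666, 0o600, 0o640):   # touch, binfile.c as shipped, the fix
        print(f"--- file created with mode {mode:04o} ---")
        print(render(inherit_acl(default_acl, mode)))
```

The model covers only the POSIX-draft acls of UFS that the post is about; ZFS uses NFSv4-style acls with a different inheritance scheme, so the same 0600 would not be capped by a mask entry there.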
[Technorati Tags: OpenSolaris Solaris Security]
Posted by Connie on January 15, 2006 at 03:32 PM PST #