Hi,

On Wed, May 11, 2016 at 08:36:44AM -0400, Steve Grubb wrote:
> On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote:
> > On 09/05/16 at 21:07, intrigeri wrote:
> > > in Debian, the convention for many log files is to make them readable
> > > by members of the adm group. We're considering doing the same for the
> > > auditd logs, in order to make apparmor-notify work out-of-the-box.
> >
> > Shouldn't apparmor-notify use the audispd to get the events instead of
> > parsing the logs directly?
>
> If this is a realtime event analysis tool, then yes. (The original question I
> thought was if adding the adm group to let admins search audit logs would
> hurt anything.) There are two ways that you can get the events. One way is to
> enable the af_unix plugin and read off of the unix socket. The other way is
> to make a plugin for which there is skeleton code here:
>
> https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
It seems to me we have two issues at play here:

- auditd violating the adm group convention;
- apparmor-notify using a suboptimal mechanism to stream auditd logs.

Could we fix the permissions on /var/log/auditd and open an issue upstream for
apparmor-notify to use the unix socket plugin, esp. since no-one finds the
permissions change problematic?

Best,
nicoo
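As an added illustration (not code from this thread, from apparmor-notify or from audit-userspace) of the socket route Steve describes: a small Python client reads records from the audispd af_unix plugin socket instead of the log files under /var/log and keeps only AppArmor denials, which is all a notifier needs. The socket path is assumed to be the plugin's default and must match your af_unix.conf; the sample records are constructed, and `demo()` feeds them through a socketpair standing in for the plugin.

```python
import re
import socket

# Assumption: default socket path of the audispd af_unix plugin; check af_unix.conf.
AF_UNIX_SOCKET = "/var/run/audispd_events"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_apparmor_denial(rec):
    """True for the AVC records AppArmor emits when a profile denies an access."""
    return rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED"

def read_denials(sock):
    """Consume newline-delimited records from a connected socket until EOF; keep denials."""
    out, buf = [], b""
    while chunk := sock.recv(4096):
        buf += chunk
        while b"\n" in buf:  # records may straddle recv() boundaries
            line, buf = buf.split(b"\n", 1)
            rec = parse_record(line.decode("utf-8", "replace"))
            if is_apparmor_denial(rec):
                out.append(rec)
    return out

def denials_from_audispd(sock_path=AF_UNIX_SOCKET):
    """Connect to the af_unix plugin socket (needs the socket's permissions, not log access)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        return read_denials(s)

# Constructed sample records in the format auditd/AppArmor emit (not captured data).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1462960000.101:77): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=SYSCALL msg=audit(1462960000.101:77): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=1234 comm="cupsd" exe="/usr/sbin/cupsd"',
    'type=AVC msg=audit(1462960000.105:78): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1234 comm="cupsd"',
]

def demo():
    """Feed SAMPLE_RECORDS through a socketpair standing in for the audispd socket."""
    writer, reader = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with writer:
        writer.sendall("".join(r + "\n" for r in SAMPLE_RECORDS).encode())
    with reader:
        return read_denials(reader)
```

On a real host, `denials_from_audispd()` blocks until audispd closes the socket, so a notifier would loop over records as they arrive rather than collect them into a list.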