- /var/log/audit/audit.log has a default permission of 600; we need it to be 640.
- For log management we use Splunk. Splunk runs on every machine under its own user ID. We use ACLs to give the Splunk user read permission on the log files we want to index in Splunk.
- By putting an ACL on audit.log, the permissions change to 640.
- We use CFEngine to ensure that the permissions and ACLs on our log files are correct.
- Every time audit.log gets rotated, the permissions change back to 600.
- CFEngine runs every thirty minutes to correct the permissions.
- It would be expected that the permissions on the log files can be configured in /etc/audit/auditd.conf, but we did not find anything about this.
- Currently, in the worst-case scenario, Splunk cannot read audit.log for thirty minutes.
- On some rare busy systems, audit.log is rotated in less than thirty minutes.
- We are experiencing this problem on both RHEL 6 and RHEL 5.
- How can we ensure that the permission of 640 is kept during log rotation of /var/log/audit/audit.log?
- Red Hat Enterprise Linux (RHEL) 5 and 6
- Kernel auditing daemon (audit) 1.8 and 2.2
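The following is an added example and is not part of the Red Hat article, nor is it the reporter's CFEngine policy. It is a POSIX sh check that can be run from cron (or a tighter CFEngine interval) to detect the case described above: rotation replaces audit.log with a fresh 0600 file and the named-user ACL that gave the Splunk user read access is gone. The script parses `getfacl` output for a read entry for the reader user that is not hidden by the ACL mask, and calls `setfacl` to reinstate it. The user name `splunk`, the `AUDIT_LOG`/`READER_USER` variables and the function names are assumptions made for the example; the path /var/log/audit/audit.log and the 600/640 modes come from the issue text.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): detect when audit.log has
# lost the named-user read ACL after rotation and put it back.
# Assumptions: the log reader runs as user "splunk"; getfacl/setfacl from
# the acl package are installed; stat is GNU coreutils (RHEL).

LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
READER=${READER_USER:-splunk}   # assumption: Splunk's service account

# mode_of PATH -> octal permission bits as shown by ls, e.g. 600 or 640.
# With a named-user ACL present, the group bits display the ACL mask,
# which is why the issue text sees the file flip between 600 and 640.
mode_of() {
    stat -c '%a' "$1"
}

# acl_grants_read USER ACL_TEXT
# ACL_TEXT is the body of `getfacl -c -p FILE` (header omitted). Returns 0
# when USER has a "user:USER:r.." entry whose read bit survives the mask.
acl_grants_read() {
    user=$1
    # Strip "#effective:..." annotations that getfacl appends when the
    # mask narrows an entry, so only the literal entry text remains.
    acl=$(printf '%s\n' "$2" | sed 's/[[:space:]]*#.*$//')
    entry=$(printf '%s\n' "$acl" | grep "^user:${user}:" | head -n1)
    [ -n "$entry" ] || return 1          # no named-user entry at all
    perms=${entry##*:}
    case "$perms" in r*) ;; *) return 1 ;; esac
    mask=$(printf '%s\n' "$acl" | grep '^mask::' | head -n1)
    if [ -n "$mask" ]; then
        mperms=${mask##*:}
        case "$mperms" in r*) ;; *) return 1 ;; esac   # masked out
    fi
    return 0
}

# ensure_reader_acl PATH USER
# Re-apply "u:USER:r" when it is missing. Returns 0 when USER can read
# PATH afterwards, 1 when the ACL could not be (re)applied.
ensure_reader_acl() {
    path=$1
    user=$2
    if acl_grants_read "$user" "$(getfacl -c -p "$path" 2>/dev/null)"; then
        return 0                          # nothing to do
    fi
    printf '%s %s: %s lost read access (mode %s), reapplying ACL\n' \
        "$(date '+%F %T')" "$path" "$user" "$(mode_of "$path")" >&2
    setfacl -m "u:${user}:r" "$path" || return 1
    acl_grants_read "$user" "$(getfacl -c -p "$path" 2>/dev/null)"
}

# Run the check only when invoked with --check, e.g. from cron every minute:
#   * * * * * root /usr/local/sbin/audit-acl-check.sh --check
if [ "${1:-}" = "--check" ]; then
    ensure_reader_acl "$LOG" "$READER"
fi
```

Running this every minute narrows the window in which Splunk cannot read audit.log from thirty minutes to about one, but it is still a repair loop rather than a fix: any event written between rotation and the next run is indexed late, and the script must run as root to call `setfacl` on a root-owned file. It also only ever adds a read entry; it does not touch the rotated `audit.log.1` and later files, which keep whatever ACL they had when they were the live log.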
Subscriber exclusive content