[PATCH] services: auditd: use exclusive log directory for auditd

> Currently auditd writes logs to /var/log/audit.log. This is a problem because

> auditd changes the permissions of the directory audit.log lives in to

> 700.

> /var/log usually has 755, this is assumed by some services. postgresql

> for example, fails when used together with auditd.

> fesoj000 schreef op wo 09-03-2022 om 20:21 [+0100]:

>> Currently auditd writes logs to /var/log/audit.log. This is a problem because

>> auditd changes the permissions of the directory audit.log lives in to

>> 700.

>

> Why is auditd doing this? Can this behaviour be patched out? Is there

> an upstream reportThis is the default behavior. auditd will always change the permissions, but

>> /var/log usually has 755, this is assumed by some services. postgresql

>> for example, fails when used together with auditd.

>

> Why does postgresql care about the group and other bits?

> Could postgresql be modified not to care?

> What are the reasons for changing the group and other bits?

> Perhaps that should be done by default by Guix when creating

> /var/log (POLA)?

> In any case, I would recommend adding to auditd.scm to make clear

> why the default log location is unacceptable.

> Use the upstream default log file for auditd.

>

> * gnu/services/auditd.scm: add auditd-activation function and extend

> activation-service-type.

> ---

>   gnu/services/auditd.scm | 17 ++++++++++++-----

>   1 file changed, 12 insertions(+), 5 deletions(-)

>

> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm

> index abde811f51..c88e974adb 100644

> --- a/gnu/services/auditd.scm

> +++ b/gnu/services/auditd.scm

> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)

>               %default-auditd-configuration-directory))

>  

>   (define auditd.conf

> -  (plain-file "auditd.conf" "log_file =

> /var/log/audit.log\nlog_format = \

> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \

> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \

> -ignore\ndisk_error_action = syslog\n"))

> +  (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =

> 1\nspace_left = 5% \

> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\

> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))

>   (define %default-auditd-configuration-directory

>     (computed-file "auditd"

> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>

>                              (default audit))

>     (configuration-directory auditd-configuration-configuration-

> directory))      ; file-like

>  

> +(define (auditd-activation config)

> +  (with-imported-modules '((guix build utils))

> +    #~(begin

> +        (use-modules (guix build utils))

> +        (mkdir-p "/var/log/audit"))))

> Hi,

>

> Am Mittwoch, dem 09.03.2022 um 22:00 +0100 schrieb fesoj000:

>> Use the upstream default log file for auditd.

>>

>> * gnu/services/auditd.scm: add auditd-activation function and extend

>> activation-service-type.

>> ---

>>   gnu/services/auditd.scm | 17 ++++++++++++-----

>>   1 file changed, 12 insertions(+), 5 deletions(-)

>>

>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm

>> index abde811f51..c88e974adb 100644

>> --- a/gnu/services/auditd.scm

>> +++ b/gnu/services/auditd.scm

>> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)

>>               %default-auditd-configuration-directory))

>>

>>   (define auditd.conf

>> -  (plain-file "auditd.conf" "log_file =

>> /var/log/audit.log\nlog_format = \

>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \

>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \

>> -ignore\ndisk_error_action = syslog\n"))

>> +  (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =

>> 1\nspace_left = 5% \

>> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\

>> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))

> I'm not sure what the rationale behind writing auditd.conf this way is,

> but note that can simply writethis as "\

> log_format = ENRICHED

> freq = 1

> space_left = 5%

> ..."

>

> Doing this, it would take up some more vertical real estate, but imho

> it'd be easier to read. We might also want to make some of these

> configurable later on, e.g. space_left, but that's not relevant to this

> patch set.

>>   (define %default-auditd-configuration-directory

>>     (computed-file "auditd"

>> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>

>>                              (default audit))

>>     (configuration-directory auditd-configuration-configuration-

>> directory))      ; file-like

>>

>> +(define (auditd-activation config)

>> +  (with-imported-modules '((guix build utils))

>> +    #~(begin

>> +        (use-modules (guix build utils))

>> +        (mkdir-p "/var/log/audit"))))

> I think guix should already create this directory with the 700

> permissions auditd demands, to prevent any TOCTOU-style tampering.

> Hi there,

>

> i don't think this is the right spot to ask this, but i am not sure

> where else i could ask this.

>

> What is the patch acceptance process? I am wondering, what are steps

> from patch to commit? I have quite some packages, services and other

> patches laying around in varying quality. I recently started

> cleaning them up. I plan to get them integrated into master at some

> point.

> So, i assume that there has to be interest and time from a guix

> developer to review, maybe test and then integrate the

> changes/packages into one of the branches.

> Is there something i can do to help the process along? Maybe we

> could use this very patch as an example. Currently i am uncertain if

> this patch is appropriate for master, because of the risk that

> changing the auditd default log directory might break some setups.

> This could be 'fixed' by writing a news snippet. But i

> am not sure. Or is there still something else missing?

>> So, i assume that there has to be interest and time from a guix

>> developer to review, maybe test and then integrate the

>> changes/packages into one of the branches.

> Note that there have already been two people reviewing; you currently

> owe me a v2 addressing the TOCTOU "race" of creating the audit

> directory without 700 permissions.

> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:

> > > So, i assume that there has to be interest and time from a guix

> > > developer to review, maybe test and then integrate the

> > > changes/packages into one of the branches.

> > Note that there have already been two people reviewing; you

> > currently

> > owe me a v2 addressing the TOCTOU "race" of creating the audit

> > directory without 700 permissions.

> Yes, that is true. But i addressed the rest, i think. New version

> inline.

> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00

> 2001

> From: fesoj000 <fesoj000@gmail.com>

> Date: Wed, 9 Mar 2022 20:07:42 +0100

> Subject: [PATCH] services: auditd: use exclusive log directory for

> auditd

>

> Use /var/log/audit for auditd. This is the upstream default.

>

> Further, rework the config file generated by auditd-service-type.

> Only

> write values which diverge from the upstream default.

>

> * gnu/services/auditd.scm: add auditd-activation function and extend

> activation-service-type.

> ---

>   gnu/services/auditd.scm | 20 +++++++++++++++-----

>   1 file changed, 15 insertions(+), 5 deletions(-)

>

> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm

> index abde811f51..602a6c5a48 100644

> --- a/gnu/services/auditd.scm

> +++ b/gnu/services/auditd.scm

> @@ -31,10 +31,10 @@ (define-module (gnu services auditd)

>               %default-auditd-configuration-directory))

>  

>   (define auditd.conf

> -  (plain-file "auditd.conf" "log_file =

> /var/log/audit.log\nlog_format = \

> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \

> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \

> -ignore\ndisk_error_action = syslog\n"))

> +  (plain-file "auditd.conf" "\

> +space_left = 5%

> +space_left_action = syslog

> +"))

>   (define %default-auditd-configuration-directory

>     (computed-file "auditd"

> @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>

>                              (default audit))

>     (configuration-directory auditd-configuration-configuration-

> directory))      ; file-like

>  

> +(define (auditd-activation config)

> +  (with-imported-modules '((guix build utils))

> +    #~(begin

> +        (use-modules (guix build utils))

> +        (let ((var-log-audit "/var/log/audit"))

> +          (umask #o077)

> +          (mkdir-p var-log-audit)))))

> +

> Am Freitag, dem 18.03.2022 um 22:48 +0100 schrieb fesoj000:

>> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:

>>>> So, i assume that there has to be interest and time from a guix

>>>> developer to review, maybe test and then integrate the

>>>> changes/packages into one of the branches.

>>> Note that there have already been two people reviewing; you

>>> currently

>>> owe me a v2 addressing the TOCTOU "race" of creating the audit

>>> directory without 700 permissions.

>> Yes, that is true. But i addressed the rest, i think. New version

>> inline.

> For the record, inline patches generate noise that's hard to separate

> when applying, so you'd probably want to avoid them. If you don't have

> git send-email set up regular attachments also work for some, though

> they do become tedious as well with series.

>

>> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00

>> 2001

>> From: fesoj000 <fesoj000@gmail.com>

>> Date: Wed, 9 Mar 2022 20:07:42 +0100

>> Subject: [PATCH] services: auditd: use exclusive log directory for

>> auditd

>>

>> Use /var/log/audit for auditd. This is the upstream default.

>>

>> Further, rework the config file generated by auditd-service-type.

>> Only

>> write values which diverge from the upstream default.

>>

>> * gnu/services/auditd.scm: add auditd-activation function and extend

>> activation-service-type.

>> ---

>>   gnu/services/auditd.scm | 20 +++++++++++++++-----

>>   1 file changed, 15 insertions(+), 5 deletions(-)

>>

>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm

>> index abde811f51..602a6c5a48 100644

>> --- a/gnu/services/auditd.scm

>> +++ b/gnu/services/auditd.scm

>> @@ -31,10 +31,10 @@ (define-module (gnu services auditd)

>>               %default-auditd-configuration-directory))

>>

>>   (define auditd.conf

>> -  (plain-file "auditd.conf" "log_file =

>> /var/log/audit.log\nlog_format = \

>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \

>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \

>> -ignore\ndisk_error_action = syslog\n"))

>> +  (plain-file "auditd.conf" "\

>> +space_left = 5%

>> +space_left_action = syslog

>> +"))

> I can understand discarding the log_file entry because we now use

> upstream default, but the rest should remain imo.

>>   (define %default-auditd-configuration-directory

>>     (computed-file "auditd"

>> @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>

>>                              (default audit))

>>     (configuration-directory auditd-configuration-configuration-

>> directory))      ; file-like

>>

>> +(define (auditd-activation config)

>> +  (with-imported-modules '((guix build utils))

>> +    #~(begin

>> +        (use-modules (guix build utils))

>> +        (let ((var-log-audit "/var/log/audit"))

>> +          (umask #o077)

>> +          (mkdir-p var-log-audit)))))

>> +

> This would also apply umask 077 to /var and /var/log if those don't

> already exist.

> More importantly, code executed after that will also

> inherit the umask, which I don't think is the intended consequence.

> > +(define (auditd-activation config)

> > +  (with-imported-modules '((guix build utils))

> > +    #~(begin

> > +        (use-modules (guix build utils))

> > +        (let ((var-log-audit "/var/log/audit"))

> > +          (umask #o077)

> > +          (mkdir-p var-log-audit)))))

> > +

> This would also apply umask 077 to /var and /var/log if those don't

> already exist.  More importantly, code executed after that will also

> inherit the umask, which I don't think is the intended consequence.

> +        (let* ((previous-umask (umask #o077)))

> +          (mkdir-p "/var/log/audit")

> +          (umask previous-umask)))))

> fesoj000 schreef op za 19-03-2022 om 12:34 [+0100]:

>> +        (let* ((previous-umask (umask #o077)))

>> +          (mkdir-p "/var/log/audit")

>> +          (umask previous-umask)))))

>

> I cannot recommend this, what if 'mkdir-p' throws an exception?

> That might cause problems. Or maybe not, but it would require

> some analysis that can be avoided with 'mkdir-p/perms'.

> > I cannot recommend this, what if 'mkdir-p' throws an exception?

> > That might cause problems.  Or maybe not, but it would require

> > some analysis that can be avoided with 'mkdir-p/perms'.

> Hm, but i still have to set umask to prevent TOCTOU, the

> implementation of 'mkdir-p/perms' does not take care of that.

> fesoj000 schreef op zo 20-03-2022 om 21:22 [+0100]:

> > > I cannot recommend this, what if 'mkdir-p' throws an exception?

> > > That might cause problems.  Or maybe not, but it would require

> > > some analysis that can be avoided with 'mkdir-p/perms'.

> > Hm, but i still have to set umask to prevent TOCTOU, the

> > implementation of 'mkdir-p/perms' does not take care of that.

>

> mkdir-p/perms could be modified to take care of that.

> If that is done, then other users of mkdir-p/perms would benefit as

> well.

>

> To implement this, I recommend using the prodecures from

> <https://lists.gnu.org/archive/html/guile-devel/2021-11/msg00005.html

> >

> -- that patch was written to remove the TOCTOU!

> Liliana Marie Prikler schreef op vr 18-03-2022 om 23:36 [+0100]:

>>> +(define (auditd-activation config)

>>> +  (with-imported-modules '((guix build utils))

>>> +    #~(begin

>>> +        (use-modules (guix build utils))

>>> +        (let ((var-log-audit "/var/log/audit"))

>>> +          (umask #o077)

>>> +          (mkdir-p var-log-audit)))))

>>> +

>> This would also apply umask 077 to /var and /var/log if those don't

>> already exist.  More importantly, code executed after that will also

>> inherit the umask, which I don't think is the intended consequence.

>

> More concretely, the procedure 'mkdir-p/perms' would address the umask

> issue, but not the potential ‘oops too restrictive permissions for /var

> and /var/log' issue.

> On 3/20/22 12:09 AM, Maxime Devos wrote:

> > Liliana Marie Prikler schreef op vr 18-03-2022 om 23:36 [+0100]:

> > > > +(define (auditd-activation config)

> > > > +  (with-imported-modules '((guix build utils))

> > > > +    #~(begin

> > > > +        (use-modules (guix build utils))

> > > > +        (let ((var-log-audit "/var/log/audit"))

> > > > +          (umask #o077)

> > > > +          (mkdir-p var-log-audit)))))

> > > > +

> > > This would also apply umask 077 to /var and /var/log if those

> > > don't already exist.  More importantly, code executed after that

> > > will also inherit the umask, which I don't think is the intended

> > > consequence.

> >

> > More concretely, the procedure 'mkdir-p/perms' would address the

> > umask issue, but not the potential ‘oops too restrictive

> > permissions for /var and /var/log' issue.

> Ok, i can assume that a future version of 'mkdir-p/perms' will handle

> the umask.

>

> Should the activation now handle potential permission problems from

> past activations and auditd starts? Can you try to explain in more

> detail please?