This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

vgptool and audit logging on RHEL

Hi

We've enabled audit logging on security relevant files.

We see unnecessary  chown and chmod accesses to the group-override file.

/etc/opt/quest/vas/group-override log entry:

----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28049) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28049) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28049) :  cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28049) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x16797d8 a1=root a2=root a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd
----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28050) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28050) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28050) :  cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28050) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x16797d8 a1=0644 a2=0x0 a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd

 

I think vgptool should check the files permissions and ownership before blindly resetting them.  I would consider this even a best practice? ;-)

 

- Thomas

Parents Reply Children
No Data