Hi
We've enabled audit logging on security-relevant files.
We see unnecessary chown and chmod accesses to the group-override file.
/etc/opt/quest/vas/group-override log entry:
----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28049) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28049) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28049) : cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28049) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x16797d8 a1=root a2=root a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd
----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28050) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28050) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28050) : cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28050) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x16797d8 a1=0644 a2=0x0 a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd
I think vgptool should check the file's permissions and ownership before blindly resetting them. I would consider this even a best practice? ;-)
- Thomas
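A triage sketch for entries like the ones above, added here as an example and not part of the original post or of the vendor's code: it groups `ausearch -i` records by event serial and flags successful chown/chmod calls whose requested owner or mode matches what the PATH record already shows. It assumes interpreted (`-i`) output and that the PATH record reflects the file's attributes before the call takes effect; the function names and the third sample event are constructed.

```python
import re

# Constructed sample in `ausearch -i` format: events 28049 and 28050 are trimmed
# from the post above; event 28051 is invented to show a real mode change.
SAMPLE = """\
----
type=PATH msg=audit(09/08/2017 08:22:46.341:28049) : item=0 name=/etc/opt/quest/vas/group-override mode=file,644 ouid=root ogid=root
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28049) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x16797d8 a1=root a2=root exe=/opt/quest/bin/.vgptool key=CFG_vasd
----
type=PATH msg=audit(09/08/2017 08:22:46.341:28050) : item=0 name=/etc/opt/quest/vas/group-override mode=file,644 ouid=root ogid=root
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28050) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x16797d8 a1=0644 a2=0x0 exe=/opt/quest/bin/.vgptool key=CFG_vasd
----
type=PATH msg=audit(09/08/2017 08:22:47.000:28051) : item=0 name=/etc/opt/quest/vas/group-override mode=file,600 ouid=root ogid=root
type=SYSCALL msg=audit(09/08/2017 08:22:47.000:28051) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x16797d8 a1=0644 a2=0x0 exe=/opt/quest/bin/.vgptool key=CFG_vasd
"""

EVENT_ID = re.compile(r"msg=audit\([^)]*:(\d+)\)")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Group records by audit event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m or " : " not in line:
            continue
        rtype = line.split(" ", 1)[0].partition("=")[2]
        # One PATH record per event is assumed (items=1, as in the post).
        events.setdefault(m.group(1), {})[rtype] = dict(FIELD.findall(line.split(" : ", 1)[1]))
    return events

def is_noop(ev):
    """True when a successful chown/chmod requested what the PATH record already shows."""
    sc, path = ev.get("SYSCALL"), ev.get("PATH")
    if not sc or not path or sc.get("success") != "yes":
        return False
    if sc.get("syscall") == "chmod":
        return int(path["mode"].split(",")[-1], 8) == int(sc["a1"], 8)
    if sc.get("syscall") == "chown":
        return (path["ouid"], path["ogid"]) == (sc["a1"], sc["a2"])
    return False

def noop_events(text):
    return [(eid, ev["SYSCALL"]["syscall"], ev["SYSCALL"]["exe"])
            for eid, ev in parse_events(text).items() if is_noop(ev)]

if __name__ == "__main__":
    for row in noop_events(SAMPLE):
        print(*row)
```

Events flagged this way are candidates for a documented exclusion in alerting; the constructed event 28051, where the mode actually changes from 600 to 644, is not flagged.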