vgptool and audit logging on RHEL

Hi

We've enabled audit logging on security relevant files.

We see unnecessary chown and chmod accesses to the group-override file.

/etc/opt/quest/vas/group-override log entry:

----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28049) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28049) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28049) :  cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28049) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x16797d8 a1=root a2=root a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd
----
type=PROCTITLE msg=audit(09/08/2017 08:22:46.341:28050) : proctitle=/opt/quest/bin/.vgptool apply
type=PATH msg=audit(09/08/2017 08:22:46.341:28050) : item=0 name=/etc/opt/quest/vas/group-override inode=399731 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=CWD msg=audit(09/08/2017 08:22:46.341:28050) :  cwd=/opt/quest
type=SYSCALL msg=audit(09/08/2017 08:22:46.341:28050) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x16797d8 a1=0644 a2=0x0 a3=0x7ffefd60d730 items=1 ppid=4270 pid=4281 auid=u501 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2659 comm=.vgptool exe=/opt/quest/bin/.vgptool subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CFG_vasd
I think vgptool should check the file's permissions and ownership before blindly resetting them. I would even consider this a best practice? ;-)
- Thomas

  • Hi Thomas,

    For GPOs like Dynamic File Copy or just File Copy we do expect to see chown and chmod commands, but if that is being done on every single apply, that is something we might be able to take a look at to see if any changes can be made.

    With that in mind, however, we would like to obtain a snapshot of the system. Since that does collect some data you likely won't want to share in a public forum, would you be willing to open a support case so we can review that data securely?

    Thank you,
    Leigh Grant
  • In reply to Leigh Grant:

    I can do this on Monday.
    - Thomas
  • In reply to thomas.mueller1:

    That sounds perfect.
    If someone other than me starts working on it feel free to reference this conversation and I can help move things along.

    Thank you,
    Leigh Grant
  • In reply to Leigh Grant:

    It was a Files entry which had owner/group/mode set. I was unaware of that. Thanks for the pointer.

    Anyway, it would make sense to only set something if it really has changed. ;-)
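The "only set it if it really has changed" behaviour the thread converges on, as an added Python example that is not vgptool's own code: the current owner, group and mode are compared against the wanted values and chown/chmod are issued only where they differ, so an auditd watch on the file records real changes instead of a chown/chmod pair on every apply. The throwaway file and the values used in the demo are constructed.

```python
import os
import stat
import tempfile


def ensure_owner_mode(path, uid, gid, mode):
    """Converge path to the wanted owner/group/mode, touching it only where it differs.

    Returns the operations actually performed (a subset of ["chown", "chmod"]),
    so a caller can log exactly the changes that an audit rule will also see.
    """
    st = os.stat(path)
    actions = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        os.chown(path, uid, gid)
        actions.append("chown")
    if stat.S_IMODE(st.st_mode) != mode:  # compare permission bits only
        os.chmod(path, mode)
        actions.append("chmod")
    return actions


def naive_apply(path, uid, gid, mode):
    """The always-reset behaviour seen in the audit log: two syscalls every run."""
    os.chown(path, uid, gid)
    os.chmod(path, mode)
    return ["chown", "chmod"]


def demo():
    """Constructed scenario on a temporary file owned by the current user."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        st = os.stat(path)
        uid, gid = st.st_uid, st.st_gid  # wanted owner = current owner
        os.chmod(path, 0o644)
        first = ensure_owner_mode(path, uid, gid, 0o644)   # already correct
        second = ensure_owner_mode(path, uid, gid, 0o600)  # mode differs
        third = ensure_owner_mode(path, uid, gid, 0o600)   # converged, no-op
        always = naive_apply(path, uid, gid, 0o600)        # noisy regardless
        return {"first": first, "second": second, "third": third, "naive": always}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run under an audit rule such as the `-k CFG_vasd` watch from the log above, only the second call produces a chmod record; the naive variant produces a chown and a chmod record on every run.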