Question: How to configure auditd to change the default permissions on the /var/log/audit/audit.log from 0600 to 0640 and also changing the group ownership of the file?
By default it is not possible to change permissions on the /var/log/audit/audit.log file using ACLs (auditd re-applies its own mode on the log); instead, the "log_group" parameter can be set in the file /etc/audit/auditd.conf.
The Steps
In this example, we would like to change the default permissions on /var/log/audit/audit.log from 600 to 640 and also change the group from root to splunk.
1. Check the current permissions on the /var/log/audit/audit.log file; by default it is owned by root:root with mode 0600.
# ls -l /var/log/audit/audit.log
-rw------- 1 root root 3531590 Jun 1 00:20 /var/log/audit/audit.log
2. Edit the /etc/audit/auditd.conf file and change log_group to splunk.
Before change:
# cat /etc/audit/auditd.conf | grep log_group
log_group = root
After change:
# cat /etc/audit/auditd.conf | grep log_group
log_group = splunk
3. Restart the auditd service so the new log_group takes effect.
# service auditd restart
4. Check the permissions on /var/log/audit/audit.log; the file is now group-readable by splunk.
# ls -l /var/log/audit/audit.log
-rw-r----- 1 root splunk 3532862 Jun 1 00:24 /var/log/audit/audit.log
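The same procedure as a small POSIX shell script is shown below. This is an added example, not part of the original page or of the audit package: it rewrites (or appends) the log_group line in an auditd.conf-style file without touching anything else, and provides a check that the log file ended up with mode 0640 and the expected group, which is the state to assert after the restart. The CONF and GROUP arguments, the function names and the temporary-file approach are this example's own choices.

```shell
#!/bin/sh
# Example (not from the original page): manage log_group in an auditd.conf-style
# file and verify the resulting permissions on the audit log.
set -u

# get_log_group CONF: print the current log_group value (empty if unset).
get_log_group() {
    sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*//p' "$1"
}

# set_log_group CONF GROUP: replace the log_group line, or append one if the
# file has none. A temp file plus mv is used instead of sed -i for portability.
set_log_group() {
    conf="$1"
    group="$2"
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $group/" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'log_group = %s\n' "$group" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# check_audit_log_perms LOGFILE GROUP: succeed only when the log has mode 0640
# and the given group, i.e. the state auditd produces after a restart with
# log_group set. Uses GNU stat (Linux), as on the systems the page describes.
check_audit_log_perms() {
    logfile="$1"
    group="$2"
    mode=$(stat -c '%a' "$logfile") || return 1
    grp=$(stat -c '%G' "$logfile") || return 1
    [ "$mode" = "640" ] && [ "$grp" = "$group" ]
}

# Only act when invoked directly with CONF and GROUP (e.g. /etc/audit/auditd.conf splunk).
if [ "$#" -ge 2 ]; then
    set_log_group "$1" "$2"
    echo "log_group is now '$(get_log_group "$1")' in $1"
    echo "restart auditd (service auditd restart) and then verify with:"
    echo "  check_audit_log_perms /var/log/audit/audit.log $2"
fi
```

Run it as root with the real config path and group name; the check function is what a configuration-drift test would call afterwards, since a plain chmod on the log is undone by auditd while log_group is not.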