@akuzminsky
Member

Summary

  • Uses adm group for audit logs instead of ACLs
  • Removes ACL scripts and related complexity
  • cwagent reads audit logs via group membership

Problem

PR #215/#219 attempted to fix CloudWatch agent losing access to audit logs
after rotation using ACLs. However, auditd ignores default ACLs when creating
files - it always creates with mode 0600 and no inherited ACLs.

Solution

Use auditd's native log_group setting:

  • auditd.conf: log_group = adm
  • logrotate: create 0640 root adm
  • cwagent (already in adm group) reads via standard Unix permissions

This works because auditd does respect log_group when creating files.

Changes

  • auditd.pp: Default log_file_group changed to adm
  • auditd.conf.erb: Use variable for log_group, keep rotation disabled
  • logrotate.erb: Removed ACL postrotate hook
  • cloudwatch_agent.pp: Removed ACL package, scripts, and exec
  • Deleted set-audit-acl.sh.erb and check-audit-acl.sh.erb

Test plan

  • Deploy to development jumphost
  • Verify auditd.conf has log_group = adm
  • Force rotation with logrotate -f /etc/logrotate.d/audit
  • Confirm audit.log has group adm and mode 0640
  • Confirm CloudWatch agent can read without permission errors
  • Monitor for 24-48 hours
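
The test plan above can be scripted. The following check is an added example, not part of this PR, and assumes the standard Linux locations /etc/audit/auditd.conf, /etc/logrotate.d/audit and /var/log/audit/audit.log plus GNU stat:

```shell
#!/bin/sh
# Added post-deploy check for the group-based audit log access this PR sets up.
# Not part of the PR. Assumes the standard Linux paths and GNU stat; every
# check takes an optional path so it can run against sample files as well.

# auditd.conf must set log_group = adm (surrounding whitespace ignored).
auditd_log_group_ok() {
  grep -Eq '^[[:space:]]*log_group[[:space:]]*=[[:space:]]*adm[[:space:]]*$' \
    "${1:-/etc/audit/auditd.conf}"
}

# logrotate stanza must recreate the file as 0640 root adm.
logrotate_create_ok() {
  grep -Eq '^[[:space:]]*create[[:space:]]+0640[[:space:]]+root[[:space:]]+adm[[:space:]]*$' \
    "${1:-/etc/logrotate.d/audit}"
}

# "mode group" as printed by stat -c '%a %G'. The 0600/no-group-access state
# that the ACL approach ended up in after rotation fails here.
perms_string_ok() {
  [ "$1" = "640 adm" ]
}

# Live check of the audit log file itself.
audit_log_perms_ok() {
  perms_string_ok "$(stat -c '%a %G' "${1:-/var/log/audit/audit.log}" 2>/dev/null)"
}

# Run the three checks, print a line for each, return 1 if any failed.
verify_audit_access() {
  rc=0
  auditd_log_group_ok "$1" && echo "ok   auditd.conf: log_group = adm" \
    || { echo "FAIL auditd.conf: log_group is not adm"; rc=1; }
  logrotate_create_ok "$2" && echo "ok   logrotate: create 0640 root adm" \
    || { echo "FAIL logrotate: create line missing or wrong"; rc=1; }
  audit_log_perms_ok "$3" && echo "ok   audit.log: mode 0640, group adm" \
    || { echo "FAIL audit.log: not 0640/adm (cwagent cannot read it)"; rc=1; }
  return $rc
}

# Demo against constructed sample configs so it runs without root or auditd;
# the missing log path deliberately makes the third check fail.
demo=$(mktemp -d)
printf 'log_file = /var/log/audit/audit.log\nlog_group = adm\n' > "$demo/auditd.conf"
printf '/var/log/audit/audit.log {\n    create 0640 root adm\n}\n' > "$demo/audit"
verify_audit_access "$demo/auditd.conf" "$demo/audit" "$demo/missing.log" || true
rm -rf "$demo"
```

On the jumphost, call `verify_audit_access` with no arguments (as root, since /var/log/audit is not readable by other users) before and after `logrotate -f /etc/logrotate.d/audit` to confirm the recreated file keeps group adm and mode 0640.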

The ACL-based approach from #215/#219 failed because auditd ignores
default ACLs when creating files. When auditd recreates the log file
after rotation, it sets permissions to 0600 with no ACLs, blocking
CloudWatch agent access.

Solution: Use standard Unix group permissions instead of ACLs.
- Set auditd log_group to 'adm' (cwagent is already in adm group)
- Logrotate creates files with group 'adm'
- Remove ACL scripts and related resources

This is simpler and more reliable than ACLs since auditd respects
log_group when creating files.

Testing in development before rolling out to other environments.
@akuzminsky akuzminsky merged commit 33e306a into main Dec 26, 2025
2 checks passed
@akuzminsky akuzminsky deleted the fix-audit-log-permissions-group-based branch December 26, 2025 18:08