@akuzminsky
Member

Summary

  • Uses auditd's log_group = adm for audit log permissions
  • Lets auditd handle rotation natively
  • Removes logrotate configuration

Problem

CloudWatch agent lost access to audit logs after rotation. Previous fixes
(#215, #219) used ACLs, but auditd ignores default ACLs when creating files.
Logrotate-based solutions caused double rotation or required service restarts.

Solution

Use auditd's built-in log_group setting:

  • auditd.conf: log_group = adm
  • max_log_file_action = rotate (auditd handles rotation)
  • cwagent (in adm group) reads via standard Unix permissions

No ACLs, no logrotate, no race conditions.

Changes

  • auditd.pp: Set log_file_group = 'adm', remove logrotate config
  • auditd.conf.erb: Use log_group = <%= @log_file_group %>
  • Deleted logrotate.erb

Test plan

  • Deploy to development jumphost
  • Verify auditd.conf has log_group = adm
  • Trigger rotation (wait for 50MB or send SIGUSR1)
  • Confirm new audit.log has group adm
  • Confirm CloudWatch agent reads without permission errors
  • Monitor for 24-48 hours

CloudWatch agent was losing access to audit logs after rotation.
Previous ACL-based fixes failed because auditd ignores default ACLs.

Solution: Use auditd's native log_group setting.
- Set log_group = adm in auditd.conf (cwagent is in adm group)
- Let auditd handle rotation natively (preserves group on new files)
- Remove logrotate config (unnecessary complexity)

This is simpler and more reliable than ACLs or logrotate workarounds.
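As an added check that is not part of this PR or its Puppet module, the script below verifies the two auditd.conf settings the description and commit message rely on (`log_group = adm`, `max_log_file_action = rotate`) and confirms that every `audit.log*` file in a directory carries the expected group, which is the condition the CloudWatch agent needs after a rotation. It assumes auditd.conf's `key = value` format and uses a constructed sample config in place of what `auditd.conf.erb` would render.

```shell
#!/bin/sh
# Added verification helper (not the PR's code). Constructed sample of the
# auditd.conf this change is meant to produce; a real check would point at
# /etc/audit/auditd.conf instead.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
log_group = adm
max_log_file = 50
max_log_file_action = rotate
num_logs = 5
EOF

# conf_value FILE KEY -> prints the last value set for KEY (whitespace around '=' tolerated)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_conf FILE -> 0 if the settings this change depends on are present, 1 otherwise
check_conf() {
    [ "$(conf_value "$1" log_group)" = "adm" ] \
        || { echo "log_group is not adm" >&2; return 1; }
    [ "$(conf_value "$1" max_log_file_action)" = "rotate" ] \
        || { echo "max_log_file_action is not rotate (auditd would not rotate natively)" >&2; return 1; }
    return 0
}

# file_group FILE -> prints the owning group (GNU stat first, BSD stat as fallback)
file_group() {
    stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1"
}

# check_log_group DIR GROUP -> 0 if every audit.log* in DIR is owned by GROUP, 1 otherwise
check_log_group() {
    dir=$1; grp=$2; rc=0
    for f in "$dir"/audit.log*; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        g="$(file_group "$f")"
        if [ "$g" != "$grp" ]; then
            echo "$f: group $g, expected $grp" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage against the constructed sample; on a real host pass /etc/audit/auditd.conf
# and /var/log/audit with group adm.
check_conf "$SAMPLE_CONF" && echo "sample auditd.conf: OK"
```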
akuzminsky merged commit f23810d into main Dec 26, 2025
2 checks passed
akuzminsky deleted the fix-audit-log-group-permissions-dev branch December 26, 2025 18:52