[build_debian.sh]: Fix /var/log having 0750 permissions instead of 0755 (#10031)

PR #9481 changed auditd's log directory to be /var/log instead of
/var/log/audit, because SONiC mounts a disk image at /var/log during
runtime, and so the /var/log/audit directory might not exist (since it
would've been created during package installation, mounting another
partition at /var/log will hide it). However, for security reasons,
auditd changes the log directory to have 0750 permissions, so that not
everyone knows about the audit logs or can read them.

To fix this, revert the change to auditd's log directory, and tell
systemd to create the audit log directory at runtime if it doesn't
exist. Because the disk image gets mounted during initramfs (before
systemd starts), systemd will make sure that the /var/log/audit
directory will exist.

Fixes #9548 and #10015

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
saiarcot895 authored and pull[bot] committed Jun 24, 2024
1 parent 001c731 commit 3621a18
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions build_debian.sh
Expand Up @@ -328,8 +328,13 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
jq \
auditd

# Change auditd log file path to fix auditd can't startup issue.
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "sudo sed -i 's/^\s*log_file\s*=.*/log_file = \/var\/log\/audit.log/g' /etc/audit/auditd.conf"
# Have systemd create the auditd log directory
sudo mkdir -p ${FILESYSTEM_ROOT}/etc/systemd/system/auditd.service.d
sudo tee ${FILESYSTEM_ROOT}/etc/systemd/system/auditd.service.d/log-directory.conf >/dev/null <<EOF
[Service]
LogsDirectory=audit
LogsDirectoryMode=0750
EOF

if [[ $CONFIGURED_ARCH == amd64 ]]; then
## Pre-install the fundamental packages for amd64 (x86)
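Review bot: the hunk removes the `sed` that rewrote `log_file` in `/etc/audit/auditd.conf`, but adds nothing that ties the new `LogsDirectory=audit` drop-in to the path auditd will actually log to, so the build now silently depends on the packaged auditd.conf default (the `/var/log/audit` location that PR #9481 had overridden) matching the directory systemd creates. A build-time check after the drop-in, e.g. `grep -q '^log_file = /var/log/audit/' ${FILESYSTEM_ROOT}/etc/audit/auditd.conf`, would make a future change of that package default fail loudly instead of leaving auditd writing somewhere the 0750 directory does not cover. The comment `# Have systemd create the auditd log directory` should also say why this is needed (the disk image mounted at /var/log from initramfs hides the directory the package installed), since the commit message is the only place that reasoning lives and the line being reverted here was itself added without that context.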
