Can I safely change group ownership of /var/log/auth.log?

I am the Splunk administrator working with an Ubuntu 12.04 LTS system and I want to collect events from /var/log/auth.log.

-rw-r----- 1 root adm 16534643 Jan  8 09:49 /var/log/auth.log

Splunk runs as a normal user, splunk.

$ id splunk
uid=1984(splunk) gid=1984(splunk) groups=1984(splunk)

Normally, I'd use this command to make the file group readable by the splunk group.

$ chgrp splunk /var/log/auth.log
-rw-r----- 1 root splunk 16534643 Jan  8 09:49 /var/log/auth.log

This works fine on other Linux distros and I assume this is okay with Ubuntu as well. But I do want to ask, will bumping out the adm cause me (actually, the other group that owns the box) headaches in the future? I am not a privileged user on the system, so I cannot check things like /var/log/cron/adm or mail for the adm account. I'm also assuming that logrotate will honor my new group owner for new files.

(Before you ask, access to the splunk index for auth.log is restricted to a limited number of people.)


Solution 1:

Followup: Since no one ever gave a reason why "adm" group ownership was important, I changed the group ownership to "splunk".

After 6 months, no issues were noticed. I decided against giving the splunk user additional group privileges by adding it to the "adm" group. I reasoned I could give the adm account the extra privilege of "splunk" group membership, if necessary.

Solution 2:

adm group may be important IF a security tool such as AppArmor (see https://wiki.ubuntu.com/AppArmor) is being used for additional security.

I mention this only because I ran into strange problems (access failures) when trying to configure bind on Ubuntu and using different directories. That is, bind refused to work with changes that made sense to me but were not the AppArmor defaults. As I did not want to reconfigure AppArmor I went back to its defaults - and sudo su when I need to make changes. For a single user system this is okay, but I would not want it this way in a production system.

Lastly, adm group may be important if you are audited - i.e., an auditor may consider it a breach of system integrity if it is not group adm. A way you might be able to 'pass' with is using ACLs (Access Control Lists) - see https://help.ubuntu.com/community/FilePermissions#ACL_.28Access_Control_List.29 for more info on that.
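To make the trade-off concrete, here is an added example (not from either answer) that models the Linux access check in the order acl(5) describes and compares the question's `chgrp splunk` with the ACL route from Solution 2, `setfacl -m g:splunk:r /var/log/auth.log`. The adm member "alice" is a constructed user, and the mask calculation assumes setfacl's default behaviour of recalculating the mask as the union of the group-class entries.

```python
from dataclasses import dataclass, field

READ = 4  # r=4, w=2, x=1, as in the octal mode

@dataclass
class FileAcl:
    owner: str
    group: str
    mode: int                                         # 0o640 == -rw-r-----
    named_groups: dict = field(default_factory=dict)  # g:NAME:perm ACL entries

    def mask(self):
        """ACL mask; None with only classic entries. Assumes setfacl's default
        recalculation of the mask as the union of all group-class entries."""
        if not self.named_groups:
            return None
        m = (self.mode >> 3) & 7
        for perm in self.named_groups.values():
            m |= perm
        return m

def can_read(f: FileAcl, user: str, groups: set) -> bool:
    """acl(5) order: owner entry, then every matching group entry, then other."""
    if user == f.owner:
        return bool((f.mode >> 6) & READ)
    mask = f.mask()
    matches = []
    if f.group in groups:                         # owning group (ACL_GROUP_OBJ)
        p = (f.mode >> 3) & 7
        matches.append(p if mask is None else p & mask)
    for g, p in f.named_groups.items():           # named groups (ACL_GROUP), always masked
        if g in groups:
            matches.append(p & mask)
    if matches:                                   # any matching group entry may grant read
        return any(p & READ for p in matches)
    return bool(f.mode & READ)                    # other

SPLUNK = ("splunk", {"splunk"})                   # from `id splunk` in the question
ALICE = ("alice", {"alice", "adm"})               # constructed: a sysadmin who relies on adm

SCENARIOS = {                                     # /var/log/auth.log in each state
    "original":           FileAcl("root", "adm", 0o640),
    "chgrp splunk":       FileAcl("root", "splunk", 0o640),
    "setfacl g:splunk:r": FileAcl("root", "adm", 0o640, {"splunk": READ}),
}

def compare():
    """Return {scenario: (splunk can read, adm member can read)}."""
    return {n: (can_read(f, *SPLUNK), can_read(f, *ALICE)) for n, f in SCENARIOS.items()}
```

The `chgrp` route silently locks adm members out of auth.log, while the ACL keeps root:adm intact and adds read for splunk; on a real box, confirm with `getfacl /var/log/auth.log` after the next log rotation that the entry survived the file being recreated.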