Can I safely change group ownership of /var/log/auth.log?

permissions log ownership

I am the Splunk administrator working with an Ubuntu 12.04 LTS system and I want to collect events from /var/log/auth.log. 

-rw-r----- 1 root adm 16534643 Jan  8 09:49 /var/log/auth.log

Splunk runs as a normal user, splunk.

$ id splunk
uid=1984(splunk) gid=1984(splunk) groups=1984(splunk)

Normally, I'd use this command so make the file group readable by the splunk group.

$ chgrp splunk /var/log/auth.log
-rw-r----- 1 root splunk 16534643 Jan  8 09:49 /var/log/auth.log

This works fine on other Linux distros and I assume this is okay with Ubuntu as well. But I do want to ask, will bumping out the adm cause me (actually, the other group that owns the box) headaches in the future? I am not a privileged user on the system, so I cannot check things like /var/log/cron/adm or mail for the adm account. I'm also assuming that logrotate will honor my new group owner for new files.

(Before you ask, access to the splunk index for auth.log is restricted to a limited number of people.)


Solution 1:

Followup: Since no one ever gave a reason why "adm" group ownership was important, I changed the group ownership to "splunk".

After 6 months, no issues were noticed. I decided against giving the splunk user additional group privileges by adding it to the "adm" group. I reasoned I could give the adm account the extra privilege of "splunk" group membership, if necessary.

Solution 2:

adm group may be important IF a security tool such as AppArmor (see https://wiki.ubuntu.com/AppArmor) is being used for additional security.

I mention this only because I ran into strange problems (access failures) when trying to configure bind on ubuntu and using different directories. That is, bind refused to work with changes that made sense to me but were not the AppArmor defaults. As I did not want to reconfigure AppArmor I went back to it's defaults - and sudo su when I need to make changes. For a single user system this is okay, but I would not want it this way in a production system.

Lastly, adm group may be important if you are audited - i.e., an auditor may consider it a breach of system integrity if it is not group adm. A way you might be able to 'pass' with is using ACLs (Access Control Lists) - see https://help.ubuntu.com/community/FilePermissions#ACL_.28Access_Control_List.29 for more info on that.

Related

Are there any official counters which keep a track on the number of downloads of a particular Ubuntu version across different derivatives?
xprintidle doesn't work in cronjob. Why?
how to configure a trackpoint only mode on thinkpads with clickpads
Dual Boot Ubuntu full disk encrypted but Windows untouched
What commands show pending/scheduled tasks in Terminal?
appmenu in 14.04 for gtk2 apps?
What is 'setcap' command and 'file capability'?
Cannot get ntpdate cron to run
apt-get autoremove "Before uninstall, this module version was ACTIVE on this kernel"
Why do top and lxtask show different degrees of memory usage?
Chrome stuck on 'resolving host'
Getting color names from color picker