Auditbeat output.file ignores permissions

I found in latest auditbeat version 7.7.0 that auditbeat output file is created with permission 640 even if I set output file permission to 644.

I have this configuration in auditbeat.yml

  path: "/var/auditbeat/logs"
  filename: auditbeat
  rotate_every_kb: 20000
  number_of_files: 2
  permissions: 0644

but output file have permission 640

ubuntu:/var/auditbeat/logs# ls -alF
total 184
drwxr-xr-x 2 root root   4096 May 14 05:12 ./
drwxr-xr-x 3 root root   4096 May 14 05:11 ../
-rw-r----- 1 root root 177590 May 14 05:12 auditbeat

Could it be bug ? It works in version 7.4.0

Thank you

Those permissions are pre-umask. This is why it becomes 0640. The logger creates the file with 0644, but then the OS applies the processes umask to that mode value. The process has an 027 umask most likely.

I see there was a change in to make the Beat set its own umask. So since the file output doesn't do an explicit chmod on the file you'll never get the configured permissions. This seems like a bug to me since users lose control of the permissions since they cannot control the process umask anymore.

than you Andrew, I will create bug

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.