Description of problem:
When processing a file using "ausearch --input <file>" as non-root user, the following gets printed:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ausearch --input /tmp/audit.log --just-one
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
----
time->Wed Aug 9 13:55:01 2023
type=USER_ACCT msg=audit(1691582101.695:13926): pid=341128 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_sss,pam_permit acct="rmetrich" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Internally strace shows ausearch tries to open /etc/audit/auditd.conf, but of course that's not possible.
Still the file gets processed properly, the message is just annoying and misleading.

Version-Release number of selected component (if applicable):
audit-3.1.1-1.fc38.x86_64

How reproducible:
Always, just open an audit log with proper permissions as a user

It wants 2 things: config.end_of_event_timeout and config.log_file. If --input is given, it doesn't need the log_file. But it still wants the configured timeout. In the case where users don't have permission, it uses the defaults which may not match local setup.