From 6b6e88db5800e2661a51e363173efadde0f16f92 Mon Sep 17 00:00:00 2001 From: akshya96 Date: Thu, 2 Jun 2022 09:52:58 -0700 Subject: [PATCH 1/4] adding file mode changes --- builtin/audit/file/backend.go | 14 ++++++++++- builtin/audit/file/backend_test.go | 40 ++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/builtin/audit/file/backend.go b/builtin/audit/file/backend.go index 67163039b4fcb..9e7d7c36c7108 100644 --- a/builtin/audit/file/backend.go +++ b/builtin/audit/file/backend.go @@ -78,9 +78,21 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err if err != nil { return nil, err } - if m != 0 { + switch m { + case 0: + // if mode is 0000, then do not modify file mode + if path != "stdout" && path != "discard" { + fileInfo, err := os.Stat(path) + if err != nil { + return nil, err + } + mode = fileInfo.Mode() + } + default: mode = os.FileMode(m) + } + } b := &Backend{ diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go index 702918d57917f..8c3ca6fae3ffa 100644 --- a/builtin/audit/file/backend_test.go +++ b/builtin/audit/file/backend_test.go 
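Review bot: In the new `case 0:` branch a mode of "0000" for a log file that does not exist yet now makes Factory fail, because the error from `os.Stat(path)` is returned unconditionally; before this change such a file was simply created with the default mode, so enabling a fresh audit device with mode 0000 regresses. Distinguish not-exist from other Stat failures with `errors.Is(err, os.ErrNotExist)` and keep the default mode in that case (the `errors` import may need adding; the import block is outside the hunk). Separately, `fileInfo.Mode()` carries file-type bits as well as permission bits; if `mode` is later handed to os.OpenFile or os.Chmod (outside this hunk), storing only `fileInfo.Mode() & (os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky)` keeps it a plain permission mask. Factory begins and ends outside the hunk.
```go
		case 0:
			// mode 0000 means "do not modify the file mode": reuse the mode of an
			// existing log file, and keep the default only when the file does not
			// exist yet so that it can still be created.
			if path != "stdout" && path != "discard" {
				fileInfo, err := os.Stat(path)
				switch {
				case err == nil:
					mode = fileInfo.Mode() & (os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky)
				case errors.Is(err, os.ErrNotExist):
					// nothing to preserve; the default mode applies at creation
				default:
					return nil, err
				}
			}
		// … unchanged: default branch …
```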
@@ -93,6 +93,46 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
 	}
 }
 
+func TestAuditFile_fileMode0000(t *testing.T) {
+	f, err := ioutil.TempFile("", "test")
+	if err != nil {
+		t.Fatalf("Failure to create test file.")
+	}
+	defer os.Remove(f.Name())
+
+	err = os.Chmod(f.Name(), 0o777)
+	if err != nil {
+		t.Fatalf("Failure to chmod temp file for testing.")
+	}
+
+	err = f.Close()
+	if err != nil {
+		t.Fatalf("Failure to close temp file for test.")
+	}
+
+	config := map[string]string{
+		"path": f.Name(),
+		"mode": "0000",
+	}
+
+	_, err = Factory(context.Background(), &audit.BackendConfig{
+		Config: config,
+		SaltConfig: &salt.Config{},
+		SaltView: &logical.InmemStorage{},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(f.Name())
+	if err != nil {
+		t.Fatalf("cannot retrieve file mode from `Stat`")
+	}
+	if info.Mode() != os.FileMode(0o777) {
+		t.Fatalf("File mode does not match.")
+	}
+}
+
 func BenchmarkAuditFile_request(b *testing.B) {
 	config := map[string]string{
 		"path": "/dev/null",
From e81c70dfa32ea125888b4607728a859a8968ae5d Mon Sep 17 00:00:00 2001
From: akshya96
Date: Thu, 2 Jun 2022 10:22:47 -0700
Subject: [PATCH 2/4] add changelog

---
 changelog/15759.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/15759.txt

diff --git a/changelog/15759.txt b/changelog/15759.txt
new file mode 100644
index 0000000000000..0687000082bd1
--- /dev/null
+++ b/changelog/15759.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Prevent changing file permissions of audit logs when mode 0000 is used.
+```
\ No newline at end of file
From e9944f89924a292cbed8a510341e951b7b2483b4 Mon Sep 17 00:00:00 2001
From: akshya96
Date: Thu, 2 Jun 2022 11:04:32 -0700
Subject: [PATCH 3/4] adding error

---
 builtin/audit/file/backend_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go
index 8c3ca6fae3ffa..4c928a5dc3995 100644
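Review bot: TestAuditFile_fileMode0000 only exercises a log file that already exists; there is no case for mode "0000" with a path that has not been created yet, so the outcome of Factory's new `os.Stat` branch for a fresh file (from the backend.go hunk it looks like a hard error) is neither pinned nor documented by a test. A sibling test that passes a not-yet-existing file under `t.TempDir()` with `"mode": "0000"` and asserts the intended result would settle that. The final assertion also hides the observed value; `t.Fatalf("file mode %v does not match %v", info.Mode(), os.FileMode(0o777))` makes a failure diagnosable. `ioutil.TempFile` is deprecated in favour of `os.CreateTemp` where the module's Go version allows it, unless the surrounding tests deliberately stay on ioutil for consistency.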
--- a/builtin/audit/file/backend_test.go
+++ b/builtin/audit/file/backend_test.go
@@ -96,18 +96,18 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
 func TestAuditFile_fileMode0000(t *testing.T) {
 	f, err := ioutil.TempFile("", "test")
 	if err != nil {
-		t.Fatalf("Failure to create test file.")
+		t.Fatalf("Failure to create test file. The error is %v",err)
 	}
 	defer os.Remove(f.Name())
 
 	err = os.Chmod(f.Name(), 0o777)
 	if err != nil {
-		t.Fatalf("Failure to chmod temp file for testing.")
+		t.Fatalf("Failure to chmod temp file for testing. The error is %v",err)
 	}
 
 	err = f.Close()
 	if err != nil {
-		t.Fatalf("Failure to close temp file for test.")
+		t.Fatalf("Failure to close temp file for test. The error is %v",err)
 	}
 
 	config := map[string]string{
@@ -126,7 +126,7 @@ func TestAuditFile_fileMode0000(t *testing.T) {
 
 	info, err := os.Stat(f.Name())
 	if err != nil {
-		t.Fatalf("cannot retrieve file mode from `Stat`")
+		t.Fatalf("cannot retrieve file mode from `Stat`. The error is %v",err)
 	}
 	if info.Mode() != os.FileMode(0o777) {
 		t.Fatalf("File mode does not match.")
From d3831ba78c081dbc06ef8b433f4d893e149c5c40 Mon Sep 17 00:00:00 2001
From: akshya96
Date: Thu, 2 Jun 2022 11:07:47 -0700
Subject: [PATCH 4/4] adding fmt changes

---
 builtin/audit/file/backend_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go
index 4c928a5dc3995..817518c50bd85 100644
--- a/builtin/audit/file/backend_test.go
+++ b/builtin/audit/file/backend_test.go
@@ -96,18 +96,18 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
 func TestAuditFile_fileMode0000(t *testing.T) {
 	f, err := ioutil.TempFile("", "test")
 	if err != nil {
-		t.Fatalf("Failure to create test file. The error is %v",err)
+		t.Fatalf("Failure to create test file. The error is %v", err)
 	}
 	defer os.Remove(f.Name())
 
 	err = os.Chmod(f.Name(), 0o777)
 	if err != nil {
-		t.Fatalf("Failure to chmod temp file for testing. The error is %v",err)
+		t.Fatalf("Failure to chmod temp file for testing. The error is %v", err)
 	}
 
 	err = f.Close()
 	if err != nil {
-		t.Fatalf("Failure to close temp file for test. The error is %v",err)
+		t.Fatalf("Failure to close temp file for test. The error is %v", err)
 	}
 
 	config := map[string]string{
@@ -126,7 +126,7 @@ func TestAuditFile_fileMode0000(t *testing.T) {
 
 	info, err := os.Stat(f.Name())
 	if err != nil {
-		t.Fatalf("cannot retrieve file mode from `Stat`. The error is %v",err)
+		t.Fatalf("cannot retrieve file mode from `Stat`. The error is %v", err)
 	}
 	if info.Mode() != os.FileMode(0o777) {
 		t.Fatalf("File mode does not match.")