Marco Beishuizen wrote:
> On Fri, 12 Sep 2008 18:02:37 -0400
> Greg Larkin <[EMAIL PROTECTED]> wrote:
>
>> Hi Marco,
>>
>> Right you are! In fact, after my initial logcheck commit, someone
>> opened a PR stating something very similar to what you noted:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127255
>>
>> The submitter's point is that the logcheck user should not be part of
>> the wheel group, since that also confers the ability to su to root and
>> read many files that should be private.
>>
>> A patch has been committed very recently to remove the logcheck user
>> from the wheel group and change the verbiage in pkg-message:
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-install.in.diff?r1=1.1;r2=1.2
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-message.in.diff?r1=1.1;r2=1.2
>>
>> Any file that needs to be analyzed by logcheck will now have to be
>> readable by the logcheck group instead of the wheel group.
>>
>> Best regards,
>> Greg
>> --
>> Greg Larkin
>
> I upgraded to the latest version today and now there is a separate
> logcheck group. But logcheck still only works when the logfiles have
> permission 644. Most of them had permissions set to 600, but then I get
> the same error messages as before.
>
> Or should I change the owner of all logfiles from root to logcheck and
> then the permissions back to 600?
>
> Regards,
> Marco
Hi Marco,

Yes, you will need to make the files readable by logcheck, according to
the instructions displayed after the port is installed, but you don't
need to change the owner of the files to be analyzed, just the group and
group permissions:

--------------------------------------------------------------------
Please make sure that all files listed in
/usr/local/etc/logcheck/logcheck.logfiles are readable to the 'logcheck'
group (see also /etc/newsyslog.conf), or remove them from the
aforementioned logcheck configuration file.
--------------------------------------------------------------------

In my installation, logcheck.logfiles contains the following. I believe
this is the default when the port is first installed:

--------------------------------------------------------------------
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/auth.log
--------------------------------------------------------------------

When I check the permissions on these files, I see:

--------------------------------------------------------------------
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r-----  1 root  wheel  63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r--  1 root  wheel  47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------

I can tell that /var/log/messages is readable by the logcheck group
(other = read), but /var/log/auth.log is not (other = none).
To fix this problem, I change the group of the /var/log/auth.log file
like so:

--------------------------------------------------------------------
fbsd70# chgrp logcheck /var/log/auth.log
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r-----  1 root  logcheck  63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r--  1 root  wheel     47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------

Finally, I'll add the members of the wheel group to the logcheck group
so anyone in that group can still read the file as they could before:

--------------------------------------------------------------------
fbsd70# grep ^wheel: /etc/group
wheel:*:0:root,glarkin
fbsd70# grep ^wheel: /etc/group | awk -F : '{ print $4 }' | xargs \
    -n1 pw groupmod logcheck -m
fbsd70# grep ^logcheck: /etc/group
logcheck:*:915:root,glarkin
--------------------------------------------------------------------

Now the logcheck, root, and glarkin users can all read
/var/log/auth.log, and the logcheck script should work fine.

I hope that clears everything up. If you have any further questions or
problems, please post back here.

Best regards,
Greg
--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
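The procedure above (check each file in logcheck.logfiles, chgrp the ones the logcheck group cannot read, keep root as owner) can be scripted as an audit. One caveat the pkg-message hints at with "see also /etc/newsyslog.conf" and that the reply does not spell out: newsyslog(8) recreates a rotated log with the owner:group and mode given in its newsyslog.conf entry, so a one-off chgrp on /var/log/auth.log is undone at the next rotation unless that entry is updated as well. The script below is an added example written for this page, not code from the thread or from the logcheck port. It works on constructed, inline copies of the logcheck.logfiles list and the `ls -l` output shown in the reply so it runs offline on any POSIX shell; on a real host you would feed it the actual file and `ls -l` output instead. The newsyslog.conf count/size/when/flags values it prints (7 * @T00 JC) are assumed typical defaults, not taken from the thread.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit which files listed in a
# logcheck.logfiles-style list are readable by a given group, judging from
# ls -l style permission strings, and print the remediation for each failure.

# group_can_read MODE OWNING_GROUP WANTED_GROUP
# Return 0 if a file with mode string MODE (e.g. -rw-r-----) owned by group
# OWNING_GROUP is readable by members of WANTED_GROUP, 1 otherwise.
# Position 5 of the mode string is the group read bit, position 8 the "other"
# read bit. User ownership is deliberately ignored: the thread keeps root as
# the owner and grants access through the group only.
group_can_read() {
    mode=$1; owner_group=$2; want=$3
    group_r=$(printf '%s\n' "$mode" | cut -c5)
    other_r=$(printf '%s\n' "$mode" | cut -c8)
    [ "$other_r" = "r" ] && return 0
    [ "$owner_group" = "$want" ] && [ "$group_r" = "r" ] && return 0
    return 1
}

# Constructed stand-in for /usr/local/etc/logcheck/logcheck.logfiles.
# Comment lines and blank lines are skipped, as in the real file.
LOGFILES='# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/auth.log
'

# Constructed stand-in for `ls -l` output of those files, copied from the
# "before" state in the reply: mode links owner group size month day time path
INVENTORY='-rw-r----- 1 root wheel 63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r-- 1 root wheel 47346 Sep 14 12:48 /var/log/messages'

# unreadable_logfiles LIST WANTED_GROUP INVENTORY
# Print, one per line, the paths from LIST that WANTED_GROUP cannot read
# according to INVENTORY. Empty output means every listed file is readable.
unreadable_logfiles() {
    list=$1; want=$2; inv=$3
    printf '%s\n' "$list" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r path; do
        # Match on the last field so paths with the same prefix do not collide.
        line=$(printf '%s\n' "$inv" | awk -v p="$path" '$NF == p')
        if [ -z "$line" ]; then
            printf '%s (missing from inventory)\n' "$path"
            continue
        fi
        fmode=$(printf '%s\n' "$line" | awk '{ print $1 }')
        fgrp=$(printf '%s\n' "$line" | awk '{ print $4 }')
        group_can_read "$fmode" "$fgrp" "$want" || printf '%s\n' "$path"
    done
}

# remediation_for PATH WANTED_GROUP
# Print the commands that make PATH group-readable without changing its owner,
# plus the newsyslog.conf line needed so the next rotation recreates the file
# with the same owner:group and mode. The "7 * @T00 JC" fields are assumed
# typical defaults for the example (see newsyslog.conf(5)), not from the thread.
remediation_for() {
    path=$1; want=$2
    printf 'chgrp %s %s\n' "$want" "$path"
    printf 'chmod 640 %s\n' "$path"
    printf 'newsyslog.conf: %s root:%s 640 7 * @T00 JC\n' "$path" "$want"
}

# Stand-alone run: list the failures and the fix for each.
unreadable_logfiles "$LOGFILES" logcheck "$INVENTORY" | while IFS= read -r p; do
    echo "NOT readable by logcheck: $p"
    remediation_for "${p%% *}" logcheck | sed 's/^/    /'
done
```

Run against the thread's own "before" state it reports only /var/log/auth.log, matching what the reply found by eye; after `chgrp logcheck /var/log/auth.log` the same check passes because the owning group is now logcheck and the group read bit is set. Adding the newsyslog.conf entry is what keeps it passing after rotation.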