RE: Access rights for system logs

> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change systems logs owners from root:root mode 600 to root:adm mode
> > 640 (or something similar)
> 
> So, what would be the implementation of this? How would logcheck or any log reader
> work. Would they be setgid applications or would they start as root and change to this
> new account?
> 
> There are things in the logs that ordinary users cannot have access to by default.
> 
> -Steve

+1 to this.

Setting a log reader (logfetch, in my case, from Xymon née Hobbit) 2700 <designateduser>:adm and making logs I want it to be able to read chgrp adm and chmod g+r seemed to be the easiest and most secure way to deal with the situation. Nothing ever needs root privs and existing access controls suffice.


> The simple concept is as depicted above: create a group "logreader" and
> change group ownership of all(/some) system logs to logreader.
> 
> Matthias

One benefit of setgid over simply giving an account "logreader" group membership is that even that user account doesn't have general read access to logs outside of a specific escalation point (in this case, the setgid logfetch tool). To the extent a security review of the log reading code is needed, it makes auditing easier.

If there are multiple levels of log security needed (secure vs. everything else?) one could use multiple setgid tools ("logreader" or "daemon" for regular logs, "adm" for secure ones?), or I suppose just have different users with different group/secondary group memberships.

Either way, one should still never need to make a tool setuid root to read a log we authorized it to.

See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which prompted this


Japheth Cleaver
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
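The setgid "escalation point" the message above describes, as an added example that is not code from the thread, from Xymon or from Fedora: a minimal log reader that is installed setgid adm and runnable only by one designated account, that only opens files which canonicalise to a path under a single log directory, and that permanently drops the adm group right after open() so the rest of the program runs with the caller's own gid. The directory name, the account name "logfetch" and the install path are assumptions for the illustration; the install commands in the header comment mirror the chgrp adm / chmod g+r / mode 2700 recipe from the post.

```c
/*
 * logread.c: a minimal setgid log reader (added example, not Xymon's logfetch).
 * Install as root, assuming group "adm", an account "logfetch" and LOG_DIR=/var/log:
 *   chgrp adm /var/log/messages && chmod 0640 /var/log/messages
 *   cc -O2 -Wall -o /usr/local/libexec/logread logread.c
 *   chown logfetch:adm /usr/local/libexec/logread
 *   chmod 2700 /usr/local/libexec/logread   # setgid adm, executable only by logfetch
 * Only files under LOG_DIR are opened, and the adm group privilege is dropped
 * right after open(), so a bug in the reading code no longer runs as group adm.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef LOG_DIR
#define LOG_DIR "/var/log"   /* assumed log directory */
#endif

/* Return 1 if 'resolved' (an already canonical absolute path) is a file inside
 * 'dir'. The boundary check rejects "/var/logs/x" for dir "/var/log", and
 * rejects the directory itself. */
int path_allowed(const char *resolved, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 0 || resolved[0] != '/') return 0;
    while (n > 1 && dir[n - 1] == '/') n--;        /* tolerate a trailing slash */
    if (strncmp(resolved, dir, n) != 0) return 0;
    return resolved[n] == '/' && resolved[n + 1] != '\0';
}

/* Canonicalise the requested path (follows symlinks, removes ".."), check it is
 * under 'dir', open it read-only, then give up the setgid group for good.
 * Returns an fd, or -1 with errno set (EACCES for a path outside 'dir'). */
int open_log_under(const char *requested, const char *dir)
{
    char resolved[PATH_MAX];
    if (realpath(requested, resolved) == NULL) return -1;
    if (!path_allowed(resolved, dir)) { errno = EACCES; return -1; }

    /* O_NOFOLLOW guards the final component against a symlink swapped in between
     * realpath() and open(); O_CLOEXEC keeps the fd from leaking into children. */
    int fd = open(resolved, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;

    struct stat st;                                /* plain files only, no devices/FIFOs */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EINVAL; return -1;
    }

    /* setregid() with the real gid for both real and effective also overwrites the
     * saved set-group-ID, so the adm privilege cannot be regained. Refuse to go on
     * if the drop fails, otherwise we would keep reading as group adm. */
    gid_t real = getgid();
    if (setregid(real, real) != 0 || getegid() != real) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Copy the opened log to stdout; returns bytes written or -1 on error. */
long copy_fd_to_stdout(int fd)
{
    char buf[8192];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (fwrite(buf, 1, (size_t)n, stdout) != (size_t)n) return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s LOGFILE\n", argv[0]);
        return 2;
    }
    int fd = open_log_under(argv[1], LOG_DIR);
    if (fd < 0) {
        fprintf(stderr, "%s: %s: %s\n", argv[0], argv[1], strerror(errno));
        return 1;
    }
    long n = copy_fd_to_stdout(fd);
    close(fd);
    return n < 0 ? 1 : 0;
}
```

Because realpath() resolves symlinks before the prefix check, a symlink planted in the log directory that points at /etc/shadow is rejected rather than followed, and because the binary is mode 2700 only the designated account can invoke it at all; no part of it ever needs setuid root, which is the point the post makes.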


