Date:      Sun, 14 Sep 2008 13:00:47 -0400
From:      Greg Larkin <glarkin@FreeBSD.org>
To:        Marco Beishuizen <mbeis@xs4all.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: logcheck doesn't work anymore
Message-ID:  <48CD433F.1060905@FreeBSD.org>
In-Reply-To: <20080913025118.4d406f32@yokozuna.lan>
References:  <20080908222921.4daba36a@yokozuna.lan>	<48C59453.3090604@FreeBSD.org>	<20080912183357.49250e47@yokozuna.lan>	<48CAE6FD.4020001@FreeBSD.org> <20080913025118.4d406f32@yokozuna.lan>

Marco Beishuizen wrote:
> On Fri, 12 Sep 2008 18:02:37 -0400
> Greg Larkin <glarkin@freebsd.org> wrote:
> 
>> Hi Marco,
>>
>> Right you are!  In fact, after my initial logcheck commit, someone
>> opened a PR stating something very similar to what you noted:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127255
>>
>> The submitter's point is that the logcheck user should not be part of
>> the wheel group, since that also confers the ability to su to root and
>> read many files that should be private.
>>
>> A patch has been committed very recently to remove the logcheck user
>> from the wheel group and change the verbiage in pkg-message:
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-install.in.diff?r1=1.1;r2=1.2
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-message.in.diff?r1=1.1;r2=1.2
>>
>> Any file that needs to be analyzed by logcheck will now have to be
>> readable by the logcheck group instead of the wheel group.
>>
>> Best regards,
>> Greg
>> --
>> Greg Larkin
> 
> I upgraded to the latest version today and now there is a separate
> logcheck group. But logcheck still only works when the logfiles have
> permission 644. Most of them had permissions set to 600 but then I get
> the same error messages as before.
> 
> Or should I change the owner of all logfiles from root to logcheck and
> then the permissions back to 600?
> 
> Regards,
> Marco

Hi Marco,

Yes, you will need to make the files readable by logcheck, according to
the instructions displayed after the port is installed, but you don't
need to change the owner of the files to be analyzed, just the group and
group permissions:
    --------------------------------------------------------------------
    Please make sure that all files listed in

      /usr/local/etc/logcheck/logcheck.logfiles

    are readable to the 'logcheck' group (see also /etc/newsyslog.conf),
    or remove them from the aforementioned logcheck configuration file.
    --------------------------------------------------------------------


In my installation, logcheck.logfiles contains the following.  I believe
this is the default when the port is first installed:
    --------------------------------------------------------------------
    # these files will be checked by logcheck
    # This has been tuned towards a default syslog install
    /var/log/messages
    /var/log/auth.log
    --------------------------------------------------------------------


When I check the permissions on these files, I see:
    --------------------------------------------------------------------
    fbsd70# ls -l /var/log/messages /var/log/auth.log
    -rw-r-----  1 root  wheel  63339 Sep 14 12:44 /var/log/auth.log
    -rw-r--r--  1 root  wheel  47346 Sep 14 12:48 /var/log/messages
    --------------------------------------------------------------------


I can tell that /var/log/messages is readable by the logcheck group
(other = read), but /var/log/auth.log is not (other = none). To fix this
problem, I change the group of the /var/log/auth.log file like so:
    --------------------------------------------------------------------
    fbsd70# chgrp logcheck /var/log/auth.log
    fbsd70# ls -l /var/log/messages /var/log/auth.log
    -rw-r-----  1 root  logcheck  63339 Sep 14 12:44 /var/log/auth.log
    -rw-r--r--  1 root  wheel     47346 Sep 14 12:48 /var/log/messages
    --------------------------------------------------------------------


Finally, I'll add the members of the wheel group to the logcheck group
so anyone in that group can still read the file as they could before:
    --------------------------------------------------------------------
    fbsd70# grep ^wheel: /etc/group
    wheel:*:0:root,glarkin
    fbsd70# grep ^wheel: /etc/group | awk -F : '{ print $4 }' | xargs \
        -n1 pw groupmod logcheck -m
    fbsd70# grep ^logcheck: /etc/group
    logcheck:*:915:root,glarkin
    --------------------------------------------------------------------


Now the logcheck, root, and glarkin user can all read /var/log/auth.log,
and the logcheck script should work fine.  I hope that clears everything
up.  If you have any further questions or problems, please post back here.

Best regards,
Greg
--
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
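As an added example (not part of Greg's message or of the logcheck port), a small POSIX sh audit script that applies the check above to every entry in logcheck.logfiles: it parses `ls -l` output so it behaves the same on FreeBSD and Linux, and treats a file as readable by the logcheck group when either the "other" read bit is set or the file's group is logcheck and the group read bit is set. The group name and list path are parameters; the paths in the usage comment are the ones from the message.

```shell
#!/bin/sh
# Audit a logcheck.logfiles-style list and report which entries the given
# group (normally 'logcheck') cannot read.  Parses `ls -ld` rather than
# stat(1), whose flags differ between FreeBSD and Linux.

# mode_string FILE -> permission string, e.g. -rw-r-----
mode_string() {
    ls -ld "$1" | awk '{ print $1 }'
}

# group_name FILE -> owning group of FILE
group_name() {
    ls -ld "$1" | awk '{ print $4 }'
}

# readable_by_group FILE GROUP
# Returns 0 if members of GROUP can read FILE: either the "other" read bit
# is set, or FILE belongs to GROUP and the group read bit is set.
readable_by_group() {
    file=$1; group=$2
    mode=$(mode_string "$file")
    fgrp=$(group_name "$file")
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    [ "$other_r" = "r" ] && return 0
    [ "$fgrp" = "$group" ] && [ "$group_r" = "r" ] && return 0
    return 1
}

# audit_logfiles LISTFILE GROUP
# Reads LISTFILE (blank lines and '#' comments skipped), prints one status
# line per entry and returns the number of entries GROUP cannot read.
audit_logfiles() {
    listfile=$1; group=$2; bad=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        if [ ! -e "$line" ]; then
            echo "MISSING  $line"; bad=$((bad + 1))
        elif readable_by_group "$line" "$group"; then
            echo "OK       $line"
        else
            echo "FIX      $line  (chgrp $group $line; chmod g+r $line)"
            bad=$((bad + 1))
        fi
    done < "$listfile"
    return "$bad"
}

# Usage: audit_logfiles /usr/local/etc/logcheck/logcheck.logfiles logcheck
```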
