Date:      Mon, 27 Jul 1998 11:35:40 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: files in /var/log
Message-ID:  <Pine.BSF.3.96.980727113239.29202E-100000@shell6.ba.best.com>
In-Reply-To: <Pine.BSF.3.96.980727083240.7733D-100000@fledge.watson.org>

On Mon, 27 Jul 1998, Robert Watson wrote:

>Jan,
>
>On my own machines I have added a "logger" group and set permissions in
>this manner:
>
>/var/cron/log           root.loguser    640  3     100  *     Z
>/var/log/amd.log        root.loguser    644  7     100  *     Z
>/var/log/kerberos.log   root.loguser    640  7     100  *     Z
>/var/log/lpd-errs       root.loguser    644  7     100  *     Z
>/var/log/maillog        root.loguser    644  7     *    24    Z
>/var/log/messages       root.loguser    644  5     *   168    Z
>/var/log/slip.log       root.loguser    640  3     100  *     Z
>/var/log/ppp.log        root.loguser    640  3     100  *     Z
>/var/log/wtmp           root.loguser    644  52    *    168   ZB
>/var/log/auth           root.loguser    640  14    *    168   Z
># my stuff
>/var/log/ftpd.log       root.loguser    640  3     *    168   Z
>/var/log/pop.log        root.loguser    640  3     *    72    Z
>/var/log/kadmind.syslog root.loguser    640  14    *    168   Z
>/var/log/imapd.log      root.loguser    640  3     *    72    Z
>/var/log/all-log        root.loguser    640  7     *    72    Z
>
>A number of daemons and other programs tend to leak sensitive information
>(such as bad login information) to publicly readable logs -- and I did
>not want to give users root access to get to these files where it was
>actually unnecessary.

	Exactly my point!

>
>For more general use, root.wheel would probably be sufficient.  I also
>changed some of the syslog logging rules to prevent auth-style log entries
>from going to the wrong places.

	Yes, our /etc/syslog.conf can use an auth.* entry or some other such
entry.
	I also simply chown logs to root.wheel -- my rationale is that if
you are in group wheel, most likely you can su(1) to root anyway and read
logs -- this way you can read logs w/o doing extra su(1) step.

>
>I suspect that there are some daemons/etc out there that are delivering
>some of the auth-style log messages with the wrong level on the log
>message (i.e., notice or something) and as a result, they are not getting
>caught by this.  However, I have not looked closely.
>
>I don't know if the standard FreeBSD ssh port/package changes the log
>level from DAEMON to AUTH or not, but I certainly had to do that on my own
>build of sshd (see /etc/sshd_config).


	Heh.. I also always have:

% grep AUTH /etc/sshd_config
SyslogFacility AUTH
% 
	Then again, I never use ports or packages. :)

-- Yan


>
>On Mon, 27 Jul 1998, Jan B. Koum  wrote:
>
>> 
>> 	Hello all,
>> 
>> 	By default FreeBSD has many files in /var/log group write. What is
>> the reason for that? Can we change this to be group read only?
>> 	Also, would it make more sense to ship /var/log/messages o-r by
>> default? Why do we want all world to know what goes into our
>> /var/log/messages files?
>> 	[we would also need to modify /etc/newsyslog.conf's mode column
>> to 640 then]
>> 
>> -- Yan
>> 
>> Jan Koum                  jkb@best.com |  "Turn up the lights; I don't want
>> www.FreeBSD.org --  The Power to Serve |   to go home in the dark."
>> "Write longer sentences - they are paying us a lot of money"
>> 
>> 
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe security" in the body of the message
>> 
>
>
>  Robert N Watson 
>
>Carnegie Mellon University            http://www.cmu.edu/
>TIS Labs at Network Associates, Inc.  http://www.tis.com/
>SafePort Network Services             http://www.safeport.com/
>robert@fledge.watson.org              http://www.watson.org/~robert/
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>


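The newsyslog.conf listing Robert quotes and the mode question Jan raises in his original post both come down to one check: which entries in the table still grant group write or other read. The POSIX shell script below is an added example, not code from either poster or from FreeBSD. It reads a constructed newsyslog.conf fragment (the paths and modes are invented for the example and assume the owner:group column syntax, which is optional in newsyslog.conf), reports the entries looser than 640, and emits the same table with the group-write and "other" bits cleared, i.e. the 640 Jan proposes.

```shell
#!/bin/sh
# Added example, not from the thread: audit a newsyslog.conf-style table for
# log files whose mode is looser than 640 (group-writable or world-readable).
# The table below is constructed for this example; the paths and modes are
# illustrative, not the contents of any real host's /etc/newsyslog.conf.

SAMPLE_CONF='# logfilename          [owner:group]   mode count size when  flags
/var/log/messages       root:wheel      644  5     *     168   Z
/var/log/auth.log       root:wheel      640  14    *     168   Z
/var/log/maillog        root:wheel      664  7     *     24    Z
/var/log/lpd-errs                       644  7     100   *     Z'

# The owner:group column is optional in newsyslog.conf, so the mode is the
# second field when that field is all octal digits, otherwise the third.
# Prints one line per offending entry: "<file> <mode> [group-write] [other-read]".
audit_newsyslog_modes() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            col = ($2 ~ /^[0-7]+$/) ? 2 : 3
            m = 0
            for (i = 1; i <= length($(col)); i++) m = m * 8 + substr($(col), i, 1)
            reasons = ""
            if (int(m / 16) % 2 == 1) reasons = reasons " group-write"   # 020 bit
            if (int(m / 4) % 2 == 1)  reasons = reasons " other-read"    # 004 bit
            if (reasons != "") print $1, $(col) reasons
        }'
}

# Emit the same table with group-write and all "other" bits cleared, which
# turns 644 and 664 into 640 (a 600 entry stays 600). Columns come out
# tab-separated; comments and blank lines pass through unchanged.
tighten_newsyslog_modes() {
    printf '%s\n' "$1" | awk '
        BEGIN { OFS = "\t" }
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            col = ($2 ~ /^[0-7]+$/) ? 2 : 3
            m = 0
            for (i = 1; i <= length($(col)); i++) m = m * 8 + substr($(col), i, 1)
            m -= m % 8                            # drop r/w/x for "other"
            if (int(m / 16) % 2 == 1) m -= 16     # drop group-write
            $(col) = sprintf("%03o", m)
            print
        }'
}

# Run against the constructed sample; on a real host substitute
# "$(cat /etc/newsyslog.conf)" for "$SAMPLE_CONF".
audit_newsyslog_modes "$SAMPLE_CONF"
tighten_newsyslog_modes "$SAMPLE_CONF"
```

The audit only looks at the mode column, so it reports /var/log/messages at 644 even though that file's existing permissions on disk are whatever the last rotation left; newsyslog applies the mode when it creates the rotated file, which is why Jan's note about changing the mode column is the part that makes the chmod stick.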