From owner-freebsd-questions@FreeBSD.ORG Sun Sep 14 17:00:53 2008
From: Greg Larkin
Organization: The FreeBSD Project
Reply-To: glarkin@FreeBSD.org
Date: Sun, 14 Sep 2008 13:00:47 -0400
To: Marco Beishuizen
Cc: freebsd-questions@freebsd.org
Subject: Re: logcheck doesn't work anymore
Message-ID: <48CD433F.1060905@FreeBSD.org>
In-Reply-To: <20080913025118.4d406f32@yokozuna.lan>
References: <20080908222921.4daba36a@yokozuna.lan> <48C59453.3090604@FreeBSD.org> <20080912183357.49250e47@yokozuna.lan> <48CAE6FD.4020001@FreeBSD.org> <20080913025118.4d406f32@yokozuna.lan>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
OpenPGP: id=1C940290

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marco Beishuizen wrote:
> On
> Fri, 12 Sep 2008 18:02:37 -0400
> Greg Larkin wrote:
>
>> Hi Marco,
>>
>> Right you are! In fact, after my initial logcheck commit, someone
>> opened a PR stating something very similar to what you noted:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127255
>>
>> The submitter's point is that the logcheck user should not be part of
>> the wheel group, since that also confers the ability to su to root and
>> read many files that should be private.
>>
>> A patch has been committed very recently to remove the logcheck user
>> from the wheel group and change the verbiage in pkg-message:
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-install.in.diff?r1=1.1;r2=1.2
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-message.in.diff?r1=1.1;r2=1.2
>>
>> Any file that needs to be analyzed by logcheck will now have to be
>> readable by the logcheck group instead of the wheel group.
>>
>> Best regards,
>> Greg
>> - --
>> Greg Larkin
>
> I upgraded to the latest version today and now there is a separate
> logcheck group. But logcheck still only works when the logfiles have
> permission 644. Most of them had permissions set to 600 but then I get
> the same error messages as before.
>
> Or should I change the owner of all logfiles from root to logcheck and
> then the permissions back to 600?
>
> Regards,
> Marco

Hi Marco,

Yes, you will need to make the files readable by logcheck, according to
the instructions displayed after the port is installed, but you don't
need to change the owner of the files to be analyzed, just the group and
group permissions:

--------------------------------------------------------------------
Please make sure that all files listed in
/usr/local/etc/logcheck/logcheck.logfiles are readable to the 'logcheck'
group (see also /etc/newsyslog.conf), or remove them from the
aforementioned logcheck configuration file.
--------------------------------------------------------------------

In my installation, logcheck.logfiles contains the following. I believe
this is the default when the port is first installed:

--------------------------------------------------------------------
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/auth.log
--------------------------------------------------------------------

When I check the permissions on these files, I see:

--------------------------------------------------------------------
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r-----  1 root  wheel  63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r--  1 root  wheel  47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------

I can tell that /var/log/messages is readable by the logcheck group
(other = read), but /var/log/auth.log is not (other = none). To fix this
problem, I change the group of the /var/log/auth.log file like so:

--------------------------------------------------------------------
fbsd70# chgrp logcheck /var/log/auth.log
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r-----  1 root  logcheck  63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r--  1 root  wheel     47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------

Finally, I'll add the members of the wheel group to the logcheck group so
anyone in that group can still read the file as they could before:

--------------------------------------------------------------------
fbsd70# grep ^wheel: /etc/group
wheel:*:0:root,glarkin
fbsd70# grep ^wheel: /etc/group | awk -F : '{ print $4 }' | xargs \
    -n1 pw groupmod logcheck -m
fbsd70# grep ^logcheck: /etc/group
logcheck:*:915:root,glarkin
--------------------------------------------------------------------

Now the logcheck, root, and glarkin user can all read /var/log/auth.log,
and the logcheck script should work fine.
I hope that clears everything up. If you have any further questions or
problems, please post back here.

Best regards,
Greg

- --
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIzUM+0sRouByUApARAkK5AKCfeXkA/W5+0YByPuGBqgQkZjxM3gCgybwj
zs5Qhzqab1OPwA/C70yjaUs=
=KRZ2
-----END PGP SIGNATURE-----
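The check Greg does by eye above (is the file world-readable, or owned by the logcheck group with g+r set?) is easy to get wrong across a dozen log files, so here is an audit script for it. This is an added example written for this page; it is not part of Greg's mail or of the logcheck port. It reads a logcheck.logfiles-style list, skips comments and blank lines, inspects each file's mode and group with ls -ld, and for every file the logcheck group cannot read prints the same minimal fix the mail uses: chgrp into the group, plus chmod g+r only when the group read bit is missing, never opening up "other". Files that are listed but absent are reported too, since pkg-message's other option is to drop them from the list. The group name (default "logcheck"), the demo paths and the sample log lines are constructed for the demo; the real list lives in /usr/local/etc/logcheck/logcheck.logfiles.

```shell
#!/bin/sh
# Added example (not part of the mail or of the logcheck port): audit a
# logcheck.logfiles-style list and report every file that a member of
# the logcheck group cannot read, with the chgrp/chmod that would fix it
# without widening 'other' permissions.  Needs only ls, awk, cut, mktemp.
# The group name, paths and log lines in the demo are constructed.

LOGCHECK_GROUP=${LOGCHECK_GROUP:-logcheck}

# readable_by_group MODE GROUP WANTED_GROUP
# MODE is the symbolic mode from ls -l (e.g. -rw-r-----).  Succeeds when
# WANTED_GROUP can read the file: 'other' has read (column 8), or the file
# belongs to WANTED_GROUP and 'group' has read (column 5).
readable_by_group() {
    [ "$(printf '%s' "$1" | cut -c8)" = r ] && return 0
    [ "$2" = "$3" ] && [ "$(printf '%s' "$1" | cut -c5)" = r ] && return 0
    return 1
}

# fix_commands MODE GROUP WANTED_GROUP FILE
# Prints the smallest change that makes FILE readable by WANTED_GROUP:
# move it into the group (the mail's chgrp step) and, only if the group
# read bit is missing, add g+r.  Owner and 'other' bits are left alone.
fix_commands() {
    [ "$2" = "$3" ] || printf 'chgrp %s %s\n' "$3" "$4"
    [ "$(printf '%s' "$1" | cut -c5)" = r ] || printf 'chmod g+r %s\n' "$4"
}

# check_logfiles LISTFILE WANTED_GROUP
# Reads a logcheck.logfiles-style list (blank lines and '#' comments are
# skipped), prints "ok" or the fix for each entry, reports missing files,
# and returns the number of entries that need attention.
check_logfiles() {
    list=$1 want=$2 bad=0
    while IFS= read -r f; do
        case $f in ''|\#*) continue ;; esac
        if [ ! -e "$f" ]; then
            printf '%s: missing (remove it from the list)\n' "$f"
            bad=$((bad + 1))
            continue
        fi
        # ls -ld: field 1 is the mode, field 4 the group, on FreeBSD and GNU.
        set -- $(ls -ld "$f" | awk '{ print $1, $4 }')
        if readable_by_group "$1" "$2" "$want"; then
            printf '%s: ok (%s %s)\n' "$f" "$1" "$2"
        else
            printf '%s: NOT readable by group %s (%s %s)\n' "$f" "$want" "$1" "$2"
            fix_commands "$1" "$2" "$want" "$f"
            bad=$((bad + 1))
        fi
    done < "$list"
    return "$bad"
}

# Stand-alone demo on constructed files: a 0644 messages file, a 0600
# auth.log, and a listed file that no longer exists.  Prints the audit
# and, on the last line, the number of entries needing attention.
demo_count() {
    d=$(mktemp -d)
    printf 'Sep 14 12:48 fbsd70 kernel: constructed sample line\n' > "$d/messages"
    chmod 644 "$d/messages"
    printf 'Sep 14 12:44 fbsd70 sshd[1234]: constructed sample line\n' > "$d/auth.log"
    chmod 600 "$d/auth.log"
    printf '# constructed logcheck.logfiles\n%s\n%s\n%s\n' \
        "$d/messages" "$d/auth.log" "$d/rotated-away.log" > "$d/logcheck.logfiles"
    n=0
    check_logfiles "$d/logcheck.logfiles" "$LOGCHECK_GROUP" || n=$?
    rm -rf "$d"
    echo "$n"
}

demo_count
```

Run as-is it audits the constructed demo (two of three entries need attention: the 0600 file and the missing one). On a real host, source the file and call check_logfiles /usr/local/etc/logcheck/logcheck.logfiles logcheck, then apply the printed commands by hand. One caveat the pkg-message's "(see also /etc/newsyslog.conf)" points at: newsyslog creates the rotated-in log file with the owner:group and mode from that file's line in /etc/newsyslog.conf, so a chgrp applied by hand is lost at the next rotation unless the newsyslog.conf line is changed to the same group and mode.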