From owner-freebsd-security Mon Jul 27 11:36:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10031 for freebsd-security-outgoing; Mon, 27 Jul 1998 11:36:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA09903 for ; Mon, 27 Jul 1998 11:36:22 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id LAA02491; Mon, 27 Jul 1998 11:35:40 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Mon, 27 Jul 1998 11:35:40 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Robert Watson
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Jul 1998, Robert Watson wrote:

>Jan,
>
>On my own machines I have added a "logger" group and set permissions in
>this manner:
>
>/var/cron/log            root.loguser    640  3     100  *     Z
>/var/log/amd.log         root.loguser    644  7     100  *     Z
>/var/log/kerberos.log    root.loguser    640  7     100  *     Z
>/var/log/lpd-errs        root.loguser    644  7     100  *     Z
>/var/log/maillog         root.loguser    644  7     *    24    Z
>/var/log/messages        root.loguser    644  5     *    168   Z
>/var/log/slip.log        root.loguser    640  3     100  *     Z
>/var/log/ppp.log         root.loguser    640  3     100  *     Z
>/var/log/wtmp            root.loguser    644  52    *    168   ZB
>/var/log/auth            root.loguser    640  14    *    168   Z
># my stuff
>/var/log/ftpd.log        root.loguser    640  3     *    168   Z
>/var/log/pop.log         root.loguser    640  3     *    72    Z
>/var/log/kadmind.syslog  root.loguser    640  14    *    168   Z
>/var/log/imapd.log       root.loguser    640  3     *    72    Z
>/var/log/all-log         root.loguser    640  7     *    72    Z
>
>A number of daemons and other programs tend to leak sensitive information
>(such as bad login information) to publicly readable logs -- and I did
>not want to give users root access to get to these files where it was
>actually unnecessary.

Exactly my point!

>
>For more general use, root.wheel would probably be sufficient. I also
>changed some of the syslog logging rules to prevent auth-style log entries
>from going to the wrong places.

Yes, our /etc/syslog.conf can use an auth.* entry or some other such entry.
I also simply chown logs to root.wheel -- my rationale is that if you are in
group wheel, most likely you can su(1) to root anyway and read logs -- this
way you can read logs w/o doing the extra su(1) step.

>
>I suspect that there are some daemons/etc out there that are delivering
>some of the auth-style log messages with the wrong level on the log
>message (i.e., notice or something) and as a result, they are not getting
>caught by this. However, I have not looked closely.
>
>I don't know if the standard FreeBSD ssh port/package changes the log
>level from DAEMON to AUTH or not, but I certainly had to do that on my own
>build of sshd (see /etc/sshd_config).

Heh.. I also always have:

% grep AUTH /etc/sshd_config
SyslogFacility AUTH
%

Then again, I never use ports or packages. :)

-- Yan

>
>On Mon, 27 Jul 1998, Jan B. Koum wrote:
>
>>
>> Hello all,
>>
>> By default FreeBSD has many files in /var/log group write. What is
>> the reason for that? Can we change this to be group read only?
>> Also, would it make more sense to ship /var/log/messages o-r by
>> default? Why do we want all world to know what goes into our
>> /var/log/messages files?
>> [we would also need to modify /etc/newsyslog.conf's mode column
>> to 640 then]
>>
>> -- Yan
>>
>> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
>> www.FreeBSD.org -- The Power to Serve  |  to go home in the dark."
>> "Write longer sentences - they are paying us a lot of money"
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe security" in the body of the message
>>
>
>
>  Robert N Watson
>
>Carnegie Mellon University            http://www.cmu.edu/
>TIS Labs at Network Associates, Inc.  http://www.tis.com/
>SafePort Network Services             http://www.safeport.com/
>robert@fledge.watson.org              http://www.watson.org/~robert/
>
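The thread's fix is to tighten the mode column in /etc/newsyslog.conf to 640. The sh/awk script below is an added example, not code from the thread or from FreeBSD: it audits newsyslog.conf(5) entries and reports any log that stays world-readable or group-writable. The sample file is constructed for this example from the listing quoted above; the function names and the /var/log/lpd-errs entry without an owner.group column are my own.

```shell
#!/bin/sh
# Audit newsyslog.conf(5) modes: report entries whose mode still grants
# world read (o+r) or group write (g+w), the two problems raised in the thread.

# audit_newsyslog FILE -> prints "<logfile> <mode> <problem>" per offending entry
audit_newsyslog() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        # The owner.group column is optional; if field 2 is octal it is the mode.
        if ($2 ~ /^[0-7]+$/) { mode = $2 } else { mode = $3 }
        n = length(mode)
        g = substr(mode, n - 1, 1) + 0      # group permission digit
        o = substr(mode, n, 1) + 0          # other (world) permission digit
        if (int(o / 4) % 2 == 1) print $1, mode, "world-readable"
        if (int(g / 2) % 2 == 1) print $1, mode, "group-writable"
    }' "$1"
}

# count_findings FILE -> number of offending entries
count_findings() {
    audit_newsyslog "$1" | wc -l | tr -d ' '
}

# Constructed sample (not a real system file), modelled on the quoted listing;
# maillog is deliberately 664 to show a group-writable entry.
sample_conf() {
    cat <<'EOF'
# logfilename           [owner.group]   mode count size when  flags
/var/cron/log           root.loguser    640  3     100  *     Z
/var/log/messages       root.loguser    644  5     *    168   Z
/var/log/auth           root.loguser    640  14    *    168   Z
/var/log/maillog        root.loguser    664  7     *    24    Z
/var/log/wtmp           root.loguser    644  52    *    168   ZB
/var/log/lpd-errs                       644  7     100  *     Z
EOF
}

# Stand-alone run: write the sample to a temp file and audit it
tmp=$(mktemp) && sample_conf > "$tmp"
audit_newsyslog "$tmp"
rm -f "$tmp"
```

Point it at the real file with `audit_newsyslog /etc/newsyslog.conf`; entries listed as world-readable are the ones to move to 640 (or 600) together with a matching chmod on the live log.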