Re: LIDS and daily cron jobs
On Tue, Sep 03, 2002 at 10:43:05AM +0200, Janus N. Tøndering wrote:
> Dear Sirs,
>
> I've installed a LIDS kernel (www.lids.org) on my Debian Woody box. I
> think I have figured out most ACLs but I cannot make the daily/weekly
> cron jobs work properly (those that rotate logs etc).
>
> Does someone have any experience regarding this matter?
>
> Regards,
> Janus
> --
> Janus Nørgaard Tøndering
> email: [EMAIL PROTECTED], [EMAIL PROTECTED] or [EMAIL PROTECTED]
>
> "Would you buy a car with the hood welded shut?"
> -Phil Hughes, Linux Journal Magazine

Actually, me too: I'm currently playing around with LIDS on a sarge system.

The whole nastiness with LIDS here is that you can NOT just allow a process access to a directory. This is very nasty for, say, snort. If you want to have your logs READONLY or APPEND then you cannot just give snort access to a directory as write. This is impossible. LIDS needs inodes of files, and snort creates log files while running, depending on day and time I believe. It's impossible to get LIDS to permit these things (at least to my knowledge; if I'm wrong, I'd be very happy to find out all about it).

For you the only thing that might help you is getting logrotate to work with some of those logs. I don't know the proggie very well; maybe you're able to put the logrotates somewhere else? But that would, then again, be a problem: if you allow logrotate to store the actual rotates in a different directory, you would also want to put this directory in READONLY or APPEND, which is not possible. An attacker would thus be able to access and modify your rotates.

I suppose LIDS has still got some work to do at this point.

--
It is, of course, a bit of a drawback that science was invented after I left school.
-- Lord Carrington
Re: LIDS and daily cron jobs
Hi,

[EMAIL PROTECTED] wrote:
>
> I've played with LIDS some time ago. As far as I know, you
> could simply allow the /usr/sbin/logrotate program to write
> to the specified log directories and make the executable
> itself write-protected (at least all the "sbin"-programs
> should be so, right?) so that it can't be modified.
>
> Hope that this helps.

No, that doesn't help.

In your solution everybody can execute logrotate with ANY configuration file as OFTEN as he wants to. So everybody can delete or even modify (if APPEND is allowed) the logfiles.

At first you have to protect the "ANY configuration file". This can be done by giving the specific rights to /etc/cron.daily/logrotate. Then you have to limit the number of executions, so /etc/cron.daily(/logrotate) has to be protected for everyone (DENY) except for crond. In addition crontab etc. have to be protected, too.

There are many more solutions for this problem...

Sorry, I don't have any Debian-specific solution, but I just wanted to tell you that your solution is wrong and gives a false sense of security.

Regards,
Ralf Dreibrodt

--
Mesos
Wallstr. 123
51063 Koeln
Phone 49 221 9639263
Fax 49 221 9646649
Mail [EMAIL PROTECTED]
Re: LIDS and daily cron jobs
Hi Janus!

I've played with LIDS some time ago. As far as I know, you could simply allow the /usr/sbin/logrotate program to write to the specified log directories and make the executable itself write-protected (at least all the "sbin"-programs should be so, right?) so that it can't be modified.

Hope that this helps.

Regards,
Martin Neuhaeusser

On Tue, Sep 03, 2002 at 10:43:05AM +0200, Janus N. Tøndering wrote:
> Dear Sirs,
>
> I've installed a LIDS kernel (www.lids.org) on my Debian Woody box. I
> think I have figured out most ACLs but I cannot make the daily/weekly
> cron jobs work properly (those that rotate logs etc).
>
> Does someone have any experience regarding this matter?
>
> Regards,
> Janus
> --
> Janus Nørgaard Tøndering
> email: [EMAIL PROTECTED], [EMAIL PROTECTED] or [EMAIL PROTECTED]
>
> "Would you buy a car with the hood welded shut?"
> -Phil Hughes, Linux Journal Magazine

--
\ / ---==( o )==---
PGP encrypted messages preferred.
Public-Key at: http://sawfish.weh.rwth-aachen.de/~martin/index.html
LIDS and daily cron jobs
Dear Sirs,

I've installed a LIDS kernel (www.lids.org) on my Debian Woody box. I think I have figured out most ACLs but I cannot make the daily/weekly cron jobs work properly (those that rotate logs etc).

Does someone have any experience regarding this matter?

Regards,
Janus

--
Janus Nørgaard Tøndering
email: [EMAIL PROTECTED], [EMAIL PROTECTED] or [EMAIL PROTECTED]

"Would you buy a car with the hood welded shut?"
-Phil Hughes, Linux Journal Magazine