On Tue, Sep 03, 2002 at 10:43:05AM +0200, Janus N. Tøndering wrote:
> Dear Sirs,
>
> I've installed a LIDS kernel (www.lids.org) on my Debian Woody box. I
> think I have figured out most ACLs but I cannot make the daily/weekly
> cron jobs work properly (those that rotate logs etc).
>
> Does someone have any experience regarding this matter?
>
> Regards,
> Janus
> --
> Janus Nørgaard Tøndering
> email: janus@bananus.dk, j@nus.person.dk or janus@daimi.au.dk
>
> "Would you buy a car with the hood welded shut?"
> -Phil Hughes, Linux Journal Magazine

Actually, I'm currently playing around with LIDS on a sarge system too.

The whole nastiness with LIDS here is that you can NOT just allow a process access to a directory. This is very nasty for, say, snort. If you want to have your logs READONLY or APPEND then you cannot just give snort write access to a directory. This is impossible. LIDS needs inodes of files, and snort creates log files while running, depending on day and time I believe. It's impossible to get LIDS to permit these things (at least to my knowledge; if I'm wrong, I'd be very happy to find out all about it).

For you, the only thing that might help is getting logrotate to work with some of those logs. I don't know the proggie very well; maybe you're able to put the logrotates somewhere else?

But that would, then again, be a problem: if you allow logrotate to store the actual rotates in a different directory, you would also want to put this directory in READONLY or APPEND, which is not possible. An attacker would thus be able to access and modify your rotates.

I suppose LIDS has still got some work to do at this point.

-- 
It is, of course, a bit of a drawback that science was invented after I left school.
                -- Lord Carrington