One additional tweak which falls into line with the security setups, that I think is a good idea, is to make the log files in /var/log chattr +a (append only) so logfiles cannot be modified or removed altogether to cover up tracks. This isn't the biggest security trick, because all it does is make it so that if you don't know about chattr, you can't install a trojan. If you've got root then removing the immutability flags is trivial, but only if you know how to, or even know they exist. But it has kept the lower-level admins at a site I work at from modifying the logfiles, which is against policy.

In order to do this properly you need to modify the sysklogd scripts to set and unset them during rotation (/etc/cron.daily/sysklogd and /etc/cron.weekly/sysklogd) - on a side note, why are system logs rotated through sysklogd and other logs like btmp are rotated with logrotate? Why aren't these all done via logrotate? - the way I modified these files was as follows:

(This is the snippet from /etc/cron.weekly/sysklogd that is different.)

    cd /var/log
    for LOG in `syslogd-listfiles --weekly`
    do
        if [ -f $LOG ]; then
            # drop append-only/immutable flags so savelog can rotate
            chattr -ia $LOG
            chattr -i $LOG.[0-4]
            chattr -i $LOG.[0-4].gz
            savelog -g adm -m 640 -u root -c 4 $LOG >/dev/null
            # active log: append only; rotated archives: immutable
            chattr +a $LOG
            chattr +i $LOG.[0-4]
            chattr +i $LOG.[0-4].gz
        fi
    done
    for LOG in `syslogd-listfiles --auth`
    do
        if [ -f $LOG ]; then
            chown root.adm $LOG
            chmod o-rwx $LOG
            chattr +a $LOG
        fi
    done

(Here is the snippet from /etc/cron.daily/sysklogd that is different.)

    cd /var/log
    for LOG in `syslogd-listfiles`
    do
        if [ -f $LOG ]; then
            # drop append-only/immutable flags so savelog can rotate
            chattr -ia $LOG
            chattr -i $LOG.[0-7]
            chattr -i $LOG.[0-7].gz
            savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
            # active log: append only; rotated archives: immutable
            chattr +a $LOG
            chattr +i $LOG.[0-7]
            chattr +i $LOG.[0-7].gz
        fi
    done
    for LOG in `syslogd-listfiles --auth`
    do
        if [ -f $LOG ]; then
            chown root.adm $LOG
            chmod o-rwx $LOG
            chattr +a $LOG
        fi
    done

Kenneth Vestergaard Schmidt wrote on Saturday, 14 April 2001:
> (Sorry for the crosspost, but I want to get as much coverage as possible)
>
> First off, thank you everyone for responding! It's given me some food for
> thought, and I also found a lot of errors in what I thought would be best.
> Anyway, I've compiled a rough "wishlist" here, listing what people (including
> me) generally request. The reason for this is to get a discussion started, so
> we can all have the most efficient (and secure) logging possible. Please
> comment (if you wish) on the points noted here, but don't feel restricted to
> only those - I'm more than willing to consider other features...
>
> Here it goes:
>
> o One log with everything (like /var/log/syslog)
> o Authentication log (/var/log/auth.log)
> o Non-important stuff in separate logs (/var/log/<service>.{info,warn,err})
> o Human-readable date&time
> o Machine-processible (ie, fixed field widths, like now)
> o High-precision date/time (TAI64?)
> o Docs + inclusion in the "Securing Debian Manual"
> o /secure/ remote-logging (ie, crypto)
> o Fallback log (ie, if something gets missed, it is logged to fx.
>   /var/log/missed)
> o Permission checking (?)
> o Running as non-root
> o Encrypted logs (Compressed?)
> o User-defined facilities (ie, firewall.info, xfree.err)
>
> After reading through the features which people would like to see, it seems
> to me that there is really a need for something else besides sysklogd. What I
> really want to know is, why is syslog-ng and/or msyslog not more widely used?
> What do they lack? Compatibility and security are the only points I can see
> where they might not qualify as a total replacement.
>
> With that in mind, I've been considering making my own logger. Is this a good
> idea? I've considered it a bit, and thought it would be best to start with
> the current sysklogd source, and make small, tested changes to be sure that
> it's still safe & working. What do people think of this?
>
> So, anybody want to jump in and make some comments? Even if you think it's
> trivial what you have to say, please do so anyway. If you feel it's not worth
> everybody's mailbox, just mail me personally. Think of it as a poll :)
>
> And also, if "the people" think it's a good idea with a new syslogger, then
> there's the all-important question of the project name. Ideas are welcome :)
>
>
> Yours truly
>
> Kenneth Vestergaard Schmidt
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Attachment:
pgpaDMZXvfHXi.pgp
Description: PGP signature
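The reply above sets +a on active logs and +i on rotated archives from the sysklogd cron scripts, but nothing in those scripts tells you afterwards whether the policy actually holds (a failed chattr, a log created after the last rotation, or an admin who stripped the flags). The POSIX sh helper below is an added example, not code from the original mail or from sysklogd: it reads lsattr-style lines ("<flags> <path>", as printed by e2fsprogs' lsattr) on stdin and reports active log files lacking the append-only 'a' attribute and rotated archives (.N or .N.gz) lacking the immutable 'i' attribute. The function names and the sample lines are my own constructed values.

```shell
#!/bin/sh
# Audit helper for the append-only log policy described in the mail above.
# Added example, not code from the original mail or from sysklogd. Reads
# lsattr-style lines ("<flags> <path>") on stdin and prints one line per
# non-compliant file:
#   missing-a <path>   active log file without the append-only attribute
#   missing-i <path>   rotated archive (.N or .N.gz) without the immutable attribute

audit_log_attrs() {
    while read -r flags path; do
        [ -n "$path" ] || continue            # skip blank lines
        case "$path" in
            *.[0-9]|*.[0-9].gz)               # rotated archive: policy wants +i
                case "$flags" in
                    *i*) ;;
                    *)   printf 'missing-i %s\n' "$path" ;;
                esac ;;
            *)                                # active log: policy wants +a
                case "$flags" in
                    *a*) ;;
                    *)   printf 'missing-a %s\n' "$path" ;;
                esac ;;
        esac
    done
}

# Constructed sample in the format printed by e2fsprogs' lsattr (not real output).
SAMPLE='----a--------e-- /var/log/syslog
-------------e-- /var/log/auth.log
----i--------e-- /var/log/syslog.1.gz
-------------e-- /var/log/syslog.2.gz
----a--------e-- /var/log/auth.log.0'

# Run the audit over the constructed sample; the report goes to stdout.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_log_attrs
}

# Exit status 1 if anything is non-compliant, so a cron job can mail on failure.
audit_sample_status() {
    [ -z "$(audit_sample)" ]
}
```

On a live ext2/ext3 system you would feed it real attribute listings, for example `lsattr -d /var/log/* | audit_log_attrs`, and run it from cron shortly after the daily and weekly sysklogd rotation so that a log left without its flag is noticed the same day. The check only covers filesystems that support chattr attributes; on the constructed sample it reports auth.log (no 'a'), syslog.2.gz (no 'i') and auth.log.0 (an archive that was left append-only instead of immutable).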