
Re: Followup: Syslog



One additional tweak which falls into line with the security setups, and that I
think is a good idea, is to make the log files in /var/log chattr +a
(append only) so logfiles cannot be modified or removed altogether to cover
up tracks. This isn't the biggest security trick, because all it does is
make it so that if you don't know about chattr then you can't install a trojan. If
you've got root then removing the immutability flags is trivial, but only if
you know how to, or even know they exist. But it has kept the lower-level
admins at a site I work at from modifying the logfiles, which is against
policy.

In order to do this properly you need to modify the sysklogd scripts to set
and unset them during rotation (/etc/cron.daily/sysklogd and
/etc/cron.weekly/sysklogd). On a side note, why are system logs rotated
through sysklogd while other logs like btmp are rotated with logrotate? Why
aren't these all done via logrotate? The way I modified these files was as
follows:

(this is the snippet from /etc/cron.weekly/sysklogd that is different)
cd /var/log
# Drop the append-only/immutable flags, rotate, then put them back.
# Note: the chattr lines on the rotated globs will complain on a fresh
# system where no $LOG.N copies exist yet; that is harmless.
for LOG in $(syslogd-listfiles --weekly)
do
   if [ -f "$LOG" ]; then
      chattr -ia "$LOG"
      chattr -i "$LOG".[0-4]
      chattr -i "$LOG".[0-4].gz
      savelog -g adm -m 640 -u root -c 4 "$LOG" >/dev/null
      chattr +a "$LOG"
      chattr +i "$LOG".[0-4]
      chattr +i "$LOG".[0-4].gz
   fi
done

# Auth logs: owned by root:adm, not world-readable, and append-only.
for LOG in $(syslogd-listfiles --auth)
do
   if [ -f "$LOG" ]; then
      chown root.adm "$LOG"
      chmod o-rwx "$LOG"
      chattr +a "$LOG"
   fi
done

(Here is the snippet from /etc/cron.daily/sysklogd that is different):
cd /var/log
# Same dance as the weekly script, but keeping 7 rotated copies.
for LOG in $(syslogd-listfiles)
do
   if [ -f "$LOG" ]; then
      chattr -ia "$LOG"
      chattr -i "$LOG".[0-7]
      chattr -i "$LOG".[0-7].gz
      savelog -g adm -m 640 -u root -c 7 "$LOG" >/dev/null
      chattr +a "$LOG"
      chattr +i "$LOG".[0-7]
      chattr +i "$LOG".[0-7].gz
   fi
done

for LOG in $(syslogd-listfiles --auth)
do
   if [ -f "$LOG" ]; then
      chown root.adm "$LOG"
      chmod o-rwx "$LOG"
      chattr +a "$LOG"
   fi
done

Kenneth Vestergaard Schmidt wrote on Saturday, 14 April 2001:

> (Sorry for the crosspost, but I want to get as much coverage as possible)
> 
> First off, thank you everyone for responding! It's given me some food for 
> thought, and I also found a lot of errors in what I thought would be best.
> Anyway, I've compiled a rough "wishlist" here, listing what people (including 
> me) generally request. The reason for this is to get a discussion started, so 
> we can all have the most efficient (and secure) logging possible. Please 
> comment (if you wish) on the points noted here, but don't feel restricted to 
> only those - I'm more than willing to consider other features...
> 
> Here it goes:
> 
> o One log with everything (like /var/log/syslog)
> o Authentication log (/var/log/auth.log)
> o Non-important stuff in separate logs (/var/log/<service>.{info,warn,err})
> o Human-readable date&time
> o Machine-processible (ie, fixed field widths, like now)
> o High-precision date/time (TAI64?)
> o Docs + inclusion in the "Securing Debian Manual"
> o /secure/ remote-logging (ie, crypto)
> o Fallback log (ie, if something gets missed, it is logged to fx. 
> /var/log/missed)
> o Permission checking (?)
> o Running as non-root
> o Encrypted logs (Compressed?)
> o User-defined facilities (ie, firewall.info, xfree.err)
> 
> After reading through the features which people would like to see, it seems 
> to me that there is really need for something else besides sysklogd. What I 
> really want to know is, why is syslog-ng and/or msyslog not more widely used? 
> What do they lack? Compatibility and security are the only points I can see 
> where they might not qualify as a total replacement.
> 
> With that in mind, I've been considering making my own logger. Is this a good 
> idea? I've considered it a bit, and thought it would be best to start with 
> the current sysklogd source, and make small, tested changes to be sure that 
> it's still safe & working. What do people think of this?
> 
> So, anybody want to jump in and make some comments? Even if you think it's 
> trivial what you have to say, please do so anyway. If you feel it's not worth 
> everybody's mailbox, just mail me personally. Think of it as a poll :)
> 
> And also, if "the people" think it's a good idea with a new syslogger, then 
> there's the all-important question of the project name. Ideas are welcome :)
> 
> 
> Yours truly
> 
> Kenneth Vestergaard Schmidt
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
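The cron snippets in the reply above set +a on live logs and +i on rotated copies but nothing checks later that the flags are still there. The following audit helper is an added example, not code from the thread: it reads lsattr(1) output, expects 'a' on a live log and 'i' on name.N / name.N.gz copies, and reports any file that is missing its flag. The sample lsattr lines in the test are constructed; audit_var_log assumes e2fsprogs' lsattr and GNU find.

```shell
#!/bin/sh
# Audit helper (added example): verify that live logs carry the append-only
# flag (+a) and rotated copies carry the immutable flag (+i), as the
# sysklogd cron snippets set them. Assumes e2fsprogs lsattr and GNU find.

# Flag we expect on a given path: 'i' for rotated copies (name.N, name.N.gz),
# 'a' for the live log that syslogd is still appending to.
expected_flag() {
    case "$1" in
        *.[0-9]|*.[0-9].gz|*.[0-9][0-9]|*.[0-9][0-9].gz) printf 'i' ;;
        *) printf 'a' ;;
    esac
}

# Reads lsattr(1) lines ("----a-------- /var/log/syslog") from stdin and
# prints one verdict per file: "OK <file>" or "MISSING +<flag> <file>".
# lsattr prints its flag letters in a fixed first field; lowercase 'a' is
# append-only and 'i' is immutable, so a substring match on that field is
# enough (the uppercase 'A' no-atime flag does not collide).
audit_log_attrs() {
    while read -r attrs file; do
        [ -n "$file" ] || continue
        want=$(expected_flag "$file")
        case "$attrs" in
            *"$want"*) printf 'OK %s\n' "$file" ;;
            *)         printf 'MISSING +%s %s\n' "$want" "$file" ;;
        esac
    done
}

# Live run over regular files directly under /var/log (run as root so
# auth.log is readable); lsattr errors on non-ext filesystems are dropped.
audit_var_log() {
    find /var/log -maxdepth 1 -type f -exec lsattr {} + 2>/dev/null \
        | audit_log_attrs
}

# Usage: source this file, then:  audit_var_log | grep '^MISSING'
```

Hooking `audit_var_log | grep '^MISSING'` into a daily cron job turns a silently removed flag into a visible report.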
