Hi everyone,

It's been over a month since I submitted bug report #124169 to the BTS and
snort's maintainer, Robert van der Meulen <rvdm at debian dot org>, has not yet
replied to me. This bug report is effectively holding me back from releasing a
fully operational razorback (ITP #115609) package to accompany Debian's snort
package. Pasted below is a copy of that bug report:

===========================================================================
Package: snort
Version: 1.8p1-1
Severity: normal

Dear Robert,

I currently have an ITP to razorback
<http://www.intersectalliance.com/projects/RazorBack/>, which is a GNOME
front-end to snort. Razorback requires access to /var/log/secure in order to
provide real-time monitoring of snort's status. After reading the
documentation for snort, it would seem that snort is meant to log by default
to /var/log/secure, as enabled by -s in the man page and the option you
specified in /etc/snort/snort.conf:

    -s  Send alert messages to syslog. On Linux boxen, they will appear in
        /var/log/secure, /var/log/messages on many other platforms.

However, this file doesn't exist, nor is it logged to even if the file is
created by hand.

My other concern is that the logs under /var/log/snort/ belong to snort.snort
but are being set to 400. To me, this negates the purpose of having the snort
group set up in the first place. I view this as a problem because razorback
ships with a script that can be used to lock down access to the razorback
program via PAM to root access only. However, I'm going to change this
behaviour to allow the snort group access instead, seeing the group does
exist already, but the snort group being denied read access to the logs
doesn't really make sense in this case and would render razorback useless to
all but root/sudo if the script is run at install time.

Hoping to hear from you soon, seeing I'm in a hurry to get razorback packaged.

Yours sincerely,
Andrew "Netsnipe" Lau

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux espresso 2.4.16 #1 Wed Nov 28 01:13:11 EST 2001 i686
Locale: LANG=C, LC_CTYPE=

Versions of packages snort depends on:
ii  adduser                        3.45      Add and remove users and groups
ii  debconf                        1.0.22    Debian configuration management sy
ii  libc6                          2.2.4-7   GNU C Library: Shared libraries an
ii  libpcap0                       0.6.2-2   System interface for user-level pa
ii  snort-common                   1.8p1-1   Flexible NIDS (Network Intrusion D
ii  snort-rules-default [snort-ru  1.8p1-1   Flexible NIDS (Network Intrusion D
ii  sysklogd [syslogd]             1.4.1-8   System Logging Daemon
ii  sysklogd [system-log-daemon]   1.4.1-8   System Logging Daemon
===========================================================================

I have tried a few things to try to get snort to log to /var/log/secure
without much luck. I have inserted -s into snort's startup options within its
init.d script. I have also uncommented:

    output alert_syslog: LOG_AUTH LOG_ALERT

and

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snort dbname=snort host=localhost
    }

from /etc/snort/snort.conf. But snort still refuses to log anything to
/var/log/secure and I cannot figure out why. So does anyone know what I can
do in order to enable it?

Does anyone foresee any security risks involved with making /var/log/snort
readable by the snort group, as I asked in the bug report?

Would an NMU to fix the above problems in snort be reasonable if Robert fails
to address my issues?

Yours sincerely,
Andrew "Netsnipe" Lau
--
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau       DebianPlanet.org Editor & Comp.Sci, UNSW    *
* "apt-get into it"           Debian GNU/Linux New Maintainer             *
* <netsnipe @/ debianplanet.org>        <awhl435 @/ cse.unsw.edu.au>      *
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1 9F4A 9B24 C07D 2E8B 68BD  *
---------------------------------------------------------------------------
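Added example, not part of Andrew's post or of the snort/razorback packages: snort's -s flag and the alert_syslog output line only hand an auth.alert message to syslogd, and the file it lands in is decided entirely by the selector rules in /etc/syslog.conf. The resolver below applies sysklogd selector semantics to a constructed config resembling the Debian sysklogd default (an assumption, not taken from the post), which routes auth.* to /var/log/auth.log, so nothing reaches /var/log/secure until a rule naming that file is added.

```python
# Resolve which files syslogd writes a facility.priority message to, by
# parsing sysklogd-style selector lines ("fac,fac.prio;fac.prio<TAB>action").
# Example code added to illustrate the post; not snort's or sysklogd's own code.

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample resembling the Debian sysklogd default (assumption).
DEBIAN_LIKE_CONF = """\
auth,authpriv.*\t\t\t/var/log/auth.log
*.*;auth,authpriv.none\t\t-/var/log/syslog
daemon.*\t\t\t-/var/log/daemon.log
mail.*\t\t\t\t-/var/log/mail.log
"""

def _parse_selector(selector):
    """Split 'auth,authpriv.*' into (['auth', 'authpriv'], '*')."""
    facs, _, prio = selector.rpartition(".")
    return [f.strip() for f in facs.split(",")], prio.strip()

def _prio_matches(spec, prio):
    """sysklogd priority semantics: '*' all, 'none' nothing, '=p' exactly p, 'p' p and above."""
    if spec == "*":
        return True
    if spec == "none":
        return False
    if spec.startswith("="):
        return prio == spec[1:]
    return PRIORITIES.index(prio) >= PRIORITIES.index(spec)

def resolve_targets(conf_text, facility, priority):
    """Return the actions (log files) that receive a facility.priority message."""
    targets = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        matched = False
        # Later ';'-selectors on the same line override earlier ones for the same
        # facility; this is how "*.*;auth.none" excludes auth from /var/log/syslog.
        for selector in parts[0].split(";"):
            facs, spec = _parse_selector(selector)
            if facility in facs or "*" in facs:
                matched = _prio_matches(spec, priority)
        if matched:
            targets.append(parts[-1].lstrip("-"))  # leading '-' only disables fsync
    return targets

def snort_alert_destinations(conf_text):
    """Where an 'output alert_syslog: LOG_AUTH LOG_ALERT' message actually ends up."""
    return resolve_targets(conf_text, "auth", "alert")

if __name__ == "__main__":
    print(snort_alert_destinations(DEBIAN_LIKE_CONF))
    print(snort_alert_destinations(DEBIAN_LIKE_CONF + "auth.*\t/var/log/secure\n"))
```

Running it against the sample shows the alert going to /var/log/auth.log only; appending an `auth.* /var/log/secure` rule (and restarting syslogd) is what makes the file the snort man page mentions fill up.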