[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

#124169: snort: Lack of logging to /var/log/secure in default setup & log permissions



Hi everyone,
	It's been over a month since I submitted bug report #124169 to
the BTS and snort's maintainer, Robert van der Meulen
<rvdm at debian dot org>, has not yet replied to me. This bug report is
effectively holding me back from releasing a fully operational
razorback (ITP #115609) package to accompany Debian's snort
package. Pasted below is a copy of that bug report:

===========================================================================

Package: snort
Version: 1.8p1-1
Severity: normal

Dear Robert,
	I currently have an ITP to razorback
<http://www.intersectalliance.com/projects/RazorBack/> which is a
GNOME front-end to snort. Razorback requires access to /var/log/secure
in order to provide real time monitoring of snort's status. After
reading the documentation to snort it would seem that snort is meant
to log by default to /var/log/secure as enabled by -s in the man page
and the option you specified in /etc/snort/snort.conf:

       -s     Send alert messages to  syslog.   On  Linux  boxen,
              they will appear in /var/log/secure, /var/log/messages
	      on many other platforms.

However this file doesn't exist or logged to even if the file is
created by hand.
	My other concern is that as the logs under /var/log/snort/
belong to snort.snort but are being set to 400. To me, this negates
the purpose of having the snort group being setup in the first
place. I view this as a problem because razorback ships with a script
that can be used to lock down access to the razorback program via PAM
to root access only. However, I'm going to change this behaviour to
allow the snort group access instead seeing the group does exist
already, but the snort group being denied read access to the logs
doesn't really make sense in this case and would render razorback
useless to all but root/sudo if the script is run at install time.
	Hoping to hear from you seen seeing I'm in a hurry to get
razorback packaged.

Yours sincerely,
Andrew "Netsnipe" Lau

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux espresso 2.4.16 #1 Wed Nov 28 01:13:11 EST 2001 i686
Locale: LANG=C, LC_CTYPE=

Versions of packages snort depends on:
ii  adduser                       3.45       Add and remove users and groups
ii  debconf                       1.0.22     Debian configuration managemen=
t sy
ii  libc6                         2.2.4-7    GNU C Library: Shared librarie=
s an
ii  libpcap0                      0.6.2-2    System interface for user-leve=
l pa
ii  snort-common                  1.8p1-1    Flexible NIDS (Network Intrusi=
on D
ii  snort-rules-default [snort-ru 1.8p1-1    Flexible NIDS (Network Intrusi=
on D
ii  sysklogd [syslogd]            1.4.1-8    System Logging Daemon
ii  sysklogd [system-log-daemon]  1.4.1-8    System Logging Daemon

===========================================================================

I have tried a few things to try to get snort to log to
/var/log/secure without much luck. I have inserted -s into snort's
startup options within it's init.d script. I have have also
uncommented:
	output alert_syslog: LOG_AUTH LOG_ALERT
and
	ruletype redalert
	{	
		type alert
	        output alert_syslog: LOG_AUTH LOG_ALERT
		output database: log, mysql, user=snort dbname=snort
host=localhost
	}	

from /etc/snort/snort.conf. But snort still refuses to log anything to
/var/log/secure and I cannot figure out why. So does anyone know what
I can do in order to enable it? Does anyone foresee any security risks
involved with making /var/log/snort readable by the snort group as I
asked in the bug report? Would a NMU to fix the above problems in
snort is reasonable if Robert fails to address my issues?

Yours sincerely,
Andrew "Netsnipe" Lau

-- 
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau          DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it"                     Debian GNU/Linux New Maintainer *
*     <netsnipe @/ debianplanet.org>    <awhl435 @/ cse.unsw. edu.au>     * 
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *
---------------------------------------------------------------------------

Attachment: pgpJ6PFWo86T_.pgp
Description: PGP signature


Reply to: