Re: LIDS and daily cron jobs

To: debian-security@lists.debian.org
Subject: Re: LIDS and daily cron jobs
From: Ralf Dreibrodt <rd@mesos.de>
Date: Tue, 03 Sep 2002 12:16:54 +0200
Message-id: <[🔎] 3D748C16.506195A5@mesos.de>
References: <[🔎] 1031042626.7782.1.camel@banan.skjoldhoej.dk> <[🔎] 20020903094638.GA7096@weh.RWTH-Aachen.de>

Hi,

martin@weh.rwth-aachen.de wrote:
> 
> I've played with LIDS some time ago. As far as I know, you
> could simply allow the /usr/sbin/logrotate program to write
> to the specified log directories and make the executable
> itself write-protected (at least all the "sbin"-programs
> should be so, right?) so that it can't be modified.
> 
> Hope that this helps.

no, that doesn't help.
In your solution everybody can execute logrotate with ANY configuration file
as OFTEN as he want to.
So everybody can delete or even modify (if APPEND is allowed) the logfiles.

at first you have to protect the "ANY configuration file".
this can be done by giving the specific rights to /etc/cron.daily/logrotate.

then you have to limit the number of execution, so
/etc/cron.daily(/logrotate) has to be protected for everyone (DENY) beside
for crond.
in addition crontab etc. have to be protected, too.

there are much more solutions for this problem...

sorry, i don't have any debian specific solution, but i just wanted to tell
you, that your solution is wrong and gives a false sense of security.

Regards,
Ralf Dreibrodt

-- 
Mesos         Telefon 49 221 9639263
Wallstr. 123      Fax 49 221 9646649
51063 Koeln         Mail rd@mesos.de

Reply to:

References:
- LIDS and daily cron jobs
  - From: "Janus N." Tøndering <janus@bananus.dk>
- Re: LIDS and daily cron jobs
  - From: martin@weh.rwth-aachen.de

Prev by Date: Re: LIDS and daily cron jobs
Next by Date: Re: Checking Signatures and Checksums
Previous by thread: Re: LIDS and daily cron jobs
Next by thread: Re: LIDS and daily cron jobs
Index(es):
- Date
- Thread