
Re: LIDS and daily cron jobs


martin@weh.rwth-aachen.de wrote:
> I've played with LIDS some time ago. As far as I know, you
> could simply allow the /usr/sbin/logrotate program to write
> to the specified log directories and make the executable
> itself write-protected (at least all the "sbin"-programs
> should be so, right?) so that it can't be modified.
> Hope that this helps.

No, that doesn't help.
In your solution everybody can execute logrotate with ANY configuration file
as OFTEN as he wants to.
So everybody can delete or even modify (if APPEND is allowed) the logfiles.

At first you have to protect the "ANY configuration file".
This can be done by giving the specific rights to /etc/cron.daily/logrotate.

Then you have to limit the number of executions, so
/etc/cron.daily(/logrotate) has to be protected for everyone (DENY) except
for crond.
In addition crontab etc. have to be protected, too.

There are many more solutions for this problem...

Sorry, I don't have any Debian specific solution, but I just wanted to tell
you that your solution is wrong and gives a false sense of security.

Ralf Dreibrodt

Mesos         Telefon 49 221 9639263
Wallstr. 123      Fax 49 221 9646649
51063 Koeln         Mail rd@mesos.de
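The rule set Ralf sketches, written out as an added example (not code from the thread, the Debian package or the LIDS project): the WRITE right on /var/log is given to the cron script /etc/cron.daily/logrotate and inherited by the logrotate it starts, /usr/sbin/logrotate itself gets nothing, and /etc/cron.daily plus the crontabs are DENY for everything but the cron daemon. The lidsconf(8) syntax (`-A [-s SUBJECT] -o OBJECT [-i LEVEL] -j ACTION`), the inheritance depth for cron's run-parts chain and the Debian paths (/usr/sbin/cron, /var/spool/cron/crontabs) are assumptions and must be checked against the LIDS version actually installed.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the LIDS project.
# It writes Ralf's advice down as a LIDS ACL table:
#   * the right to WRITE under /var/log (rename, truncate, remove) goes to the
#     cron script /etc/cron.daily/logrotate and is inherited by the logrotate
#     it starts; /usr/sbin/logrotate itself gets no right of its own,
#   * /etc/cron.daily, /etc/crontab and the crontab spool are DENY for every
#     program except the cron daemon,
#   * /usr/sbin and the logrotate configuration are read-only for everyone.
# A root shell that runs "logrotate -f /tmp/evil.conf" then has only the
# global APPEND right on /var/log and cannot delete or rewrite a log.
#
# Assumptions (not in the post): lidsconf(8) from LIDS 1.x with the form
#   lidsconf -A [-s SUBJECT] -o OBJECT [-i LEVEL] -j DENY|READONLY|APPEND|WRITE
# where -i is how many exec() generations inherit the rule, and the Debian
# paths /usr/sbin/cron, /etc/cron.daily/logrotate and
# /var/spool/cron/crontabs.  Check both against your lidsconf(8) before use.
set -eu

# cron -> sh -> run-parts -> script: three exec() levels below cron (assumption).
CRON_DEPTH=${CRON_DEPTH:-3}

# Rule table: subject ("-" = every program), object, inherit depth, action.
logrotate_rules() {
    cat <<EOF
- /usr/sbin 0 READONLY
- /etc/logrotate.conf 0 READONLY
- /etc/logrotate.d 0 READONLY
- /var/log 0 APPEND
- /etc/cron.daily 0 DENY
- /etc/crontab 0 DENY
- /var/spool/cron/crontabs 0 DENY
/usr/sbin/cron /etc/cron.daily $CRON_DEPTH READONLY
/usr/sbin/cron /etc/crontab 0 READONLY
/usr/sbin/cron /var/spool/cron/crontabs 0 READONLY
/etc/cron.daily/logrotate /var/log 1 WRITE
EOF
}

# Build the lidsconf command line for one table row.
rule_cmd() {
    subject=$1 object=$2 depth=$3 action=$4
    set -- -A
    if [ "$subject" != "-" ]; then set -- "$@" -s "$subject"; fi
    set -- "$@" -o "$object"
    if [ "$depth" != 0 ]; then set -- "$@" -i "$depth"; fi
    set -- "$@" -j "$action"
    printf 'lidsconf'
    printf ' %s' "$@"
    printf '\n'
}

# Print the whole rule set, or with "apply" run it (root, LIDS-enabled kernel).
emit_rules() {
    mode=${1:-print}
    logrotate_rules | while read -r subject object depth action; do
        cmd=$(rule_cmd "$subject" "$object" "$depth" "$action")
        if [ "$mode" = apply ]; then
            $cmd            # paths above contain no spaces, so word splitting is safe
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Number of rules in the table (11 with the table as written).
rule_count() { logrotate_rules | wc -l | tr -d ' '; }

case ${1:-print} in
    --apply)
        command -v lidsconf >/dev/null 2>&1 || { echo 'lidsconf not found' >&2; exit 1; }
        emit_rules apply ;;
    *)
        emit_rules print ;;
esac
```

Without arguments the script only prints the lidsconf commands so they can be reviewed; `--apply` runs them. Two caveats to verify on the target: /etc/cron.daily/logrotate is a shell script, and whether LIDS matches a script or its interpreter (/bin/sh) as the subject depends on the LIDS version, so the WRITE rule may have to be attached differently; and the `-i` depth for cron must cover every exec() between the daemon and the script (sh, run-parts), or the script never becomes readable. What the rules are meant to stop is exactly the case in the post: an intruder with root feeding logrotate his own configuration (for instance one with `rotate 0`, which makes logrotate remove old logs instead of keeping them) to wipe or rewrite the logs.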
