Re: LIDS and daily cron jobs
> I've played with LIDS some time ago. As far as I know, you
> could simply allow the /usr/sbin/logrotate program to write
> to the specified log directories and make the executable
> itself write-protected (at least all the "sbin"-programs
> should be so, right?) so that it can't be modified.
> Hope that this helps.
no, that doesn't help.
In your solution everybody can execute logrotate with ANY configuration file
as OFTEN as he want to.
So everybody can delete or even modify (if APPEND is allowed) the logfiles.
at first you have to protect the "ANY configuration file".
this can be done by giving the specific rights to /etc/cron.daily/logrotate.
then you have to limit the number of execution, so
/etc/cron.daily(/logrotate) has to be protected for everyone (DENY) beside
in addition crontab etc. have to be protected, too.
there are much more solutions for this problem...
sorry, i don't have any debian specific solution, but i just wanted to tell
you, that your solution is wrong and gives a false sense of security.
Mesos Telefon 49 221 9639263
Wallstr. 123 Fax 49 221 9646649
51063 Koeln Mail email@example.com