
Re: LIDS and daily cron jobs

On Tue, Sep 03, 2002 at 10:43:05AM +0200, Janus N. Tøndering wrote:
> Dear Sirs,
> I've installed a LIDS kernel (www.lids.org) on my Debian Woody box. I
> think I have figured out most ACLs but I cannot make the daily/weekly
> cron jobs work properly (those that rotate logs etc).
> Does someone have any experience regarding this matter?
> Regards,
> Janus
> -- 
> Janus Nørgaard Tøndering
> email: janus@bananus.dk, j@nus.person.dk or janus@daimi.au.dk
> "Would you buy a car with the hood welded shut?"
> -Phil Hughes, Linux Journal Magazine
Actually, I too am currently playing around with LIDS on a sarge system. The whole nastiness with LIDS here is that
you can NOT just allow a process access to a directory. This is very nasty, for, say, snort. If you want to have your logs
READONLY or APPEND then you cannot just give snort access to a directory as write. This is impossible. LIDS needs inodes of
files, and snort creates log files while running, depending on day and time I believe. It's impossible to get LIDS to permit
these things (at least to my knowledge; if I'm wrong, I'd be very happy to find out all about it).

For you, the only thing that might help is getting logrotate to work with some of those logs. I don't know the proggie
very well; maybe you're able to put the logrotates somewhere else? But that would, then again, be a problem: if you allow
logrotate to store the actual rotates in a different directory, you would also want to put this directory in READONLY or
APPEND... which is not possible. An attacker would thus be able to access and modify your rotates. I suppose LIDS has still
got some work to do at this point.

It is, of course, a bit of a drawback that science was invented after I left school. -- Lord Carrington
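
The inode problem described in this reply, shown as an added example that is not part of the original message: assuming, as the post says, that a rule is tied to the inode a file had when the rule was written, it reports which file names still carry that inode after the two rotation styles logrotate offers (`create` and `copytruncate`). The file name `snort.log` and all helper names are made up for the demonstration.

```python
import os
import tempfile


def rotate_create(path):
    """Rename the log and create a fresh one (logrotate 'create' style)."""
    os.rename(path, path + ".1")
    with open(path, "w"):
        pass


def rotate_copytruncate(path):
    """Copy the log aside, then truncate it in place ('copytruncate' style)."""
    with open(path, "rb") as src, open(path + ".1", "wb") as dst:
        dst.write(src.read())
    os.truncate(path, 0)


def covered_after(rotate, name="snort.log"):
    """Return the names that still map to the inode recorded before rotation.

    The recorded inode stands in for what an inode-bound rule would pin
    (an assumption taken from the post, not verified against LIDS itself).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("constructed sample entry\n")
        rule_inode = os.stat(path).st_ino
        rotate(path)
        return sorted(
            n for n in os.listdir(d)
            if os.stat(os.path.join(d, n)).st_ino == rule_inode
        )


if __name__ == "__main__":
    # 'create': the rule follows the renamed file; the new live log is uncovered.
    print("create       ->", covered_after(rotate_create))
    # 'copytruncate': the live log keeps its inode; the rotated copy is uncovered.
    print("copytruncate ->", covered_after(rotate_copytruncate))
```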
