logcheck doesn't work anymore
Greg Larkin
glarkin at FreeBSD.org
Sun Sep 14 17:00:53 UTC 2008
Marco Beishuizen wrote:
> On Fri, 12 Sep 2008 18:02:37 -0400
> Greg Larkin <glarkin at freebsd.org> wrote:
>
>> Hi Marco,
>>
>> Right you are! In fact, after my initial logcheck commit, someone
>> opened a PR stating something very similar to what you noted:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127255
>>
>> The submitter's point is that the logcheck user should not be part of
>> the wheel group, since that also confers the ability to su to root and
>> read many files that should be private.
>>
>> A patch has been committed very recently to remove the logcheck user
>> from the wheel group and change the verbiage in pkg-message:
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-install.in.diff?r1=1.1;r2=1.2
>> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/logcheck/files/pkg-message.in.diff?r1=1.1;r2=1.2
>>
>> Any file that needs to be analyzed by logcheck will now have to be
>> readable by the logcheck group instead of the wheel group.
>>
>> Best regards,
>> Greg
>> --
>> Greg Larkin
>
> I upgraded to the latest version today and now there is a separate
> logcheck group. But logcheck still only works when the logfiles have
> permission 644. Most of them had permissions set to 600 but then I get
> the same error messages as before.
>
> Or should I change the owner of all logfiles from root to logcheck and
> then the permissions back to 600?
>
> Regards,
> Marco
Hi Marco,
Yes, you will need to make the files readable by logcheck, according to
the instructions displayed after the port is installed, but you don't
need to change the owner of the files to be analyzed, just the group and
group permissions:
--------------------------------------------------------------------
Please make sure that all files listed in
/usr/local/etc/logcheck/logcheck.logfiles
are readable to the 'logcheck' group (see also /etc/newsyslog.conf),
or remove them from the aforementioned logcheck configuration file.
--------------------------------------------------------------------
In my installation, logcheck.logfiles contains the following. I believe
this is the default when the port is first installed:
--------------------------------------------------------------------
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/auth.log
--------------------------------------------------------------------
When I check the permissions on these files, I see:
--------------------------------------------------------------------
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r----- 1 root wheel 63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r-- 1 root wheel 47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------
I can tell that /var/log/messages is readable by the logcheck group
(other = read), but /var/log/auth.log is not (other = none). To fix this
problem, I change the group of the /var/log/auth.log file like so:
--------------------------------------------------------------------
fbsd70# chgrp logcheck /var/log/auth.log
fbsd70# ls -l /var/log/messages /var/log/auth.log
-rw-r----- 1 root logcheck 63339 Sep 14 12:44 /var/log/auth.log
-rw-r--r-- 1 root wheel 47346 Sep 14 12:48 /var/log/messages
--------------------------------------------------------------------
Finally, I'll add the members of the wheel group to the logcheck group
so anyone in that group can still read the file as they could before:
--------------------------------------------------------------------
fbsd70# grep ^wheel: /etc/group
wheel:*:0:root,glarkin
fbsd70# grep ^wheel: /etc/group | awk -F : '{ print $4 }' | xargs \
-n1 pw groupmod logcheck -m
fbsd70# grep ^logcheck: /etc/group
logcheck:*:915:root,glarkin
--------------------------------------------------------------------
Now the logcheck, root, and glarkin users can all read /var/log/auth.log,
and the logcheck script should work fine. I hope that clears everything
up. If you have any further questions or problems, please post back here.
Best regards,
Greg
--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
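A script that checks the group-readability requirement discussed above, as an added example that is not code from the original post or from the logcheck port; it assumes the list format of logcheck.logfiles (one path per line, '#' comments allowed) and that the group is named logcheck:

```sh
#!/bin/sh
# Added example (not part of the logcheck port): audit whether every file
# listed in logcheck.logfiles can be read by the 'logcheck' group, and
# print the chgrp/chmod needed for those that cannot.

# Decide from an 'ls -l' mode string and the file's owning group whether
# members of $3 can read it. Returns 0 if readable, 1 if not.
#   $1 = mode, e.g. -rw-r-----   $2 = owning group   $3 = group to test
group_can_read() {
    mode=$1; grp=$2; want=$3
    case "$mode" in
        ???????r*) return 0 ;;             # world-readable (other = read)
    esac
    if [ "$grp" = "$want" ]; then
        case "$mode" in
            ????r*) return 0 ;;            # owned by $want with group read
        esac
    fi
    return 1
}

# Walk a logcheck.logfiles-style list ($1: one path per line, '#' comments
# allowed) and report files that group $2 cannot read. Returns 1 if any
# file is missing or unreadable, 0 if all are fine.
audit_logfiles() {
    list=$1; want=$2; rc=0
    while IFS= read -r path; do
        case "$path" in ''|\#*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        # ls -ld gives the same columns on FreeBSD and Linux:
        # mode is field 1, owning group is field 4.
        set -- $(ls -ld "$path")
        if group_can_read "$1" "$4" "$want"; then
            echo "OK      $path"
        else
            echo "FIX     $path (mode $1, group $4):" \
                 "chgrp $want '$path' && chmod g+r '$path'"
            rc=1
        fi
    done < "$list"
    return $rc
}

# Run as root on the host, e.g.:
#   sh audit.sh /usr/local/etc/logcheck/logcheck.logfiles logcheck
if [ $# -gt 0 ]; then
    audit_logfiles "$1" "${2:-logcheck}"
fi
```

Because newsyslog recreates rotated files with the owner, group and mode given in /etc/newsyslog.conf, a chgrp done by hand only lasts until the next rotation; the group there must be set to logcheck as well, which is why pkg-message points at that file.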