Bind 9 Logging - Ubuntu Hardy Heron server 8.04

I have two questions. And, I'm logged in as root as I do this stuff.

One:
I'm trying to set up logging on our DNS server. I have the following msg in syslog. Can somebody clue me in as to what I may need to do to fix it? I'm guessing it has something to do with umask.

kernel: audit : type=1503 operation=inode_permission requested_mask=a:: name=/var/log/query.log pid=5819 profile=/usr/sbin/named namespace=default

named: logging channel query file /var/log/query.log: permission denied


I searched the Linux Questions forum and found a thread about Apparmor being the culprit so I set it to complain mode, restarted named, but no joy.

Here's my logging statement straight out of Ubuntu's documentation.

logging {
    channel query.log {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };

    category queries { query.log; };
};

ls -al /var/log/query.log
returns
-rw-r--r-- 1 bind bind 0 date time query.log

I've also tried this statement out of Mark Sobell's "A Practical Guide to Ubuntu Linux" book. No joy.
Should either one of these statements work once I have the "permissions denied" problem resolved?

logging {
    channel "query" {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };

    category queries { "query"; };
};

Two:
Why can't I view the contents of usr.sbin.named?
When I run the cmd "more /etc/usr.sbin.named" it returns "No such file or directory."
ls -al /etc/usr.sbin.named
returns
-rw-r--r-- 1 root root 742 date time usr.sbin.named
Asked by: Westez

Westez (Author) commented:
I've determined that Apparmor is the culprit. No error msg and I can write to the logs when it's disabled.
I'd prefer to have Apparmor running and protecting named.  How can this be done?

KMlynarski commented:
Hello Westez,

1. query.log problem:

Try this (as root):
(In my example I'm using the vi editor, but you can use any text editor of your choice)

# mkdir /var/log/named
# chown bind:bind /var/log/named
# vi /etc/bind/<name_of-your-config_file_here>

.... replace:

file "/var/log/query.log";

... with:

file "/var/log/named/query.log";

... and save your bind configuration file, and exit the vi.

# /etc/init.d/bind9 restart

... and then, do some queries using dig or any utility like that.

Check if your /var/log/named/query.log shows you something. It really should!

Why? Here's part TWO:

There's a definition in the file: /etc/apparmor.d/usr.sbin.named:

[...]
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
[...]

Of course, you (in theory) can change this definition, to point to /var/log... but, you can't view or edit the file, right?

Why? I don't know exactly, but in a clean install of Ubuntu 8.04 you should have the right to see or even edit (as root) this very file. If not, then you may have some weird filesystem flags set on this file. You can check this using the following command (as root):

root@ubuntu:~# lsattr /etc/apparmor.d/

... and the output should be something like that:

------------------ /etc/apparmor.d/abstractions
------------------ /etc/apparmor.d/usr.sbin.cupsd
------------------ /etc/apparmor.d/disable
------------------ /etc/apparmor.d/usr.sbin.named
------------------ /etc/apparmor.d/tunables
------------------ /etc/apparmor.d/force-complain
root@ubuntu:~#

If it isn't (there are any flags visible instead of "-" characters on the left side of the file name), you can use the chattr command to disable the flag (man chattr).

Hope this will be helpful!

Bestest,
 -Chris



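Added example (not part of the post above, and not code from Ubuntu or AppArmor): a small Python check that parses the denial line from the question and tests the denied path against a profile's file rules, showing why the stock /var/log/named/** rule does not cover /var/log/query.log. The glob matcher is a simplification that handles only *, ** and ?, and reading the letters before the first ':' in requested_mask as the requested permissions is an assumption about this log format.

```python
import re

# Constructed inputs: the denial line from the question and the stock rule
# quoted in the answer above.
AUDIT_LINE = ("kernel: audit : type=1503 operation=inode_permission "
              "requested_mask=a:: name=/var/log/query.log pid=5819 "
              "profile=/usr/sbin/named namespace=default")
PROFILE_RULES = """
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
"""

def parse_denial(line):
    """Pull the key=value fields out of an AppArmor audit line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' and '?' stop at '/', '**' crosses it."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens) + r"\Z")

def parse_rules(text):
    """Return (path_glob, perms) pairs from 'path perms,' file rules."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            rules.append((parts[0], parts[1]))
    return rules

def is_allowed(path, requested, rules):
    """True if matching rules together grant every requested permission."""
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).match(path):
            granted |= set(perms)
    if "w" in granted:
        granted.add("a")  # write permission also covers append
    return set(requested) <= granted

def check(line, profile_text):
    """Return (profile, path, allowed) for one denial against a profile."""
    d = parse_denial(line)
    # Assumption: the letters before the first ':' are the requested permissions.
    requested = d["requested_mask"].split(":")[0]
    return d["profile"], d["name"], is_allowed(d["name"], requested, parse_rules(profile_text))

if __name__ == "__main__":
    print(check(AUDIT_LINE, PROFILE_RULES))
```

A rule scoped to the one file, such as `/var/log/query.log w,`, grants only what the denial asked for, whereas a `/var/log/**` rule would let named write to every log under /var/log. An edited profile takes effect only after it is reloaded, for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`.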
 
Westez (Author) commented:
Chris,

I built this box from scratch and loaded just dns and ssh and accepted the defaults.  So there's no /var/log/named directory, only /var/log/
And I did edit the usr.sbin.named file and added the line /var/log/** rw,
then restarted bind9. Ran some digs, etc to see if the file was being written to, before I posted up.
And I can view the file query.log, but there's nothing in it to view, with Apparmor running.  If I turn Apparmor off there's a ton of stuff written to it.

I just ran the lsattr /etc/apparmor.d/ cmd and it runs cleanly the way you would expect it to, so no weird file permissions.
 
gheist commented:
BIND in Ubuntu chroot-s so you will need to use syslog or create log file under /var/lib/named/./

Westez (Author) commented:
gheist - I didn't chroot the setup.

gheist commented:
You have to add log directory twice into apparmor.d file.