Bind 9 Logging - Ubuntu Hardy Heron server 8.04

I have two questions. And, I'm logged in as root as I do this stuff.

One:
I'm trying to set up logging on our DNS server. I have the following msg in syslog. Can somebody clue me in as to what I may need to do to fix it? I'm guessing it has something to do with umask.

kernel: audit : type=1503 operation=inode_permission requested_mask=a:: name=/var/log/query.log pid=5819 profile=/usr/sbin/named namespace=default

named: logging channel query file /var/log/query.log: permission denied


I searched the Linux Questions forum and found a thread about Apparmor being the culprit so I set it to complain mode, restarted named, but no joy.

Here's my logging statement straight out of Ubuntu's documentation.

logging {
    channel query.log {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };

    category queries { query.log; };
};

ls -al /var/log/query.log
returns
-rw-r--r-- 1 bind bind 0 date time query.log

I've also tried this statement out of Mark Sobell's "A Practical Guide to Ubuntu Linux" book. No joy.
Should either one of these statements work once I have the "permissions denied" problem resolved?

logging {
    channel "query" {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };

    category queries { "query"; };
};

Two:
Why can't I view the contents of usr.sbin.named?
When I run the cmd "more /etc/usr.sbin.named" it returns "No such file or directory."
ls -al /etc/usr.sbin.named
returns
-rw-r--r-- 1 root root 742 date time usr.sbin.named
Asked by Westez.

Westez (author) commented:
I've determined that Apparmor is the culprit. No error msg, and I can write to the logs when it's disabled.
I'd prefer to have Apparmor running and protecting named.  How can this be done?
KMlynarski commented:
Hello Westez,

1. query.log problem:

Try this (as root):
(In my example I'm using the vi editor, but you can use any text editor of your choice)

# mkdir /var/log/named
# chown bind:bind /var/log/named
# vi /etc/bind/<name_of-your-config_file_here>

.... replace:

file "/var/log/query.log";

... with:

file "/var/log/named/query.log";

... and save your bind configuration file, and exit the vi.

# /etc/init.d/bind9 restart

... and then, do some queries using dig or any utility like that.

Check if your /var/log/named/query.log shows you something. It really should!

Why? Here's part TWO:

There's a definition in the file: /etc/apparmor.d/usr.sbin.named:

[...]
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
[...]

Of course, you (in theory) can change this definition, to point to /var/log... but, you can't view or edit the file, right?

Why? I don't know exactly, but in a clean install of Ubuntu 8.04 you should have the right to see or even edit (as root) this very file. If not, then you may have some unusual filesystem flags set on this file. You can check this using the following command (as root):

root@ubuntu:~# lsattr /etc/apparmor.d/

... and the output should be something like that:

------------------ /etc/apparmor.d/abstractions
------------------ /etc/apparmor.d/usr.sbin.cupsd
------------------ /etc/apparmor.d/disable
------------------ /etc/apparmor.d/usr.sbin.named
------------------ /etc/apparmor.d/tunables
------------------ /etc/apparmor.d/force-complain
root@ubuntu:~#

If it isn't (i.e. there are flags visible instead of "-" characters on the left side of the file name), you can use the chattr command to clear the flag (man chattr).

Hope this will be helpful!

Bestest,
 -Chris



Westez (author) commented:
Chris,

I built this box from scratch and loaded just DNS and SSH and accepted the defaults. So there's no /var/log/named directory, only /var/log/
And I did edit the usr.sbin.named file and added the line /var/log/** rw,
then restarted bind9. Ran some digs, etc to see if the file was being written to, before I posted up.
And I can view the file query.log, but there's nothing in it to view, with Apparmor running.  If I turn Apparmor off there's a ton of stuff written to it.

I just ran the lsattr /etc/apparmor.d/ cmd and it runs cleanly the way you would expect it to, so no weird file permissions.
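The two posts above turn on one question: which AppArmor rule does named actually need, and is the running profile the edited one? The script below is an added example, not code from this thread or from the Ubuntu bind9/apparmor packages. It parses audit lines of the exact shape quoted in the question (the sample lines are constructed for the example), emits one candidate rule per denied path for the named profile only, and prints the question's logging stanza rewritten to a path the stock profile already allows, with the query log size capped. Two things it assumes: the profile lives at /etc/apparmor.d/usr.sbin.named and apparmor_parser is installed, both standard on Ubuntu. One caveat worth stating plainly: restarting bind9 does not re-read an edited profile; the profile has to be reloaded with apparmor_parser (or the apparmor init script) before the new rule takes effect.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns AppArmor audit lines like
# the one quoted in the question into candidate rules for the named profile,
# so you grant exactly the paths and permissions that were denied.
# Assumptions: the sample lines below are constructed for this example; the
# profile file /etc/apparmor.d/usr.sbin.named and the apparmor_parser tool
# are the stock AppArmor locations on Ubuntu.

# Constructed sample: line 1 mirrors the question, line 2 is a second named
# denial, line 3 belongs to another profile and must be ignored.
SAMPLE_AUDIT='kernel: audit : type=1503 operation=inode_permission requested_mask=a:: name=/var/log/query.log pid=5819 profile=/usr/sbin/named namespace=default
kernel: audit : type=1503 operation=inode_permission requested_mask=r:: name=/etc/bind/zones/db.example pid=5819 profile=/usr/sbin/named namespace=default
kernel: audit : type=1503 operation=inode_permission requested_mask=w:: name=/var/log/query.log pid=1234 profile=/usr/sbin/cupsd namespace=default'

# aa_perm MASK: map the letters before "::" in requested_mask to AppArmor
# file permissions. Append ("a") is satisfied by "w", which is also what the
# stock rule "/var/log/named/** rw," grants.
aa_perm() {
  mask=$(printf '%s' "$1" | sed 's/::.*$//')
  out=""
  case $mask in *r*) out="${out}r";; esac
  case $mask in *w*|*a*) out="${out}w";; esac
  case $mask in *l*) out="${out}l";; esac
  case $mask in *k*) out="${out}k";; esac
  case $mask in *m*) out="${out}m";; esac
  printf '%s' "$out"
}

# aa_rules_for PROFILE: read audit lines on stdin and print one profile rule
# per denied path for PROFILE, sorted and deduplicated. Lines from other
# profiles are skipped so you never widen the wrong profile by accident.
aa_rules_for() {
  profile=$1
  while read -r line; do
    case $line in
      *"profile=$profile "*|*"profile=$profile") ;;
      *) continue ;;
    esac
    name=$(printf '%s\n' "$line" | sed -n 's/.* name=\([^ ]*\).*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.* requested_mask=\([^ ]*\).*/\1/p')
    [ -n "$name" ] && printf '  %s %s,\n' "$name" "$(aa_perm "$mask")"
  done | sort -u
}

# named_logging_stanza FILE: the logging block from the question, rewritten
# to use FILE (a path the stock profile already allows) and to rotate and
# cap the query log so debug-level query logging cannot fill /var/log.
named_logging_stanza() {
  cat <<EOF
logging {
    channel query.log {
        file "$1" versions 3 size 5m;
        severity debug 3;
        print-time yes;
    };
    category queries { query.log; };
};
EOF
}

# On the server itself (not run here): generate the rules from syslog, paste
# them inside the "/usr/sbin/named { ... }" block of
# /etc/apparmor.d/usr.sbin.named, then reload the profile. Restarting bind9
# alone does not re-read the profile.
#   grep 'profile=/usr/sbin/named' /var/log/syslog | aa_rules_for /usr/sbin/named
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
#   /etc/init.d/bind9 restart
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | aa_rules_for /usr/sbin/named
  named_logging_stanza /var/log/named/query.log
fi
```

Run it as `sh aa_named_rules.sh demo` to see the rules derived from the sample and the rewritten stanza. Derived rules are the tightest grant that matches what was denied; prefer them over a blanket `/var/log/** rw,`, which lets a compromised named overwrite every other service's log.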

gheist commented:
BIND in Ubuntu chroots, so you will need to use syslog or create the log file under /var/lib/named/./
Westez (author) commented:
gheist - I didn't chroot the setup.
gheist commented:
You have to add the log directory twice into the apparmor.d file.