Solved

Bind 9 Logging - Ubuntu Hardy Heron server 8.04

Posted on 2008-10-28
7
1,380 Views
Last Modified: 2013-12-23
I have two questions. And, I'm logged in as root as I do this stuff.

One:
I'm trying to setup logging on our DNS server. I have the following msg in syslog. Can somebody clue me in as to what I may need to do to fix it? I'm guessing it has something to do with umask.

kernel: audit : type=1503 operation=inode_permission requested_mask=a:: name=/var/log/query.log pid=5819 profile=/usr/sbin/named namespace=default

named: logging channel query file /var/log/query.log: permission denied


I searched the Linux Questions forum and found a thread about Apparmor being the culprit so I set it to complain mode, restarted named, but no joy.

Here's my logging statement straight out of Ubuntu's documentation.

logging {
channel query.log {
file "/var/log/query.log";
// Set the severity to dynamic to see all the debug messages.
severity debug 3;
};

category queries { query.log; };
};

ls -al /var/log/query.log
returns
-rw-r--r-- 1 bind bind 0 date time query.log

I've also tried this statement out of Mark Sobell's "A Practical Guide to Ubuntu Linux" book. No joy.
Should either one of these statements work once I have the "permissions denied" problem resolved?

logging {
channel "query" {
file "/var/log/query.log";
// Set the severity to dynamic to see all the debug messages.
severity debug 3;
};

category queries { "query"; };

};

Two:
Why can't I view the contents of usr.sbin.named?
When I run the cmd "more /etc/usr.sbin.named" it returns "No such file or directory."
ls -al /etc/usr.sbin.named
returns
-rw-r--r-- 1 root root 742 date time usr.sbin.named
0
Comment
Question by:Westez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 

Author Comment

by:Westez
ID: 22826187
I've determined that Apparmor is the culprint.  No error msg and  I can write to the logs when it's disabled.
I'd prefer to have Apparmor running and protecting named.  How can this be done?
0
 
LVL 1

Expert Comment

by:KMlynarski
ID: 22826706
Hello Westez,

1. query.log problem:

Try this (as root):
(In my example I'm using the vi editor, but you can use any text editor of your choice)

# mkdir /var/log/named
# chown bind:bind /var/log/named
# vi /etc/bind/<name_of-your-config_file_here>

.... replace:

file "/var/log/query.log";

... with:

file "/var/log/named/query.log";

... and save your bind configuration file, and exit the vi.

# /etc/init.d/bind9 restart

... and then, do some queries using dig or any utility like that.

Check if your /var/log/named/query.log shows you something. It really should!

Why? Here's part TWO:

There's a definition in the file: /etc/apparmor.d/usr.sbin.named:

[...]
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
[...]

Of course, you (in theory) can change this definition, to point to /var/log... but, you can't view or edit the file, right?

Why? I don't know exactly, but in a clean install of the Ubuntu 8.04 you should have right to see or even edit (as root) this very file. If not, then you may have any weird filesystem flags set on this file. You can check this using the following command (as root):

root@ubuntu:~# lsattr /etc/apparmor.d/

... and the output should be something like that:

------------------ /etc/apparmor.d/abstractions
------------------ /etc/apparmor.d/usr.sbin.cupsd
------------------ /etc/apparmor.d/disable
------------------ /etc/apparmor.d/usr.sbin.named
------------------ /etc/apparmor.d/tunables
------------------ /etc/apparmor.d/force-complain
root@ubuntu:~#

If it isn't (there are any flags visible instead of "-" characters on the left side of the file name, you can use the chattr command to disable the flag (man chattr).

Hope this will be helpful!

Bestest,
 -Chris



0
 

Author Comment

by:Westez
ID: 22835927
Chris,

I built this box from scratch and loaded just dns and ssh and accepted the defaults.  So there's no /var/log/named directory, only /var/log/
And I did edit the usr.sbin.named file and added the line /var/log/** rw,
then restarted bind9. Ran some digs, etc to see if the file was being written to, before I posted up.
And I can view the file query.log, but there's nothing in it to view, with Apparmor running.  If I turn Apparmor off there's a ton of stuff written to it.

I just ran the lsattr /etc/apparmor.d/ cmd and it runs cleanly the way you would expect it to, so no weird file permissions.
0
Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

 
LVL 62

Expert Comment

by:gheist
ID: 22867579
BIND in Ubuntu chroot-s so you will need to use syslog or create log file under /var/lib/named/./
0
 

Author Comment

by:Westez
ID: 22868215
gheist - I didn't chroot the setup.
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 22868480
You have to add log directory twice into apparmor.d file.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question