Solved

Access to logs via sudo

Posted on 2011-04-29
Last Modified: 2012-06-27
I have a log server that collects logs from all the Cisco devices on our network.  The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the Cisco logs are kept.

drwx------ 65 root root   4096 Apr 29 7:38 rsyslog


The Cisco folks are requesting access to these logs, which is allowed by company policy.  Now here is where it gets complicated.  I need to give the Cisco folks access to the logs without (1) giving them access to root or (2) changing the permissions on the files.

So I was thinking, is there any way I can give them access through sudo?  I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?

Question by:savone
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35490925
Maybe you could set up FTP and lock them in that directory.
0
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35490969
Something like sudo ftp, but not sure you can keep a root user in a folder.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 35491037
sudo will not really help here, because your users will get full root access to the directory in question, not just read-only access.

I'd suggest using extended ACLs.

http://www.techrepublic.com/article/learn-to-use-extended-filesystem-acls/6091748

Basically it's

setfacl -m u:userid1:r /path/to/rsyslog
setfacl -m u:userid2:r /path/to/rsyslog
.
.
.

wmp

0
 
LVL 23

Author Comment

by:savone
ID: 35491083
@woolmilkporc

I am not all that familiar with extended ACLs, but if I remember correctly it causes problems if ACLs are on the root filesystem, which is where the /var/log/rsyslog directory exists.
# cat /etc/fstab
/dev/VG0/LV0            /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VG0/LV1            swap                    swap    defaults        0 0

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG0-LV0    62G  5.4G   54G  10% /
/dev/sda1              99M   27M   68M  29% /boot
tmpfs                1005M     0 1005M   0% /dev/shm

0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 35491246
What is your OS?

The only thing I'm aware of is that you can't enable ACLs on / after reboot on some systems whose mount command doesn't have the "remount" option, because after the necessary modification of /etc/fstab the filesystem needs to be completely umounted/mounted here, which is of course not possible with /.

By the way, it might be a good idea to create a separate FS for /var if there are that many logs to be stored, don't you think?

wmp

0
 
LVL 23

Author Comment

by:savone
ID: 35491552
It is RHEL 5.

I understand your comments about the /var filesystem, but this machine was handed down to me, and my hands are tied with most changes like that until the machine needs to be rebuilt or there is a tech refresh.  Basically they will say it's not broke don't fix it. :)

0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 35491743
OK,

I'm not aware of any issue with enabling ACLs for / on RHEL.
Just modify /etc/fstab, remount or reboot and try it out.

wmp
0
 
LVL 23

Author Comment

by:savone
ID: 35491945
Thanks for your help, I have added the options and remounted.  I have also set the acl to allow read permissions to the directory:


drw-r-----+ 65 root root   4096 Apr 29 10:38 rsyslog


Is there a way to make this recursive?  Also what if a new directory was created inside rsyslog, is there a way to allow it to inherit the acl from the parent directory?

I am asking this since there are 50+ directories under /var/log/rsyslog and we are often adding new devices, which creates a new directory in /var/log/rsyslog.

0
 
LVL 23

Author Comment

by:savone
ID: 35491959
So I figured out how to make it recursive, how about the inherit part? Any ideas?
0
 
LVL 23

Author Comment

by:savone
ID: 35492029
This doesn't seem to be working. I have r-- permissions to the user on /var/log/rsyslog and everything inside that directory, and they still cannot change to that directory: permission denied.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 35492095
OK, use

"rx" instead of "r" alone in "setfacl".
0
 
LVL 23

Author Comment

by:savone
ID: 35492136
Same results...

# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---



[test@logserv ~]$ cd /var/log/rsyslog 
-bash: cd: /var/log/rsyslog: Permission denied

0
 
LVL 12

Expert Comment

by:mccracky
ID: 35492151
Another option might be that you set up another throwaway box for use just by the Cisco folks where they would also have the root password and rsync the logs over to that box.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 35492156
/var and /var/log need rx as well!
0
 
LVL 23

Author Comment

by:savone
ID: 35492237
Yep, that did it.  

But now one more question needs to be answered, not that you haven't helped me enough already.

Is there a way to have anything created under rsyslog inherit the ACL?  For example, if we add another Cisco device, which would create a new directory in /var/log/rsyslog, would I have to go and add the ACL again? Or is there a way to have the new directory inherit the ACL from its parent directory?

0
 
LVL 23

Author Comment

by:savone
ID: 35492261
Hmm, also a new log is created every day for every device, will this file need the acl updated as well?
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 35492278
To establish inheritance you'll have to create a default ACL for the rsyslog directory.

Use "-d -m" instead of "-m" alone to achieve this.
0
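
The "Permission denied" on cd earlier in the thread came from the parent directories, not from rsyslog itself. The following added example (not code from any poster in this thread) parses getfacl-style text and applies the acl(5) access check to each directory on the path to report the first one the user cannot enter. The LOCKED and TRAVERSE listings and the function names are constructed assumptions; only the rsyslog listing mirrors the one posted above.

```python
# Constructed getfacl-style listings (not captured from the poster's server).
# RSYSLOG mirrors the listing in the thread; LOCKED assumes root-only parents.
LOCKED = "# owner: root\n# group: root\nuser::rwx\ngroup::---\nother::---"
TRAVERSE = LOCKED + "\nuser:test:--x\nmask::--x"  # after: setfacl -m u:test:x DIR
RSYSLOG = """# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---"""
ACLS = {"/var": LOCKED, "/var/log": LOCKED, "/var/log/rsyslog": RSYSLOG}

def parse_getfacl(text):
    """Return (owner, owning group, {(tag, qualifier): perms}) from getfacl text."""
    meta, entries = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line and not line.startswith("default:"):
            tag, qual, perms = line.split()[0].split(":")
            entries[(tag, qual)] = perms
    return meta.get("owner"), meta.get("group"), entries

def allows(text, user, groups, perm):
    """acl(5) check for one permission character; root's bypass is not modelled."""
    owner, group, e = parse_getfacl(text)
    mask = e.get(("mask", ""), "rwx")  # no mask entry: nothing is masked
    masked = lambda p: perm in p and perm in mask
    if user == owner:
        return perm in e[("user", "")]  # the owner entry ignores the mask
    if ("user", user) in e:
        return masked(e[("user", user)])
    matched = [p for (tag, q), p in e.items()
               if tag == "group" and (q or group) in groups]
    if matched:
        return any(masked(p) for p in matched)
    return perm in e[("other", "")]

def first_blocked(acls, path, user, groups=()):
    """First directory on the way to `path` that `user` cannot search, or None."""
    current = ""
    for part in path.strip("/").split("/"):
        current += "/" + part
        if not allows(acls[current], user, groups, "x"):  # x = search/traverse
            return current
    return None

if __name__ == "__main__":
    print(first_blocked(ACLS, "/var/log/rsyslog", "test"))
    fixed = {**ACLS, "/var": TRAVERSE, "/var/log": TRAVERSE}
    print(first_blocked(fixed, "/var/log/rsyslog", "test"))
```

Search (x) permission on a parent directory is enough to pass through it; listing its contents additionally needs r.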
