Steven Vona
asked on
Access to logs via sudo
I have a log server that collects logs from all the Cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the Cisco logs are kept.
drwx------ 65 root root 4096 Apr 29 7:38 rsyslog
The Cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the Cisco folks access to the logs without (1) giving them access to root or (2) changing the permissions on the files.
So I was thinking, is there any way I can give them access through sudo? I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?
Maybe you could set up FTP and lock them in that directory.
Something like sudo ftp, but not sure you can keep a root user in a folder.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@woolmikporc
I am not all that familiar with extended ACLs, but if I remember correctly it causes problems if ACLs are on the root filesystem, which is where the /var/log/rsyslog directory exists.
# cat /etc/fstab
/dev/VG0/LV0 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VG0/LV1 swap swap defaults 0 0
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VG0-LV0 62G 5.4G 54G 10% /
/dev/sda1 99M 27M 68M 29% /boot
tmpfs 1005M 0 1005M 0% /dev/shm
ASKER
It is RHEL 5.
I understand your comments about the /var filesystem, but this machine was handed down to me, and my hands are tied with most changes like that until the machine needs to be rebuilt or there is a tech refresh. Basically they will say it's not broke don't fix it. :)
ASKER
Thanks for your help, I have added the options and remounted. I have also set the acl to allow read permissions to the directory:
drw-r-----+ 65 root root 4096 Apr 29 10:38 rsyslog
Is there a way to make this recursive? Also what if a new directory was created inside rsyslog, is there a way to allow it to inherit the acl from the parent directory?
I am asking this since there are 50+ directories under /var/log/rsyslog and we are often adding new devices which creates a new directory in /var/log/rsyslog
ASKER
So I figured out how to make it recursive, how about the inherit part? Any ideas?
ASKER
This doesn't seem to be working. I have r-- permissions for the user on /var/log/rsyslog and everything inside that directory, and they still cannot change to that directory: permission denied.
OK, use "rx" instead of "r" alone in "setfacl".
ASKER
Same results...
# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---
[test@logserv ~]$ cd /var/log/rsyslog
-bash: cd: /var/log/rsyslog: Permission denied
Another option might be that you set up another throwaway box for use just by the Cisco folks where they would also have the root password and rsync the logs over to that box.
/var and /var/log need rx as well!
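The traversal rule behind the two fixes above ("rx" rather than "r" alone, and rx on /var and /var/log as well), modelled as an added example that is not part of the original thread: it evaluates the POSIX ACL check against the getfacl output quoted above. The ACLs for /var and /var/log, and the names parse_getfacl, allows, first_blocked and parent, are constructed for illustration.

```python
import re

def parse_getfacl(text):
    """Parse `getfacl` output into owner, group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            acl[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")[:3]
            acl["entries"].append((tag, qual, set(perms[:3]) - {"-"}))
    return acl

def allows(acl, user, groups, want):
    """POSIX ACL check order: owner, named user, groups, other (root bypass not modelled)."""
    want = set(want)
    get = lambda tag, q="": [p for t, ql, p in acl["entries"] if t == tag and ql == q]
    mask = (get("mask") or [set("rwx")])[0]      # no mask entry: nothing is masked
    if user == acl["owner"]:
        return want <= get("user")[0]            # the owner entry is never masked
    if get("user", user):
        return want <= (get("user", user)[0] & mask)
    grp = [p for t, q, p in acl["entries"] if t == "group" and (q or acl["group"]) in groups]
    if grp:                                      # a matching group never falls through to other
        return any(want <= (p & mask) for p in grp)
    return want <= get("other")[0]

def first_blocked(chain, user, groups=()):
    """Return the first directory in `chain` the user cannot search (x), else None."""
    return next((p for p, t in chain if not allows(parse_getfacl(t), user, groups, "x")), None)

# getfacl output quoted in the thread
RSYSLOG = """# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---"""

def parent(named=""):
    # Constructed (not from the thread): root-only parent directory, optional named-user entry
    return "# owner: root\n# group: root\nuser::rwx\n" + named + "group::---\nmask::r-x\nother::---"

BEFORE = [("/var", parent()), ("/var/log", parent()), ("/var/log/rsyslog", RSYSLOG)]
AFTER = [(p, parent("user:test:r-x\n")) for p in ("/var", "/var/log")] + [BEFORE[2]]
if __name__ == "__main__":
    print(first_blocked(BEFORE, "test"), first_blocked(AFTER, "test"))
```
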
ASKER
Yep, that did it.
But now one more question needs to be answered, not that you haven't helped me enough already.
Is there a way to have anything created under rsyslog inherit the ACL? For example, if we add another Cisco device, which would create a new directory in /var/log/rsyslog, would I have to go and add the ACL again? Or is there a way to have the new directory inherit the ACL from its parent directory?
ASKER
Hmm, also a new log is created every day for every device, will this file need the acl updated as well?