Access to logs via sudo

I have a log server that collects logs from all the cisco devices on our network.  The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.

drwx------ 65 root root   4096 Apr 29 7:38 rsyslog

The Cisco folks are requesting access to these logs, which is allowed by company policy.  Now here is where it gets complicated.  I need to give the Cisco folks access to the logs without (1) giving them access to root or (2) changing the permissions on the files.

So I was thinking, is there any way I can give them access through sudo?  I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?

savoneAsked:
woolmilkporcCommented:
sudo will not really help here, because your users will get full root access to the directory in question, not just read-only access.

I'd suggest using extended ACLs.

http://www.techrepublic.com/article/learn-to-use-extended-filesystem-acls/6091748

Basically it's

setfacl -m u:userid1:r /path/to/rsyslog
setfacl -m u:userid2:r /path/to/rsyslog
.
.
.

wmp

Randy DownsOWNERCommented:
maybe you could set up ftp and lock them in that directory.
Randy DownsOWNERCommented:
something like sudo ftp but not sure you can keep a root user in a folder.
savoneAuthor Commented:
@woolmilkporc

I am not all that familiar with extended ACLs, but if I remember correctly it causes problems if ACLs are on the root filesystem, which is where the /var/log/rsyslog directory exists.
# cat /etc/fstab
/dev/VG0/LV0            /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VG0/LV1            swap                    swap    defaults        0 0

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG0-LV0    62G  5.4G   54G  10% /
/dev/sda1              99M   27M   68M  29% /boot
tmpfs                1005M     0 1005M   0% /dev/shm

woolmilkporcCommented:
What is your OS?

The only thing I'm aware of is that you can't enable ACLs on / after reboot on some systems whose mount command doesn't have the "remount" option, because after the necessary modification of /etc/fstab the filesystem needs to be completely umounted/mounted here, which is of course not possible with /.

By the way, it might be a good idea to create a separate FS for /var if there are that many logs to be stored, don't you think?

wmp

savoneAuthor Commented:
It is RHEL 5.

I understand your comments about the /var filesystem, but this machine was handed down to me, and my hands are tied with most changes like that until the machine needs to be rebuilt or there is a tech refresh.  Basically they will say it's not broke don't fix it. :)

woolmilkporcCommented:
OK,

I'm not aware of any issue with enabling ACLs for / on RHEL.
Just modify /etc/fstab, remount or reboot and try it out.

wmp
savoneAuthor Commented:
Thanks for your help, I have added the options and remounted.  I have also set the acl to allow read permissions to the directory:


drw-r-----+ 65 root root   4096 Apr 29 10:38 rsyslog

Is there a way to make this recursive?  Also what if a new directory was created inside rsyslog, is there a way to allow it to inherit the acl from the parent directory?

I am asking this since there are 50+ directories under /var/log/rsyslog and we are often adding new devices which creates a new directory in /var/log/rsyslog

savoneAuthor Commented:
So I figured out how to make it recursive, how about the inherit part? Any ideas?
savoneAuthor Commented:
This doesn't seem to be working. I have r-- permissions for the user on /var/log/rsyslog and everything inside that directory, and they still cannot change to that directory: permission denied.
woolmilkporcCommented:
OK, use

"rx" instead of "r" alone in "setfacl".
savoneAuthor Commented:
Same results...

# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---

[test@logserv ~]$ cd /var/log/rsyslog 
-bash: cd: /var/log/rsyslog: Permission denied

mccrackyCommented:
Another option might be that you set up another throwaway box for use just by the Cisco folks where they would also have the root password and rsync the logs over to that box.
woolmilkporcCommented:
/var and /var/log need rx as well!
savoneAuthor Commented:
Yep, that did it.  

But now one more question needs to be answered, not that you haven't helped me enough already.

Is there a way to have anything created under rsyslog inherit the ACL?  For example, if we add another Cisco device, which would create a new directory in /var/log/rsyslog, would I have to go and add the ACL again? Or is there a way to have the new directory inherit the ACL from its parent directory?

savoneAuthor Commented:
Hmm, also a new log is created every day for every device, will this file need the acl updated as well?
woolmilkporcCommented:
To establish inheritance you'll have to create a default ACL for the rsyslog directory.

Use "-d -m" instead of "-m" alone to achieve this.
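Pulling the thread's pieces together (search permission on /var and /var/log, a recursive read ACL on the log tree, and a default ACL so new device directories and each day's new file inherit it), here is an added example script that is not from the thread or from any of its participants. The user `test` and the path /var/log/rsyslog are the ones from the question; everything else is a placeholder. One deliberate difference from the thread: it grants only x (search) on the parent directories, which is all traversal needs and does not let the user list the other logs in /var/log. It then verifies the result by running test(1) as the target user rather than by reading getfacl output.

```shell
#!/bin/sh
# Added example (not from the thread): give one unprivileged user read-only
# access to a root-owned log tree with POSIX ACLs, including inheritance for
# directories and files that rsyslogd creates later.
#
# Usage (as root, on a filesystem mounted with the acl option):
#   sh acl-logs.sh apply  test /var/log/rsyslog
#   sh acl-logs.sh verify test /var/log/rsyslog
# "test" and /var/log/rsyslog are the user and path from the question; any
# other names are placeholders.

# Print every ancestor of $1 except / itself, shallowest first:
# /var/log/rsyslog -> /var, /var/log
parent_dirs() {
    p=$(dirname "$1")
    set --
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        set -- "$p" "$@"
        p=$(dirname "$p")
    done
    for d in "$@"; do printf '%s\n' "$d"; done
}

grant_access() {
    user=$1; dir=$2
    # 1. Search (x) only on each ancestor. Traversal needs x, not r: the
    #    user can reach $dir by name but cannot list the rest of /var/log.
    #    (The thread uses rx here; that works too but exposes sibling names.)
    for d in $(parent_dirs "$dir"); do
        setfacl -m "u:$user:x" "$d" || return 1
    done
    # 2. Read on everything that already exists. Capital X adds execute
    #    (search) only on directories, so the log files stay r--.
    #    setfacl fails with "Operation not supported" if the filesystem
    #    is not mounted with the acl option.
    setfacl -R -m "u:$user:rX" "$dir" || return 1
    # 3. Default ACL on every directory: new per-device directories and
    #    each day's new log file inherit the entry at creation time.
    find "$dir" -type d -exec setfacl -d -m "u:$user:rx" {} + || return 1
}

# Check the result the way the user will experience it: run test(1) as
# that user against every path component, then against the directory.
verify_access() {
    user=$1; dir=$2
    for d in $(parent_dirs "$dir") "$dir"; do
        su -s /bin/sh "$user" -c "test -x '$d'" \
            || { echo "$user cannot search $d" >&2; return 1; }
    done
    su -s /bin/sh "$user" -c "test -r '$dir'" \
        || { echo "$user cannot read $dir" >&2; return 1; }
    echo "ok: $user can search the path to $dir and read it"
}

case "${1:-}" in
    apply|verify)
        [ $# -eq 3 ] || { echo "usage: $0 apply|verify USER DIR" >&2; exit 2; }
        if [ "$1" = apply ]; then
            grant_access "$2" "$3" || exit 1
        fi
        verify_access "$2" "$3" || exit 1 ;;
    '') ;;   # no arguments (e.g. sourced): only define the functions
    *)  echo "usage: $0 apply|verify USER DIR" >&2; exit 2 ;;
esac
```

Two caveats worth checking on the box itself. First, `setfacl` needs the `acl` mount option on the filesystem holding the directory (here /, so the fstab entry and remount from earlier in the thread must already be done). Second, a default ACL is not the whole story for new files: the mask of a newly created file is the intersection of the directory's default mask and the group bits of the creation mode, so if rsyslog is configured with `$FileCreateMode 0600` (its default is 0644) the inherited entry is masked down to nothing and the user still cannot read the new day's file.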