Configure the Service to Log Activity

The information to be logged from a service in a chroot environment does not differ from when the service executes from the normal root. In fact, part of the build policy related to the chroot configuration should explicitly state the logging requirements. Nevertheless, disk space is a major consideration for this scenario. One of the reasons to create a chroot environment is to minimize the disk space available to attackers in the event of a compromise. Once again, you have several options for logging the service.

Even though the service may be writing to a file in the /var/log directory, this directory is within the chroot environment. However, other processes on the system with the correct privileges can freely access the files in /opt/chroot/var/log. A simple cron job can periodically move logs from the chroot environment to a location that is more secure and has more disk space available. This also helps the administrator centralize and parse logs.

A basic log directory would appear as such:

/var/
    log/
        lastlog
        messages
        secure
        wtmp
    run/
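The cron job mentioned above, written out as an added shell example that is not from the book: it archives the chroot's log files into a central directory, preserving owner and mode with cp -p, and truncates the originals in place so the daemon inside the chroot keeps a valid file descriptor. /opt/chroot is the path used in the text; the store directory and the hourly schedule are assumptions.

```bash
#!/bin/bash
# Added example, not from the book: the periodic job that moves log data
# out of the chroot into a central, roomier location. The chroot path
# /opt/chroot matches the text; the store directory is an assumption.
set -u

# collect_chroot_logs CHROOT STORE
# Copies each non-empty regular file in CHROOT/var/log into STORE with a
# timestamp suffix, using cp -p to keep owner and mode, then truncates
# the original in place. Prints the number of files archived.
#
# Copy-then-truncate is used instead of mv: the daemon inside the chroot
# keeps its descriptor open, and an mv across filesystems would leave it
# writing to an unlinked inode whose blocks are never freed, which is
# exactly the disk-space problem the small chroot partition is meant to
# avoid.
collect_chroot_logs() {
    local chroot_dir="$1" store="$2"
    local stamp f name count=0
    stamp=$(date +%Y%m%d%H%M%S)
    [ -d "$chroot_dir/var/log" ] || { echo "no $chroot_dir/var/log" >&2; return 1; }
    mkdir -p "$store" && chmod 0700 "$store" || return 1
    for f in "$chroot_dir"/var/log/*; do
        [ -f "$f" ] && [ -s "$f" ] || continue
        name=$(basename "$f")
        # lastlog is a sparse table indexed by uid, not an append-only
        # log; truncating it would discard the last-login records.
        if [ "$name" = lastlog ]; then continue; fi
        cp -p "$f" "$store/$name.$stamp" || return 1
        : > "$f"   # daemon's open descriptor stays valid, size drops to 0
        count=$((count + 1))
    done
    echo "$count"
}

# Assumed cron entry (hourly, as root), with this function wrapped in a
# script:  0 * * * * /usr/local/sbin/collect_chroot_logs.sh
# where the script calls: collect_chroot_logs /opt/chroot /var/log/chroot-archive
```

Adjust the store directory so it sits on a partition with more room than the chroot, and make sure its ownership and mode keep the archived copies out of reach of the chrooted service.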

The other option is to forgo writing logs in the chroot environment altogether and send the log messages to a syslog server. This has the benefit that you can further restrict the size of the partition assigned to chroot. You must create an /etc/syslog.conf file in the chroot environment to do this.

Additionally, be aware that commands such as w or who only apply to their current environment by default. This is the desired result for the chroot environment (users in chroot cannot observe if non-chroot users are logged in). As an administrator, you should still monitor when users log in, what commands they execute, and when they log out. In fact, this is easy to do. Typing who on the host system only displays users who are not authenticated within a chroot environment (via pam_chroot, for example).

# who
root     pts/0        May  7 09:08 (10.0.1.3)
root     pts/1        May  7 09:08 (10.0.1.3)

To observe the users logged into a chroot environment, query the appropriate wtmp file:

# who /opt/chroot/var/log/wtmp
mike                  May  7 09:40 (10.0.1.3)

Logfiles provide useful information not only if a compromise occurs, but for monitoring the status and problems that might occur in a chroot environment.



Troubleshoot chroot Environment Problems

If a service within a chroot environment is not working correctly, the first thing to do is carefully review the strace output and make sure every required file is present. Very often, a few common, non-sensitive files in the /etc directory, such as resolv.conf and nsswitch.conf, have been forgotten.

Many programs will write error messages to syslog or to /var/log/messages by default. Remember, this is the /var/log/messages in the chroot directory (/opt/chroot/var/log/messages) and not the /var/log/messages file of the root file system.

Be aware of incorrect file permissions. Many services are sensitive to file ownership and modes. Whenever possible, use cp -p to preserve the original file permissions when copying files from their original location to the chroot environment. The tar command also uses -p, or you can specify --preserve as a long option.

If you have placed the chroot directory structure on its own partition or set disk quotas, make sure that sufficient disk space remains for the program to execute, write to temporary files, write logfiles, and otherwise be able to access some free disk space. You can reduce the logging overhead by using syslog to send events to another server rather than write to the chroot directory.

Mounting chroot systems over NFS is not a good idea. NFS will squash root privileges on files by default and silently map them to the nobody user. So, aside from the possible performance impact, NFS may wreak havoc on the file permissions you expect for the environment.