The information to be logged from a service in a chroot environment does not
Even though the service may be writing to a file in the /var/log directory, this directory is within the chroot environment. However, other processes on the system with the correct privileges can
A basic log directory would appear as such:

/var/
    log/
        lastlog
        messages
        secure
        wtmp
    run/
The other option is to forgo writing logs in the chroot environment altogether and send the log messages to a server. This has the benefit that you can further restrict the
Additionally, be aware that commands such as w or who only apply to their current environment by default. This is the desired result for the chroot environment (users in the chroot cannot observe whether non-chroot users are logged in). As an administrator, you should still monitor when users log in, what commands they execute, and when they log out. In fact, this is easy to do. Typing who on the host system only displays users who are not authenticated within a chroot environment (via pam_chroot, for example).

# who
root     pts/0        May  7 09:08 (10.0.1.3)
root     pts/1        May  7 09:08 (10.0.1.3)
To observe the users logged into a chroot environment, query the appropriate wtmp file:
# who /opt/chroot/var/log/wtmp
mike     May  7 09:40 (10.0.1.3)
Logfiles provide useful information not only if a compromise occurs, but for monitoring the status and problems that might occur in a chroot environment.
If a service within a chroot environment is not working correctly, the first thing to do is
Many programs will write error messages to syslog or to /var/log/messages by default. Remember, this is the /var/log/messages in the chroot directory (/opt/chroot/var/log/messages) and not the /var/log/messages file of the root file system.
Be aware of incorrect file permissions. Many services are sensitive to file ownership and modes. Whenever possible, use cp -p to preserve the original file permissions when copying files from their original location to the chroot environment. The tar command also uses -p, or you can specify --preserve as a long option.
If you have placed the chroot directory structure on its own partition or set disk quotas, make sure that sufficient disk space remains for the program to execute, write to temporary files, write logfiles, and
systems over NFS is not a good idea. NFS will squash root privileges on files by default and silently map them to the nobody
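The checks described above (the four files of a basic chroot log directory, their ownership and modes, remaining disk space, and logins recorded only in the chroot's own wtmp) gathered into one audit script. This is an added example, not code from the book; the /opt/chroot-style path, the expected owner root and the 1 MiB free-space floor are assumptions passed as arguments.

```shell
#!/bin/sh
# Audit a chroot's log directory: report missing, wrongly owned or
# group/world-writable log files, low free space, and chroot logins.
# Returns 0 only when no problem was found.
audit_chroot_logs() {
    chroot_dir="$1"              # e.g. /opt/chroot (assumed path)
    owner="${2:-root}"           # expected owner of the log files (assumed)
    min_free_kb="${3:-1024}"     # minimum free space in KiB (assumed)
    logdir="$chroot_dir/var/log"
    problems=0
    if [ ! -d "$logdir" ]; then
        echo "MISSING: $logdir"
        return 1
    fi
    # The files the text lists for a basic chroot log directory.
    for f in lastlog messages secure wtmp; do
        path="$logdir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            problems=$((problems + 1))
            continue
        fi
        # Parse ls -l rather than stat(1) so the check stays POSIX-portable.
        set -- $(ls -ld "$path")
        perms="$1"; file_owner="$3"
        if [ "$file_owner" != "$owner" ]; then
            echo "OWNER: $path belongs to $file_owner, expected $owner"
            problems=$((problems + 1))
        fi
        # Mode chars 6 and 9 are group/other write: a writable log can be
        # altered by a compromised service running inside the chroot.
        case "$perms" in
            ?????w*|????????w?) echo "WRITABLE: $path ($perms)"
                                problems=$((problems + 1)) ;;
        esac
    done
    # Quotas or a small partition can stop the service writing its logs.
    free_kb=$(df -Pk "$chroot_dir" | awk 'NR == 2 { print $4 }')
    if [ "${free_kb:-0}" -lt "$min_free_kb" ]; then
        echo "DISK: only ${free_kb:-0} KiB free under $chroot_dir"
        problems=$((problems + 1))
    fi
    # Logins inside the chroot only show up when who is pointed at its wtmp.
    if [ -f "$logdir/wtmp" ] && command -v who >/dev/null 2>&1; then
        who "$logdir/wtmp" 2>/dev/null || true
    fi
    [ "$problems" -eq 0 ]
}
```

Run it as audit_chroot_logs /opt/chroot root from a cron job and alert on a non-zero exit status.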