The information to be logged from a service in a chroot environment does not differ from when the service executes from the normal root. In fact, part of the build policy related to the chroot configuration should explicitly state the logging requirements. Nevertheless, disk space is a major consideration for this scenario. One of the reasons to create a chroot environment is to minimize the disk space available to attackers in the event of a compromise. Once again, you have several options for logging the service.
Even though the service may be writing to a file in the /var/log directory, this directory is within the chroot environment. However, other processes on the system with the correct privileges can freely access the files in /opt/chroot/var/log. A simple cron job can periodically move logs from the chroot environment to a location that is more secure and has more disk space available. This also helps the administrator centralize and parse logs.
A basic log directory would appear as such:
/var/
    log/
        lastlog
        messages
        secure
        wtmp
    run/
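The cron job described above could look like this (an added example, not part of the original text). The archive location /var/log/chroot-archive, the script path in the crontab comment, the function name move_chroot_logs and the choice of messages and secure as the files to move are assumptions; wtmp and lastlog are left in place so they can still be queried from the host.

```shell
#!/bin/sh
# Added example: run from root's crontab on the host, outside the chroot.
# CHROOT_LOG is the path used in the text; ARCHIVE and LOGS are assumptions.
CHROOT_LOG=${CHROOT_LOG:-/opt/chroot/var/log}
ARCHIVE=${ARCHIVE:-/var/log/chroot-archive}
LOGS=${LOGS:-"messages secure"}  # wtmp/lastlog stay put so who(1) can read them

# move_chroot_logs SRC_DIR DEST_DIR NAME...
# Returns 0 if every named log was archived or empty, 1 if any was skipped.
move_chroot_logs() {
    src=$1 dest=$2; shift 2
    stamp=$(date +%Y%m%d-%H%M%S)
    rc=0
    umask 077                        # archived copies readable by root only
    mkdir -p "$dest" || return 1
    for name in "$@"; do
        f=$src/$name
        # The confined service can write here, so a privileged job must not
        # follow a symlink or touch anything that is not a plain file.
        # (Best-effort check; a root-owned log directory closes the race.)
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "skip $f: not a regular file" >&2
            rc=1
            continue
        fi
        [ -s "$f" ] || continue      # nothing new since the last run
        # Copy, then truncate in place: the service keeps its open file
        # descriptor, and the chroot partition gets its space back.
        if cp "$f" "$dest/$name.$stamp"; then
            : > "$f"
        else
            rc=1                     # copy failed: leave the source untouched
        fi
    done
    return $rc
}

# Hypothetical crontab entry on the host:
#   */15 * * * * /usr/local/sbin/chroot-logs.sh --run
if [ "${1:-}" = "--run" ]; then
    # LOGS is deliberately unquoted so it splits into separate names.
    move_chroot_logs "$CHROOT_LOG" "$ARCHIVE" $LOGS
fi
```

Lines written between the copy and the truncate are lost; a service that can reopen its logfile on a signal avoids this by having the job rename the file first.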
The other option is to forgo writing logs in the chroot environment altogether and send the log messages to a syslog server. This has the benefit that you can further restrict the size of the partition assigned to chroot. You must create an /etc/syslog.conf file in the chroot environment to do this.
Additionally, be aware that commands such as w or who only apply to their current environment by default. This is the desired result for the chroot environment (users in chroot cannot observe if non-chroot users are logged in). As an administrator, you should still monitor when users log in, what commands they execute, and when they log out. In fact, this is easy to do. Typing who on the host system only displays users who are not authenticated within a chroot environment (via pam_chroot, for example).
# who
root pts/0 May 7 09:08 (10.0.1.3)
root pts/1 May 7 09:08 (10.0.1.3)
To observe the users logged into a chroot environment, query the appropriate wtmp file:
# who /opt/chroot/var/log/wtmp
mike May 7 09:40 (10.0.1.3)
Logfiles provide useful information not only if a compromise occurs, but also for monitoring the status of a chroot environment and the problems that might occur in it.