RHEL 7 and 8, syslog-ng 3.19 and 3.31

We have always set permissions on directories that we want the Splunk universal forwarder to be able to read as root:splunk 640, but now security doesn't like this and wants everything under /var/log to always be root:root except for some specific exceptions. We had tried to solve this with an ACL in the past; however, syslog-ng always seems to clobber the ACL, even when it's the default ACL on the folder. Is this a known issue? Is there a way to get syslog-ng to play nice with ACLs?

Thanks,
-Mark

Mark Faine
System Administrator
SAIC/NICS
215 Wynn Dr. 5065
Huntsville, AL 35805
256-961-1295 (Desk)
256-617-4861 (Work Cell)
Hi Mark,

On Tue, May 18, 2021 at 04:57:39PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:

> We have always set permissions on directories that we want the Splunk universal forwarder to be able to read as root:splunk 640, but now security doesn't like this and wants everything under /var/log to always be root:root except for some specific exceptions. We had tried to solve this with an ACL in the past, however, syslog-ng always seems to clobber the ACL, even when it's the default ACL on the folder. Is this a known issue, is there a way to get syslog-ng to play nice with ACLs.

Did you consider using `hook-commands()` to set the ACL on startup?
No, I can try that, but I don't suspect it will help since the ACLs are there when syslog-ng starts. However, after files are written to or a new file is created, the ACL is lost.

Thanks,
Mark
On Wed, May 19, 2021 at 12:24:10PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:

> No, I can try that, but I don't suspect it will help since the ACLs are there when syslog-ng starts. However, after files are written to or a new file is created, the ACL is lost.

You could back up the ACL in setup() and restore it in startup(), or something like that.

I thought of something else: did you try using owner() (without argument)? According to the docs, it should retain the "original properties of the file", although I'm not sure this includes ACLs.
I have tried the backup and restore and it just got to be too complicated. I did not know about owner(); if that works it will solve the problem. Currently we're setting everything, like this:

    perm(0640);
    dir-perm(0750);
    dir-owner('root');
    owner('root');
    dir-group('splunk');
    group('splunk');

Hopefully, all of those options can be specified with empty parameters. Basically, I just need syslog-ng to not do anything with permissions and everything should be fine.

-Mark
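An added example, not from either poster, of the two settings discussed above. It assumes a log tree under /var/log/hosts (a made-up path), a syslog-ng file() destination, and that the acl package (setfacl) is installed on the host: the explicit root:splunk block Mark describes, beside a root:root variant that uses owner()/group() with no argument and a hook-commands() startup hook to re-apply the splunk read ACL.

```conf
# Added example, not from the thread. Assumes /var/log/hosts as the log tree
# and setfacl available on the host.

# Variant 1: what the thread describes today. syslog-ng sets mode, owner and
# group explicitly on every file and directory it creates, so the files end
# up root:splunk rather than root:root.
destination d_hosts_explicit {
    file("/var/log/hosts/${HOST}/messages"
        create-dirs(yes)
        dir-perm(0750) dir-owner("root") dir-group("splunk")
        perm(0640)     owner("root")     group("splunk")
    );
};

# Variant 2: keep root:root as required and grant the forwarder read access
# through an ACL only. owner()/group() without an argument are the form
# Fabien points to in the docs for leaving an existing file's attributes
# alone. The startup hook re-applies a default ACL on the tree so that files
# and directories created later inherit read (and directory traverse) for
# the splunk group, and -R adds the same entry to anything already present.
destination d_hosts_acl {
    file("/var/log/hosts/${HOST}/messages"
        create-dirs(yes)
        dir-perm(0750) dir-owner("root") dir-group("root")
        perm(0640)     owner()           group()
        hook-commands(
            startup("setfacl -R -m g:splunk:rX -m d:g:splunk:rX /var/log/hosts")
        )
    );
};
```

After a restart, `getfacl /var/log/hosts` should list both the `group:splunk:r-x` access entry and the `default:group:splunk:r-x` entry; if a freshly created file still lacks its inherited entry, the loss is happening after creation and the hook alone will not cover it.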