logs and emails

Kevin Fenzi kevin at scrye.com
Fri Aug 26 22:09:01 UTC 2011


This change has been made. 

Please let me know if you spot any problems or issues with it. 

kevin
--
On Wed, 10 Aug 2011 12:59:10 -0600
Kevin Fenzi <kevin at scrye.com> wrote:

> On Thu, 4 Aug 2011 11:17:18 -0600
> Stephen John Smoogen <smooge at gmail.com> wrote:
> 
> ...snip...
> 
> > >> Passwords creep into the logs every now and then. The usual is
> > >> that someone tries to log in with their password. Sorry about the
> > >> write on group, I thought I fixed that a while ago.
> > >
> > > Yeah, I'll go look through logs and see if there's anything there
> > > that looks problematic. We might be able to just have the system
> > > log ones readable, but leave the httpd ones closed up (those
> > > would be the only ones that might have passwords I would think).
> > 
> > Hmmm I thought the httpd ones were more open :).
> 
> So, I did some digging around and I can't offhand find any passwords
> in any of the httpd error logs or the like. Of course that doesn't
> prevent a bug from happening. 
> 
> So, what I would propose on this
> (after the freeze): 
> 
> * chown -R root:root /var/log/hosts /var/log/merged
> * chmod -R 0644 /var/log/hosts /var/log/merged
> * change /etc/rsyslog.conf to: 
> $DirCreateMode 0755
> $FileCreateMode 0644
> $FileOwner root
> $FileGroup root
> * add 'fi-apprentice' to be able to log in there. 
> 
> If we find anything logging sensitive information, we need to fix it
> not to do that, and/or re-evaluate. 
> 
> kevin
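
An added example, not part of the original message and not Fedora Infrastructure's own tooling: a shell function that audits a log tree against the ownership and modes proposed in the thread. Directories are checked against the $DirCreateMode value (0755) because a directory needs its search bit to be traversed; audit_log_tree, make_sample_tree and the sample paths are hypothetical names.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not Fedora Infrastructure code).
# audit_log_tree DIR [OWNER] [GROUP]
# Prints one line per path that deviates from the proposed settings and
# returns 1 if any were found, 0 if the tree is clean.
audit_log_tree() {
    dir=$1
    owner=${2:-root}   # $FileOwner
    group=${3:-root}   # $FileGroup
    findings=$(
        # Directories: expect $DirCreateMode 0755 (search bit required).
        find "$dir" -type d ! -perm 0755 | sed 's/^/dir-mode: /'
        # Regular files: expect $FileCreateMode 0644.
        find "$dir" -type f ! -perm 0644 | sed 's/^/file-mode: /'
        # Anything not owned by the expected user and group.
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) |
            sed 's/^/owner: /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree for trying the audit without touching /var/log:
# one directory left at 0750 and one log file left at 0600.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/hosts/web01" "$t/hosts/db01" "$t/merged"
    : > "$t/hosts/web01/messages.log"
    : > "$t/merged/secure.log"
    chmod 0755 "$t" "$t/hosts" "$t/hosts/web01" "$t/merged"
    chmod 0644 "$t/hosts/web01/messages.log"
    chmod 0750 "$t/hosts/db01"          # deviates: directory mode
    chmod 0600 "$t/merged/secure.log"   # deviates: file mode
    printf '%s\n' "$t"
}

# Run against the directories given on the command line, if any, e.g.
#   sh audit.sh /var/log/hosts /var/log/merged
for d in "$@"; do
    audit_log_tree "$d"
done
```

Run as a scheduled check on the log host, a non-empty report means something recreated a file or directory outside the rsyslog create modes.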