logs and emails

Kevin Fenzi kevin at scrye.com
Thu Aug 4 16:24:38 UTC 2011 

On Thu, 4 Aug 2011 10:02:21 -0600
Stephen John Smoogen <smooge at gmail.com> wrote:

> On Thu, Aug 4, 2011 at 09:07, Kevin Fenzi <kevin at scrye.com> wrote:
> > Greetings.
> >
> > Two items I'd like some feedback on...
> >
> > 1. Would there be any downsides to switching sysadmin-qa over to
> > requiring just 'cla_done' instead of sysadmin? The QA admins get
> > seperate nagios emails to sysadmin-qa on their machines, and don't
> > use our puppet so they don't care about commit emails. Is there
> > some other reason sysadmin needs to be a requirement for
> > sysadmin-$foo groups?
> 
> I think we will need to get Toshio and Mike to go in on this. I don't
> know if there is particular fas logic that happens also. 

Agreed. :) 

> To me the
> bigger question is.. do we need to have the root emails going to
> sysadmin or to a subgroup. If those emails go down to say
> sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do
> the same thing.

No, root emails only go to sysadmin-main. I'd really prefer that to
stay that way. We do get emails with passwords or the like... (bounces
from fas accounts that have invalid emails, etc)

> > 2. I'd like to allow apprentice folks to look at logs on log02.
> > Currently this is just sysadmin-main and -noc. Can anyone think of
> > anything we log that might be too sensitive for this? We shouldn't
> > be logging any passwords (although I can look). I'd also like to
> > make sure all the logs on log02 are ro to everyone (but main).
> > Currently many of the directories there are writable for sysadmin
> > group, which seems wrong to me.
> 
> Passwords creep into the logs every now and then. The usual is that
> someone tries to login with their password. Sorry about the write on
> group, I thought i fixed that a while ago.

Yeah, I'll go look thru logs and see if there's anything there that
looks problematic. We might be able to just have the system log ones
readable, but leave the httpd ones closed up (those would be the only
ones that might have passwords I would think). 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20110804/40de495c/attachment.bin

More information about the infrastructure mailing list