Honeypots
mailing list archives
roo Bug #316 (2nd try)
From: "Earl Sammons" <esammons () hush com>
Date: Tue, 28 Jun 2005 11:20:26 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
1st attempt bounced...
Earl
Return-Path: <esammons () hush com>
Delivered-To: moderator for honeypots () securityfocus com
Received: (qmail 27775 invoked from network); 23 Jun 2005 13:40:03 -0000
All,
If you are running the Honeynet Project's 'roo' Honeywall, you will
want to have a look at Bugzilla item #316.
https://bugs.honeynet.org/show_bug.cgi?id=316
Essentially logrotate fails while attempting to rotate
/var/log/messages because we (Well it was my doing ;P) set the
"Append Only" attribute bit on the file without setting up a means
by which to handle it accordingly. Two possible fixes...
If you don't care about keeping your Honeywall as close to NIST
recommendations as possible just:
chattr -a /var/log/messages
and you will be good.
The "lockdown" script (/usr/local/bin/lockdown-hw.sh) is where the
append only attrib is being set on first boot of a freshly
installed roo. So, if you ever re-run this (good practice) on a
roo version <= 1.0.hw-139 it will reset the append only bit again
(fyi).
If you prefer to keep things as "NISTIFIED" as possible, I've
posted a logrotate config workaround to deal with the attrib
stuff. Please see:
https://bugs.honeynet.org/show_bug.cgi?id=316
We appreciate the time people take to detail bugs like this in
roo's Bugzilla database. Everyone benefits from the lessons
learned.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkLBmZEACgkQk7+e+4lPSm0/ewCfSLSZTE5T1Fs0y3wXF7J3b9Nb9XAA
niyxIAy2wBbKLfk84SPDkrQHKyfo
=O66O
-----END PGP SIGNATURE-----
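
One way a logrotate stanza can cope with the append-only bit described in the message above. This is an added example: it is not part of the original post and is not the workaround attached to Bugzilla #316. The schedule, retention, file mode and syslogd pid-file path are assumptions.

```conf
# Added example: logrotate stanza for a log file that carries the
# append-only attribute (chattr +a). Values marked "assumed" are not
# taken from the roo Honeywall configuration.
/var/log/messages {
    # Assumed schedule and retention; adjust to local policy.
    weekly
    rotate 4
    missingok
    # Assumed ownership and mode for the fresh file created after the rename.
    create 0600 root root

    # Runs before the rename. An append-only file cannot be renamed,
    # so the bit is cleared only for the duration of the rotation.
    # If this script fails, logrotate skips rotating the file.
    prerotate
        chattr -a /var/log/messages
    endscript

    # Runs after the rename, once the new empty file exists.
    postrotate
        # Restore the attribute on the new live file first, so the
        # window without it stays as short as possible.
        chattr +a /var/log/messages
        # Make syslogd reopen its log files (assumed pid-file path).
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

Rotated copies are left without the attribute here so that later rotations can rename them. Running `logrotate -d` against the file shows what would be done without changing anything, and `lsattr /var/log/messages` confirms the bit is back after a real rotation.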