securely access to application logs
kona_iron@yahoo.fr 2005-02-14, 5:55 pm
Hello,
We have a lot of Solaris servers, each with multiple applications that
generate application logs.
Some application logs have to be read by "non-privileged" users.
We cannot give direct access to these logs, so the idea is to have a
log server.
These applications do not use syslog, so it is not easy to export these
logs to another server.
What do you suggest?
We need a solution as secure as possible, so no NFS or Samba.
Thanks a lot for any advice.
Michael Vilain 2005-02-15, 8:06 am
In article <1108422851.143107.293540@z14g2000cwz.googlegroups.com>,
kona_iron@yahoo.fr wrote:
> Hello,
> We have a lot of Solaris servers, each with multiple applications that
> generate application logs.
> Some application logs have to be read by "non-privileged" users.
> We cannot give direct access to these logs, so the idea is to have a
> log server.
> These applications do not use syslog, so it is not easy to export these
> logs to another server.
> What do you suggest?
> We need a solution as secure as possible, so no NFS or Samba.
>
> Thanks a lot for any advice.
Set up sudo to use a paginator that doesn't allow shelling out. Build
"less" to not allow a shell and create scripts that provide listings of the
log files. Use sudo to allow non-privileged users to access them.
This requires that they log in to a non-privileged account running a restricted
shell and use a UNIX command line. If they are grown up enough to
require access to log files, they can deal with a command line.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
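A wrapper of the kind Michael describes, written out here as an added example (it is not code from the thread or from any of its posters). The layout is assumed: one directory per application under /var/app/logs, the script installed as /usr/local/sbin/viewlog, and readers collected in a Unix group "logreaders" that sudoers allows to run only this script. Instead of rebuilding less, it runs the stock binary with LESSSECURE=1, which disables the shell, pipe, :e and v commands, and it refuses any name that could leave the log tree.

```shell
#!/bin/sh
# viewlog: wrapper that non-privileged users run via sudo to list and page
# through application logs without getting a shell.  Added example, not from
# the thread.  Assumed (hypothetical) layout: one directory per application
# under /var/app/logs, wrapper installed as /usr/local/sbin/viewlog, readers
# in a Unix group "logreaders".
#
# Matching sudoers entry (edit with visudo; group name is an assumption):
#   %logreaders ALL = (root) NOPASSWD: /usr/local/sbin/viewlog
# Nothing else is granted, so the only route to a log is through this script.

LOGROOT=${LOGROOT:-/var/app/logs}

# validate_logname NAME: accept only a relative "app/file" token made of
# [A-Za-z0-9._-] and single slashes; reject empty names, absolute paths,
# trailing slashes, any ".." and doubled slashes so the name cannot escape
# LOGROOT (".." is refused anywhere, which is deliberately conservative).
validate_logname() {
    case "$1" in
        ''|/*|*/|*..*|*//*) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# resolve_log NAME: print the absolute path if NAME is valid and names a
# regular, non-symlinked file under LOGROOT.  Symlinks are refused so a link
# planted in an "other"-writable application directory cannot point elsewhere.
resolve_log() {
    validate_logname "$1" || return 1
    path="$LOGROOT/$1"
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    printf '%s\n' "$path"
}

# list_logs: show what can be viewed, relative to LOGROOT, one per line.
list_logs() {
    ( cd "$LOGROOT" && find . -type f -name '*.log' | sed 's|^\./||' | sort )
}

# view_log NAME: page the file with less in secure mode.  LESSSECURE=1 turns
# off the shell (!), pipe (|), :e and v commands; LESSOPEN/LESSCLOSE are
# unset so no preprocessor command inherited from the caller can run.
view_log() {
    path=$(resolve_log "$1") || { echo "viewlog: no such log: $1" >&2; return 1; }
    unset LESSOPEN LESSCLOSE
    LESSSECURE=1 exec less -- "$path"
}

# Dispatch only when invoked with arguments, so the functions can also be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then
    case "$1" in
        list) list_logs ;;
        view) view_log "${2:-}" ;;
        *) echo "usage: viewlog list | viewlog view APP/FILE.log" >&2; exit 2 ;;
    esac
fi
```

Users then run `sudo viewlog list` and `sudo viewlog view app1/error.log`; the sudoers entry names the script with its full path and no wildcard, so sudo cannot be talked into running anything else. The "other"-readable files kona mentions are unaffected by this, since the wrapper only adds a controlled path to files the users could not otherwise read.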
kona_iron@yahoo.fr 2005-02-15, 6:02 pm
Thank you, Michael.
Some of our Solaris servers were not prepared to host "guest" users. A
lot of applications were installed with "other" access rights. We cannot
remove these access rights so easily without being sure that there is no
impact.
So in the meantime I am also thinking of using SUDO. But I'm not sure that SUDO
can solve my problem, because of some files that are too "open" (other
access).
And a restricted shell cannot prevent access to a file if I know its path,
right?
Regards.
Michael Vilain wrote:
> In article <1108422851.143107.293540@z14g2000cwz.googlegroups.com>,
> kona_iron@yahoo.fr wrote:
>
> Set up sudo to use a paginator that doesn't allow shelling out. Build
> "less" to not allow a shell and create scripts that provide listings of the
> log files. Use sudo to allow non-privileged users to access them.
>
> This requires that they log in to a non-privileged account running a restricted
> shell and use a UNIX command line. If they are grown up enough to
> require access to log files, they can deal with a command line.
>
> --
> DeeDee, don't press that button! DeeDee! NO! Dee...
Michael Vilain 2005-02-16, 2:48 am
In article <1108502934.853182.283030@g14g2000cwa.googlegroups.com>,
kona_iron@yahoo.fr wrote:
> Thank you, Michael.
> Some of our Solaris servers were not prepared to host "guest" users. A
> lot of applications were installed with "other" access rights. We cannot
> remove these access rights so easily without being sure that there is no
> impact.
> So in the meantime I am also thinking of using SUDO. But I'm not sure that SUDO
> can solve my problem, because of some files that are too "open" (other
> access).
> And a restricted shell cannot prevent access to a file if I know its path,
> right?
> Regards.
The only other thing I can think of is to write a CGI web interface
that can access the files. You'll still have the access-rights problem,
but you'll have that problem regardless of the solution. You have to
balance the "skill level" (aka stupidity) of your users against their need
to access this information.
I don't envy you this task. You have to either allow full access or
break the application. I'd start working with the developers to fix the
access problems. You won't get anywhere with this until they fix their
code.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
kona_iron@yahoo.fr wrote:
> Hello,
> We have a lot of Solaris servers, each with multiple applications that
> generate application logs.
> Some application logs have to be read by "non-privileged" users.
> We cannot give direct access to these logs, so the idea is to have a
> log server.
> These applications do not use syslog, so it is not easy to export these
> logs to another server.
> What do you suggest?
> We need a solution as secure as possible, so no NFS or Samba.
>
> Thanks a lot for any advice.
>
How about using "logger" and sending to a syslog server, a bit like this:
logger -p local1.notice -t APPSERV01 -f /path/logfile
This should read the file "/path/logfile" line by line and send it to syslog
with the priority "local1.notice" and the tag "APPSERV01".
Then set up syslog for remote logging for local1.notice etc.
You might have to get a little more tricky, doing something like:
cat <logfile> >> <store log> && logger -p local1.notice -t APPSERV01 -f <logfile> && cat /dev/null > <logfile>
This gives you a full set of logs on the application server (<store log>) and a
running log to send to syslog.
Whack it in cron and you're away.
Other possible options I can think of:
Replace the application log file with a named pipe and run the logger command on that.
Or even use scp to go and get the files every 5 minutes or so if real time
is not that important.
-Harv
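The cron-driven logger approach Harv sketches, written out as an added example (it is not Harv's code or anything from the thread). Rather than copying and truncating the file, this version remembers a byte offset in a state file, ships only the complete lines added since the last run, leaves the application's file untouched so the full history stays on the application server, and starts over from zero when the file has been rotated or truncated. The tag APPSERV01 and facility local1 are taken from Harv's command; the state-file path, the crontab line and the script name are assumptions. The sink is a shell function so the shipping logic can be exercised without a syslog daemon.

```shell
#!/bin/sh
# shiplog: forward lines appended to a non-syslog application log to syslog
# via logger(1), run from cron.  Added example, not code from the thread.
# Assumed (hypothetical): a state file per log, e.g.
# /var/lib/shiplog/<name>.offset, in a directory writable only by root.
#
# Crontab line (assumption), every 5 minutes:
#   */5 * * * * /usr/local/sbin/shiplog /path/logfile /var/lib/shiplog/app.offset

TAG=${TAG:-APPSERV01}
PRIORITY=${PRIORITY:-local1.notice}

# logger_sink: read records on stdin, one line each, into syslog.  With no
# message argument logger reads stdin line by line, just as -f FILE does.
logger_sink() {
    logger -p "$PRIORITY" -t "$TAG"
}

# read_offset STATEFILE: byte offset already shipped, 0 on the first run.
read_offset() {
    if [ -f "$1" ]; then cat "$1"; else printf '0\n'; fi
}

# shiplog LOGFILE STATEFILE [SINKFUNC]: ship the complete lines added since
# the recorded offset, then persist the new offset atomically.  The log file
# itself is never written to, so the application keeps appending to the same
# inode and nothing is lost between runs.
shiplog() {
    log=$1; state=$2; sink=${3:-logger_sink}
    off=$(read_offset "$state")
    size=$(wc -c < "$log" | tr -d ' ')
    # File shorter than our offset: it was rotated or truncated, start over.
    if [ "$size" -lt "$off" ]; then off=0; fi
    if [ "$size" -eq "$off" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    tail -c +$((off + 1)) "$log" > "$tmp"
    new=$(wc -c < "$tmp" | tr -d ' ')
    # Ship only whole lines: a half-written last line waits for the next run.
    if [ "$(tail -c 1 "$tmp" | wc -l | tr -d ' ')" -eq 1 ]; then
        complete=$new
    else
        partial=$(tail -n 1 "$tmp" | wc -c | tr -d ' ')
        complete=$((new - partial))
    fi
    if [ "$complete" -gt 0 ]; then
        # dd is used instead of head -c so the script also runs where head
        # has no -c option; one block of $complete bytes from a regular file.
        dd if="$tmp" bs="$complete" count=1 2>/dev/null | "$sink" || { rm -f "$tmp"; return 1; }
        printf '%s\n' "$((off + complete))" > "$state.tmp" && mv "$state.tmp" "$state"
    fi
    rm -f "$tmp"
}

# Run only when given a log and a state file, so the functions can also be
# sourced and exercised on their own.
if [ $# -ge 2 ]; then
    shiplog "$@"
fi
```

On the receiving side the syslog server still needs a rule that stores local1.* in its own file, and the same read-access question comes back there; the difference is that the reader now only needs an account on the log server, not on every application host.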
kona_iron@yahoo.fr 2005-02-17, 5:54 pm
Hi Harv,
Thank you, good advice.
harv wrote:
> kona_iron@yahoo.fr wrote:
> How about using "logger" and sending to a syslog server, a bit like this:
> logger -p local1.notice -t APPSERV01 -f /path/logfile
> This should read the file "/path/logfile" line by line and send it to syslog
> with the priority "local1.notice" and the tag "APPSERV01".
> Then set up syslog for remote logging for local1.notice etc.
>
> You might have to get a little more tricky, doing something like:
>
> cat <logfile> >> <store log> && logger -p local1.notice -t APPSERV01 -f <logfile> && cat /dev/null > <logfile>
>
> This gives you a full set of logs on the application server (<store log>) and a
> running log to send to syslog.
>
> Whack it in cron and you're away.
>
> Other possible options I can think of:
> Replace the application log file with a named pipe and run the logger command on that.
> Or even use scp to go and get the files every 5 minutes or so if real time
> is not that important.
>
> -Harv