08-04-2011, 03:07 PM
Kevin Fenzi

logs and emails

Greetings.

Two items I'd like some feedback on...

1. Would there be any downsides to switching sysadmin-qa over to
requiring just 'cla_done' instead of sysadmin? The QA admins get
separate nagios emails to sysadmin-qa on their machines, and don't use
our puppet so they don't care about commit emails. Is there some other
reason sysadmin needs to be a requirement for sysadmin-$foo groups?

2. I'd like to allow apprentice folks to look at logs on log02.
Currently this is just sysadmin-main and -noc. Can anyone think of
anything we log that might be too sensitive for this? We shouldn't be
logging any passwords (although I can look). I'd also like to make sure
all the logs on log02 are ro to everyone (but main). Currently many of
the directories there are writable for sysadmin group, which seems
wrong to me.

Thoughts? Concerns? Stories?

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
08-04-2011, 04:02 PM
Stephen John Smoogen

logs and emails

On Thu, Aug 4, 2011 at 09:07, Kevin Fenzi <kevin@scrye.com> wrote:
> Greetings.
>
> Two items I'd like some feedback on...
>
> 1. Would there be any downsides to switching sysadmin-qa over to
> requiring just 'cla_done' instead of sysadmin? The QA admins get
> separate nagios emails to sysadmin-qa on their machines, and don't use
> our puppet so they don't care about commit emails. Is there some other
> reason sysadmin needs to be a requirement for sysadmin-$foo groups?

I think we will need to get Toshio and Mike to go in on this. I don't
know if there is particular fas logic that happens also. To me the
bigger question is.. do we need to have the root emails going to
sysadmin or to a subgroup. If those emails go down to say
sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do
the same thing.

> 2. I'd like to allow apprentice folks to look at logs on log02.
> Currently this is just sysadmin-main and -noc. Can anyone think of
> anything we log that might be too sensitive for this? We shouldn't be
> logging any passwords (although I can look). I'd also like to make sure
> all the logs on log02 are ro to everyone (but main). Currently many of
> the directories there are writable for sysadmin group, which seems
> wrong to me.

Passwords creep into the logs every now and then. The usual is that
someone tries to login with their password. Sorry about the write on
group, I thought I fixed that a while ago.

> Thoughts? Concerns? Stories?
>
> kevin
>

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
 
08-04-2011, 04:24 PM
Kevin Fenzi

logs and emails

On Thu, 4 Aug 2011 10:02:21 -0600
Stephen John Smoogen <smooge@gmail.com> wrote:

> On Thu, Aug 4, 2011 at 09:07, Kevin Fenzi <kevin@scrye.com> wrote:
> > Greetings.
> >
> > Two items I'd like some feedback on...
> >
> > 1. Would there be any downsides to switching sysadmin-qa over to
> > requiring just 'cla_done' instead of sysadmin? The QA admins get
> > separate nagios emails to sysadmin-qa on their machines, and don't
> > use our puppet so they don't care about commit emails. Is there
> > some other reason sysadmin needs to be a requirement for
> > sysadmin-$foo groups?
>
> I think we will need to get Toshio and Mike to go in on this. I don't
> know if there is particular fas logic that happens also.

Agreed.

> To me the
> bigger question is.. do we need to have the root emails going to
> sysadmin or to a subgroup. If those emails go down to say
> sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do
> the same thing.

No, root emails only go to sysadmin-main. I'd really prefer that to
stay that way. We do get emails with passwords or the like... (bounces
from fas accounts that have invalid emails, etc)

> > 2. I'd like to allow apprentice folks to look at logs on log02.
> > Currently this is just sysadmin-main and -noc. Can anyone think of
> > anything we log that might be too sensitive for this? We shouldn't
> > be logging any passwords (although I can look). I'd also like to
> > make sure all the logs on log02 are ro to everyone (but main).
> > Currently many of the directories there are writable for sysadmin
> > group, which seems wrong to me.
>
> Passwords creep into the logs every now and then. The usual is that
> someone tries to login with their password. Sorry about the write on
> group, I thought I fixed that a while ago.

Yeah, I'll go look thru logs and see if there's anything there that
looks problematic. We might be able to just have the system log ones
readable, but leave the httpd ones closed up (those would be the only
ones that might have passwords I would think).

kevin
 
08-04-2011, 05:17 PM
Stephen John Smoogen

logs and emails

On Thu, Aug 4, 2011 at 10:24, Kevin Fenzi <kevin@scrye.com> wrote:
> On Thu, 4 Aug 2011 10:02:21 -0600

>> To me the
>> bigger question is.. do we need to have the root emails going to
>> sysadmin or to a subgroup. If those emails go down to say
>> sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do
>> the same thing.
>
> No, root emails only go to sysadmin-main. I'd really prefer that to
> stay that way. We do get emails with passwords or the like... (bounces
> from fas accounts that have invalid emails, etc)

Sorry, I meant cron and other emails that various people get that they
don't know why.

>> > 2. I'd like to allow apprentice folks to look at logs on log02.
>> > Currently this is just sysadmin-main and -noc. Can anyone think of
>> > anything we log that might be too sensitive for this? We shouldn't
>> > be logging any passwords (although I can look). I'd also like to
>> > make sure all the logs on log02 are ro to everyone (but main).
>> > Currently many of the directories there are writable for sysadmin
>> > group, which seems wrong to me.
>>
>> Passwords creep into the logs every now and then. The usual is that
>> someone tries to login with their password. Sorry about the write on
>> group, I thought I fixed that a while ago.
>
> Yeah, I'll go look thru logs and see if there's anything there that
> looks problematic. We might be able to just have the system log ones
> readable, but leave the httpd ones closed up (those would be the only
> ones that might have passwords I would think).

Hmmm, I thought the httpd ones were more open.

> kevin
>

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
 
08-10-2011, 06:59 PM
Kevin Fenzi

logs and emails

On Thu, 4 Aug 2011 11:17:18 -0600
Stephen John Smoogen <smooge@gmail.com> wrote:

...snip...

> >> Passwords creep into the logs every now and then. The usual is that
> >> someone tries to login with their password. Sorry about the write
> >> on group, I thought I fixed that a while ago.
> >
> > Yeah, I'll go look thru logs and see if there's anything there that
> > looks problematic. We might be able to just have the system log ones
> > readable, but leave the httpd ones closed up (those would be the
> > only ones that might have passwords I would think).
>
> Hmmm, I thought the httpd ones were more open.

So, I did some digging around and I can't offhand find any passwords
in any of the httpd error logs or the like. Of course that doesn't
prevent a bug from happening.

So, what I would propose on this
(after the freeze):

* chown -R root:root /var/log/hosts /var/log/merged
* chmod -R 0644 /var/log/hosts /var/log/merged
* change /etc/rsyslog.conf to:
$DirCreateMode 0755
$FileCreateMode 0644
$FileOwner root
$FileGroup root
* add 'fi-apprentice' to be able to login there.

If we find anything logging sensitive information, we need to fix it
not to do that, and/or re-evaluate.

kevin
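As an added example (not code from the thread or from Fedora Infrastructure), a POSIX shell audit that checks a log tree against the proposal above: everything owned root:root, files 0644, directories 0755, and the four rsyslog create-mode directives present. The paths /var/log/hosts and /var/log/merged are the ones named in the post; the LOG_OWNER/LOG_GROUP variables and the function names are assumptions.

```shell
#!/bin/sh
# Audit log directories and rsyslog.conf against the proposed settings.
# LOG_OWNER/LOG_GROUP are assumed knobs (default root:root as in the post);
# they can be overridden to audit a test tree owned by a non-root user.
LOG_OWNER="${LOG_OWNER:-root}"
LOG_GROUP="${LOG_GROUP:-root}"

# Print every path under the given trees that deviates from the target
# ownership or mode on stderr, and echo the number of offenders on stdout.
# A non-zero count means a stray group- or world-writable log (or a file
# still owned by the old sysadmin group) survived the chown/chmod step.
audit_log_perms() {
    offenders=""
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "missing: $dir" >&2; continue; }
        found=$( { find "$dir" -type d ! -perm 0755
                   find "$dir" -type f ! -perm 0644
                   find "$dir" ! -user "$LOG_OWNER"
                   find "$dir" ! -group "$LOG_GROUP"; } | sort -u )
        [ -n "$found" ] && offenders="${offenders:+$offenders
}$found"
    done
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        printf '%s\n' "$offenders" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Report which of the four proposed rsyslog directives are absent from the
# given rsyslog.conf (exact whole-line match), echoing the number missing.
check_rsyslog_conf() {
    conf="$1"
    missing=0
    for want in '$DirCreateMode 0755' '$FileCreateMode 0644' \
                '$FileOwner root' '$FileGroup root'; do
        if ! grep -qxF -- "$want" "$conf"; then
            echo "not set in $conf: $want" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Usage on the log host (runs as root, so the defaults apply):
#   audit_log_perms /var/log/hosts /var/log/merged
#   check_rsyslog_conf /etc/rsyslog.conf
```

Running both on a cron schedule after the change would catch rsyslog (or a hand-run tool) recreating a group-writable directory later on.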
 
08-26-2011, 10:09 PM
Kevin Fenzi

logs and emails

This change has been made.

Please let me know if you spot any problems or issues with it.

kevin
--
On Wed, 10 Aug 2011 12:59:10 -0600
Kevin Fenzi <kevin@scrye.com> wrote:

> On Thu, 4 Aug 2011 11:17:18 -0600
> Stephen John Smoogen <smooge@gmail.com> wrote:
>
> ...snip...
>
> > >> Passwords creep into the logs every now and then. The usual is
> > >> that someone tries to login with their password. Sorry about the
> > >> write on group, I thought I fixed that a while ago.
> > >
> > > Yeah, I'll go look thru logs and see if there's anything there
> > > that looks problematic. We might be able to just have the system
> > > log ones readable, but leave the httpd ones closed up (those
> > > would be the only ones that might have passwords I would think).
> >
> > Hmmm, I thought the httpd ones were more open.
>
> So, I did some digging around and I can't offhand find any passwords
> in any of the httpd error logs or the like. Of course that doesn't
> prevent a bug from happening.
>
> So, what I would propose on this
> (after the freeze):
>
> * chown -R root:root /var/log/hosts /var/log/merged
> * chmod -R 0644 /var/log/hosts /var/log/merged
> * change /etc/rsyslog.conf to:
> $DirCreateMode 0755
> $FileCreateMode 0644
> $FileOwner root
> $FileGroup root
> * add 'fi-apprentice' to be able to login there.
>
> If we find anything logging sensitive information, we need to fix it
> not to do that, and/or re-evaluate.
>
> kevin