Subject: misc/574: syslog.conf has insecure configuration
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Luke Mewburn <lukem@dodo.melb.cpr.itg.telecom.com.au>
List: netbsd-bugs
Date: 11/14/1994 15:50:05
>Number:         574
>Category:       misc
>Synopsis:       syslog sends authpriv stuff to insecure places
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (Misc Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   lm
>Arrival-Date:   Mon Nov 14 15:50:04 1994
>Originator:     Luke Mewburn
>Organization:
	Werj
>Release:        1.0
>Environment:
System: NetBSD dodo 1.0_BETA NetBSD 1.0_BETA (DODO) #0: Wed Oct 26 13:36:30 EST 1994 simonb@dodo:/slab/0/src/sys/arch/i386/compile/DODO i386


>Description:
According to the syslog man page:
	LOG_AUTHPRIV	The same as LOG_AUTH, but logged to a file
			readable only by selected individuals.

But, the current syslog.conf file sends *.info to /var/log/messages.
So, login failure messages such as:
	Nov 15 10:37:50 dodo login: 3 LOGIN FAILURES FROM localhost
	Nov 15 10:37:50 dodo login: 3 LOGIN FAILURES FROM localhost, foo
get scattered through /var/log/messages. The second line should NOT be
appearing there, as the `foo' bit could be a password typed out of sync...

>How-To-Repeat:
Get a login prompt on a machine, and generate a few incorrect logins
and watch messages on the console and /var/log/messages appear...

>Fix:
- apply the following patch to /usr/src/etc/syslog.conf.
- ensure that /var/log/secure exists and has 600 root.wheel
  perms.
- maybe modify /usr/src/etc/newsyslog.conf to rotate the
  secure logs...

Notice how I've removed *.notice since *.info already
grabs that. In fact, mail.crit could have been removed
from the /var/log/messages line since *.notice will get
that as well.

The important modification is the authpriv.none entry
which stops wildcard matches on any authpriv stuff.
I've put authpriv to /var/log/secure (which the 4.4BSD
mdist security stuff checks anyway). If you don't want
these messages appearing on the console either, make
an appropriate change.
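To make the selector behaviour behind the fix concrete, here is an added example (not code from this report or from NetBSD's syslogd) that models how a 4.4BSD-style syslogd evaluates a syslog.conf line: `*` expands to every facility, a message matches at or above the named level, `none` switches a facility off, and where several selectors on one line name the same facility the last one wins. The two configurations are the before/after from the patch; the failed-login record is assumed to be logged at authpriv.notice for the demonstration, which is not something the report states.

```python
"""Model of how a 4.4BSD-style syslogd matches a message against syslog.conf.

Added example, not part of the bug report or of NetBSD's syslogd. It follows
the selector rules documented in syslog.conf(5): a line is
`selector[;selector...]` followed by whitespace and a target; a selector is
`facility[,facility...].level`; `*` stands for every facility; a message
matches when its level is at or above the selector's level; the pseudo-level
`none` switches the facility off for that line; and each selector can modify
the ones preceding it, so the last one naming a facility wins. That last rule
is why `authpriv.none` placed after `*.info` keeps authpriv records out of
/var/log/messages.
"""

# Levels in ascending order of severity (list index = rank).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Facilities expanded by a `*` selector.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# The two configurations from the bug report (whitespace reduced to one tab).
OLD_CONF = """\
*.err;kern.debug;auth.notice;mail.crit\t/dev/console
*.notice;kern.debug;lpr,auth.info;mail.crit\t/var/log/messages
*.info\t/var/log/messages
mail.info\t/var/log/maillog
lpr.info\t/var/log/lpd-errs
cron.info\t/var/cron/log
"""

NEW_CONF = """\
*.err;kern.debug;auth.notice;mail.crit\t/dev/console
*.info;kern.debug;mail.crit;authpriv.none\t/var/log/messages
authpriv.info\t/var/log/secure
mail.info\t/var/log/maillog
lpr.info\t/var/log/lpd-errs
cron.info\t/var/cron/log
"""


def parse_line(line):
    """Parse one config line into ({facility: minimum level index or None}, target).

    None means the facility is off for this line (either `none` or never named).
    """
    selectors, target = line.split()
    table = {}
    for selector in selectors.split(";"):
        facilities, level = selector.rsplit(".", 1)
        names = FACILITIES if facilities == "*" else facilities.split(",")
        for name in names:
            # The last selector naming a facility overrides earlier ones.
            table[name] = None if level == "none" else LEVELS.index(level)
    return table, target


def targets_for(conf, facility, level):
    """Return the sorted, de-duplicated targets a (facility, level) message reaches."""
    rank = LEVELS.index(level)
    targets = set()
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        table, target = parse_line(line)
        minimum = table.get(facility)
        if minimum is not None and rank >= minimum:
            targets.add(target)
    return sorted(targets)


if __name__ == "__main__":
    # Constructed case: a failed-login record, assumed here to be authpriv.notice.
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(label, "authpriv.notice ->", targets_for(conf, "authpriv", "notice"))
    # authpriv at err and above still reaches the console through *.err.
    print("new authpriv.err ->", targets_for(NEW_CONF, "authpriv", "err"))
```

Running it shows the old configuration delivering authpriv.notice to /var/log/messages and the new one delivering it only to /var/log/secure, while authpriv.err still hits /dev/console via `*.err`, the console behaviour the text above leaves as a separate choice. The model also shows that `mail.crit` after `*.info` is a restriction, not a redundancy: on that line mail is narrowed to crit and above.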


*** /etc/syslog.conf	Wed Oct 19 12:01:10 1994
--- syslog.conf	Tue Nov 15 10:45:23 1994
***************
*** 1,6 ****
  *.err;kern.debug;auth.notice;mail.crit		/dev/console
! *.notice;kern.debug;lpr,auth.info;mail.crit	/var/log/messages
! *.info						/var/log/messages
  mail.info					/var/log/maillog
  lpr.info					/var/log/lpd-errs
  cron.info					/var/cron/log
--- 1,6 ----
  *.err;kern.debug;auth.notice;mail.crit		/dev/console
! *.info;kern.debug;mail.crit;authpriv.none	/var/log/messages
! authpriv.info					/var/log/secure
  mail.info					/var/log/maillog
  lpr.info					/var/log/lpd-errs
  cron.info					/var/cron/log
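Review bot: the `/var/log/secure` target on the new `authpriv.info` line has nothing in this patch that creates the file; syslogd does not create missing log files, so the step the Fix section lists by hand (create /var/log/secure, mode 600, root.wheel) needs to land in the same change for the new line to take effect, and the newsyslog.conf entry the Fix section mentions should carry the same 600 mode so rotation does not leave a readable copy. On the new `/var/log/messages` line, keep `mail.crit` even though the description suggests it could go: selectors later on a line modify earlier ones, so `mail.crit` after `*.info` narrows mail to crit and above (exactly as `authpriv.none` relies on the same rule), and dropping it would duplicate every mail.info record from /var/log/maillog into /var/log/messages. The unchanged `/dev/console` line still matches authpriv at err and above through `*.err`, which is the console behaviour the description leaves as a separate choice.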
>Audit-Trail:
>Unformatted: