--On 11 October 2005 11:31 -0400, James Mackinnon wrote:
I created a file that has the following info and made it executable to root and the wheel group and no access to everyone. This file sits in /usr/local/bin with the name logkick:

    #!/bin/sh
    # this file is used to roll over the PFLog file to a new file so that
    # it can be transferred to the Corporate log server every hour
    DATE=$(date +%d%m%y%H)
    HOSTNM=$(hostname)
    sudo mv /var/log/pflog "/var/log/pflog-$DATE$HOSTNM"
    # the rotated file and /var/log are root-owned, so these need root too
    sudo chmod 660 "/var/log/pflog-$DATE$HOSTNM"
    sudo touch /var/log/pflog
    # tell pflogd to reopen its log file
    sudo kill -HUP "$(cat /var/run/pflogd.pid)"

I have created an account on my firewalls and logging system which is in the sudoers file with the ability to do all with no password being prompted for (probably risky but this is why I'm asking for feedback). This user is also part of the wheel group.
See newsyslog.conf(5) - it can signal pflogd for you. Set the gid on the log to one shared by the account used to transfer the log, and use the -f option to pflogd to place the log in a directory with write permissions to that same gid, then your script needs neither root nor wheel access.
I have created a public/private key pair
Good.
I am using a crazy 30 character length password with symbols, caps, numbers etc so I think the account is pretty safe.
You can disable password-based access to that account ('vipw' and change the encrypted password field to *, like is done for the various pre-created daemon accounts), that way the only access can be via the relevant ssh key/s.
Anyhow, any suggestions on this would be great, as I want to make sure the risks associated with the sudoers process are not too risky, and if there is a better way I could do this, as in limiting exactly what someone using sudo can do, as they only have to HUP the pflogd process; that's the only thing I couldn't get working until I took that step.
Look at sudoers(5) if you want to find out how you can control which commands may be executed by which user with/without passwords. There's a lot more that you can do than is demonstrated in the sample sudoers file.
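For reference, here is how the pieces suggested in the reply fit together on OpenBSD. This is an added illustration, not something posted in the thread; the group name pflogs, the account name logxfer and the directory /var/log/pflog.d are assumptions, and the rc.conf.local and newsyslog.conf field layout follows the respective manual pages.

```conf
# /etc/rc.conf.local (assumed values): pflogd -f writes the log into a
# directory owned by the group the transfer account belongs to.
pflogd_flags="-f /var/log/pflog.d/pflog"

# One-time setup, run as root (shown here as comments):
#   groupadd pflogs
#   (add logxfer to the pflogs line in /etc/group)
#   mkdir -m 770 /var/log/pflog.d && chgrp pflogs /var/log/pflog.d

# /etc/newsyslog.conf: rotate every hour (newsyslog runs hourly from
# root's crontab), keep 24 copies, compress, treat as binary (B), and
# send pflogd the default SIGHUP via its pid file so it reopens the log.
# logfile                owner:group  mode  count size when flags pidfile
/var/log/pflog.d/pflog   root:pflogs  660   24    *    1    ZB    /var/run/pflogd.pid

# Transfer account in /etc/master.passwd (edit with vipw): '*' in the
# password field leaves ssh key authentication as the only way in.
logxfer:*:1001:1001::0:0:pflog transfer:/home/logxfer:/bin/sh

# With newsyslog doing the rotation, no sudoers entry is needed at all.
# If a HUP-only rule is still wanted, put the HUP in a root-owned script
# (assumed path below) and allow exactly that command instead of ALL:
Cmnd_Alias HUPPFLOG = /usr/local/sbin/hup-pflogd
logxfer ALL = (root) NOPASSWD: HUPPFLOG
```

The transfer account then only needs group read (and, if it deletes files after copying, group write) on /var/log/pflog.d; root is never involved in the hourly job.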