Greetings.
Two items I'd like some feedback on...
1. Would there be any downsides to switching sysadmin-qa over to requiring just 'cla_done' instead of sysadmin? The QA admins get seperate nagios emails to sysadmin-qa on their machines, and don't use our puppet so they don't care about commit emails. Is there some other reason sysadmin needs to be a requirement for sysadmin-$foo groups?
2. I'd like to allow apprentice folks to look at logs on log02. Currently this is just sysadmin-main and -noc. Can anyone think of anything we log that might be too sensitive for this? We shouldn't be logging any passwords (although I can look). I'd also like to make sure all the logs on log02 are ro to everyone (but main). Currently many of the directories there are writable for sysadmin group, which seems wrong to me.
Thoughts? Concerns? Stories?
kevin
On Thu, Aug 4, 2011 at 09:07, Kevin Fenzi kevin@scrye.com wrote:
Greetings.
Two items I'd like some feedback on...
- Would there be any downsides to switching sysadmin-qa over to
requiring just 'cla_done' instead of sysadmin? The QA admins get seperate nagios emails to sysadmin-qa on their machines, and don't use our puppet so they don't care about commit emails. Is there some other reason sysadmin needs to be a requirement for sysadmin-$foo groups?
I think we will need to get Toshio and Mike to go in on this. I don't know if there is particular fas logic that happens also. To me the bigger question is.. do we need to have the root emails going to sysadmin or to a subgroup. If those emails go down to say sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do the same thing.
- I'd like to allow apprentice folks to look at logs on log02.
Currently this is just sysadmin-main and -noc. Can anyone think of anything we log that might be too sensitive for this? We shouldn't be logging any passwords (although I can look). I'd also like to make sure all the logs on log02 are ro to everyone (but main). Currently many of the directories there are writable for sysadmin group, which seems wrong to me.
Passwords creep into the logs every now and then. The usual is that someone tries to login with their password. Sorry about the write on group, I thought i fixed that a while ago.
Thoughts? Concerns? Stories?
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On Thu, 4 Aug 2011 10:02:21 -0600 Stephen John Smoogen smooge@gmail.com wrote:
On Thu, Aug 4, 2011 at 09:07, Kevin Fenzi kevin@scrye.com wrote:
Greetings.
Two items I'd like some feedback on...
- Would there be any downsides to switching sysadmin-qa over to
requiring just 'cla_done' instead of sysadmin? The QA admins get seperate nagios emails to sysadmin-qa on their machines, and don't use our puppet so they don't care about commit emails. Is there some other reason sysadmin needs to be a requirement for sysadmin-$foo groups?
I think we will need to get Toshio and Mike to go in on this. I don't know if there is particular fas logic that happens also.
Agreed. :)
To me the bigger question is.. do we need to have the root emails going to sysadmin or to a subgroup. If those emails go down to say sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do the same thing.
No, root emails only go to sysadmin-main. I'd really prefer that to stay that way. We do get emails with passwords or the like... (bounces from fas accounts that have invalid emails, etc)
- I'd like to allow apprentice folks to look at logs on log02.
Currently this is just sysadmin-main and -noc. Can anyone think of anything we log that might be too sensitive for this? We shouldn't be logging any passwords (although I can look). I'd also like to make sure all the logs on log02 are ro to everyone (but main). Currently many of the directories there are writable for sysadmin group, which seems wrong to me.
Passwords creep into the logs every now and then. The usual is that someone tries to login with their password. Sorry about the write on group, I thought i fixed that a while ago.
Yeah, I'll go look thru logs and see if there's anything there that looks problematic. We might be able to just have the system log ones readable, but leave the httpd ones closed up (those would be the only ones that might have passwords I would think).
kevin
On Thu, Aug 4, 2011 at 10:24, Kevin Fenzi kevin@scrye.com wrote:
On Thu, 4 Aug 2011 10:02:21 -0600
To me the bigger question is.. do we need to have the root emails going to sysadmin or to a subgroup. If those emails go down to say sysadmin-noc,fi-apprentice,sysadmin-main,sysadmin-hosted it would do the same thing.
No, root emails only go to sysadmin-main. I'd really prefer that to stay that way. We do get emails with passwords or the like... (bounces from fas accounts that have invalid emails, etc)
Sorry I meant cron and other emails that various people get that they don't know why
- I'd like to allow apprentice folks to look at logs on log02.
Currently this is just sysadmin-main and -noc. Can anyone think of anything we log that might be too sensitive for this? We shouldn't be logging any passwords (although I can look). I'd also like to make sure all the logs on log02 are ro to everyone (but main). Currently many of the directories there are writable for sysadmin group, which seems wrong to me.
Passwords creep into the logs every now and then. The usual is that someone tries to login with their password. Sorry about the write on group, I thought i fixed that a while ago.
Yeah, I'll go look thru logs and see if there's anything there that looks problematic. We might be able to just have the system log ones readable, but leave the httpd ones closed up (those would be the only ones that might have passwords I would think).
Hmmm I thought the httpd ones were more open :).
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On Thu, 4 Aug 2011 11:17:18 -0600 Stephen John Smoogen smooge@gmail.com wrote:
...snip...
Passwords creep into the logs every now and then. The usual is that someone tries to login with their password. Sorry about the write on group, I thought i fixed that a while ago.
Yeah, I'll go look thru logs and see if there's anything there that looks problematic. We might be able to just have the system log ones readable, but leave the httpd ones closed up (those would be the only ones that might have passwords I would think).
Hmmm I thought the httpd ones were more open :).
So, I did some digging around and I can't off hand find any passwords in any of the httpd error logs or the like. Of course that doesn't prevent a bug from happening.
So, what I would propose on this (after the freeze):
* chown -R root:root /var/log/hosts /var/log/merged * chmod -R 0644 /var/log/hosts /var/log/merged * change /etc/rsyslog.conf to: $DirCreateMode 0755 $FileCreateMode 0644 $FileOwner root $FileGroup root * add 'fi-apprentice' to be able to login there.
If we find anything logging sensitive information, we need to fix it not to do that, and/or re-evaluate.
kevin
This change has been made.
Please let me know if you spot any problems or issues with it.
kevin -- On Wed, 10 Aug 2011 12:59:10 -0600 Kevin Fenzi kevin@scrye.com wrote:
On Thu, 4 Aug 2011 11:17:18 -0600 Stephen John Smoogen smooge@gmail.com wrote:
...snip...
Passwords creep into the logs every now and then. The usual is that someone tries to login with their password. Sorry about the write on group, I thought i fixed that a while ago.
Yeah, I'll go look thru logs and see if there's anything there that looks problematic. We might be able to just have the system log ones readable, but leave the httpd ones closed up (those would be the only ones that might have passwords I would think).
Hmmm I thought the httpd ones were more open :).
So, I did some digging around and I can't off hand find any passwords in any of the httpd error logs or the like. Of course that doesn't prevent a bug from happening.
So, what I would propose on this (after the freeze):
- chown -R root:root /var/log/hosts /var/log/merged
- chmod -R 0644 /var/log/hosts /var/log/merged
- change /etc/rsyslog.conf to:
$DirCreateMode 0755 $FileCreateMode 0644 $FileOwner root $FileGroup root
- add 'fi-apprentice' to be able to login there.
If we find anything logging sensitive information, we need to fix it not to do that, and/or re-evaluate.
kevin
infrastructure@lists.fedoraproject.org