03-10-2011 09:52 AM
I'm in the process of hardening my servers and I would like to know how low I can set the file permissions on the log files.
The master server is installed on a Solaris 10 server. One media server is also installed on Solaris 10. The clients are Solaris 9, Solaris 10, Red Hat, Windows 2003/8 servers.
As an example I am getting a hit on my scan. The files/directories have permissions of 777.
/usr/openv/netbackup/logs/user_ops/nbjlogs
/usr/openv/netbackup/logs/user_ops
The issue here is security doesn't want there to be world/everyone writable permissions on the directories and files. Can I set the permission to, say, 775 or 774? By the way, the backups are run as root.
Any help would be great.
03-10-2011 12:54 PM
I believe the user_ops directory is primarily used for logs being part of NBU actions any user can initiate on the servers, thus the directories would need to be 777, unless you include a subset of users in a group that can access the directory, and assign the group to the directories, then you would be able to set to 770.
On the other hand, is the information that is being logged a potential security risk?
/A
03-10-2011 01:17 PM
Thanks for your help
Me and the other UNIX/Linux admins have root access. There are 2 Windows backup admins that only have user accounts, but they wouldn't be looking at UNIX logs.
The security risk? - The Security people don't want any world writable files on the system period. The file can be readable. They just don't want any rogue scripts doing harm.
I was just going to change the permissions but I saw some forum posts where people were changing the permissions to 777.
Thanks for your help.
03-10-2011 11:45 PM
SAP and Oracle backups need write access to user_ops, but you can avoid 777 by granting rights at the group level:
e.g:
chown root:dba user_ops
chmod 775 user_ops
The assumption is that all Oracle/SAP users are members of DBA.
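
The group-based approach from the last reply, as an added example that is not part of the thread: it lists what a scanner would flag as world-writable under a log directory, hands the tree to one group, and removes the world-write bit. The function names are hypothetical, and the directory and group passed in are assumptions to adapt to your site.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten a log tree such as
# /usr/openv/netbackup/logs/user_ops so that a group, not "other", can write.

# Print every file or directory under $1 that has the world-write bit set.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under $1 (0 means the scan should be clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Give the tree $1 to group $2, then swap world-write for group-write on
# exactly the entries that were world-writable (777 -> 775, 666 -> 664).
# The group must already contain every account that writes logs here.
restrict_to_group() {
    dir=$1
    group=$2
    find "$dir" ! -type l -exec chgrp "$group" {} + || return 1
    find "$dir" ! -type l -perm -0002 -exec chmod g+w,o-w {} + || return 1
}

# Stand-alone use: script.sh <directory> <group>
if [ "$#" -eq 2 ]; then
    echo "World-writable before: $(count_world_writable "$1")"
    list_world_writable "$1"
    restrict_to_group "$1" "$2" || exit 1
    echo "World-writable after:  $(count_world_writable "$1")"
fi
```

Run it as root against the real directory, then start a user-initiated backup or restore from an account in that group to confirm it can still write its logs.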