Re: pf logging: tcpdump: need root privileges

2006-05-29 Thread steven mestdagh
Daniel Polak [2006-05-29, 00:37:06]:
> Martin,
> 
> The solution in the FAQ was ok for 3.8 but things changed in 3.9.
> 
> For now if you run the script underneath from root's crontab every 5 
> minutes you'll most likely be ok.
> There should be a check in the script to see if it is already running to 
> prevent another instance starting when the old one hasn't finished yet. 
> The check in the script in the FAQ was actually not working anyway so if 
> the script in the FAQ wasn't causing any problems this one will be ok too.
> With this script there is just one script and no need for the user 
> pflogger anymore as everything is done as root. This allows tcpdump to 
> privsep which makes things safer.
> 
> /etc/pflogrotate:
> 
> #!/bin/sh
> # rotate pflog file and feed to syslog
> FILE=/var/log/pflog5min.$(date +%Y%m%d%H%M)
> # ask pflogd to flush its buffered packets to /var/log/pflog
> kill -ALRM $(cat /var/run/pflogd.pid)
> # field 8 (split on single spaces) of OpenBSD's ls -l line is the size;
> # 24 bytes is an empty pcap file (global header only)
> if [ $(ls -l /var/log/pflog | cut -d " " -f 8) -gt 24 ]; then
>    mv /var/log/pflog $FILE
>    # make pflogd reopen a fresh /var/log/pflog
>    kill -HUP $(cat /var/run/pflogd.pid)
>    tcpdump -n -e -ttt -r $FILE | logger -p local0.info
>    rm $FILE
> fi

I've adjusted the FAQ page with the new script, thanks!

steven




Re: pf logging: tcpdump: need root privileges

2006-05-28 Thread Martin Schröder

2006/5/28, Martin Schröder [EMAIL PROTECTED]:

> FAQ), this doesn't work anymore (and I don't get any error mails nor


All right, I get the mails. But that doesn't help. :-(

Best
  Martin



Re: pf logging: tcpdump: need root privileges

2006-05-28 Thread Henning Brauer
* Martin Schröder [EMAIL PROTECTED] [2006-05-28 20:12]:
> Hi,
> after upgrading from 3.8 to 3.9, logging pf via pfl2sysl (as per the
> FAQ), this doesn't work anymore (and I don't get any error mails nor
> can I find anything in the logs).
> 
> When I run pfl2sysl manually via
>   sudo -u pflogger /bin/sh /home/pflogger/pfl2sysl.sh
> I get the message
>   tcpdump: need root privileges
> 
> What's wrong here? Bug in the FAQ?

you have to start tcpdump as root so it can run privilege separated and 
you don't have the scary decoders running with any real user's privs.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: pf logging: tcpdump: need root privileges

2006-05-28 Thread Martin Schröder

2006/5/28, Henning Brauer [EMAIL PROTECTED]:

> > What's wrong here? Bug in the FAQ?
>
> you have to start tcpdump as root so it can run privilege separated and
> you don't have the scary decoders running with any real user's privs.


So it's a bug in the FAQ (faq/pf/logging.html), as that solution
doesn't work anymore.

Sigh.

Best
   Martin



Re: pf logging: tcpdump: need root privileges

2006-05-28 Thread Chris Kuethe

Tcpdump must now be run as root.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=114279291827416&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=107980397806077&w=2
http://undeadly.org/cgi?action=article&sid=20040220120426

Found by searching for tcpdump root in the marc archives... ;)

On 5/28/06, Martin Schröder [EMAIL PROTECTED] wrote:

> Hi,
> after upgrading from 3.8 to 3.9, logging pf via pfl2sysl (as per the
> FAQ), this doesn't work anymore (and I don't get any error mails nor
> can I find anything in the logs).
>
> When I run pfl2sysl manually via
>    sudo -u pflogger /bin/sh /home/pflogger/pfl2sysl.sh
> I get the message
>    tcpdump: need root privileges
>
> What's wrong here? Bug in the FAQ?
>
> TIA
>    Martin





--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: pf logging: tcpdump: need root privileges

2006-05-28 Thread Daniel Polak

Martin,

The solution in the FAQ was ok for 3.8 but things changed in 3.9.

For now if you run the script underneath from root's crontab every 5 
minutes you'll most likely be ok.
There should be a check in the script to see if it is already running to 
prevent another instance starting when the old one hasn't finished yet. 
The check in the script in the FAQ was actually not working anyway so if 
the script in the FAQ wasn't causing any problems this one will be ok too.
With this script there is just one script and no need for the user 
pflogger anymore as everything is done as root. This allows tcpdump to 
privsep which makes things safer.


/etc/pflogrotate:

#!/bin/sh
# rotate pflog file and feed to syslog
FILE=/var/log/pflog5min.$(date +%Y%m%d%H%M)
# ask pflogd to flush its buffered packets to /var/log/pflog
kill -ALRM $(cat /var/run/pflogd.pid)
# field 8 (split on single spaces) of OpenBSD's ls -l line is the size;
# 24 bytes is an empty pcap file (global header only)
if [ $(ls -l /var/log/pflog | cut -d " " -f 8) -gt 24 ]; then
   mv /var/log/pflog $FILE
   # make pflogd reopen a fresh /var/log/pflog
   kill -HUP $(cat /var/run/pflogd.pid)
   tcpdump -n -e -ttt -r $FILE | logger -p local0.info
   rm $FILE
fi

Hope this helps!

Daniel
Original message from Martin Schröder at 28-5-2006 20:45

> 2006/5/28, Henning Brauer [EMAIL PROTECTED]:
>
> > > What's wrong here? Bug in the FAQ?
> >
> > you have to start tcpdump as root so it can run privilege separated and
> > you don't have the scary decoders running with any real user's privs.
>
>
> So it's a bug in the FAQ (faq/pf/logging.html), as that solution
> doesn't work anymore.
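Daniel's script above (also quoted in Steven's reply at the top of the thread) points out that it lacks a check against a second cron instance starting while the previous rotation is still busy. The following is an added example, not the script from the thread or the OpenBSD FAQ: it keeps the same rotation steps (ALRM to flush, size test, mv, HUP, tcpdump piped into logger) but guards them with an mkdir(2)-based lock and measures the file with a byte count instead of splitting ls -l output. The lock directory /var/run/pflogrotate.lock, the function names, and the environment overrides for the paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not the thread's script): pflog rotation with an instance lock.
# Paths are overridable from the environment so the functions can be exercised
# offline; the defaults follow the thread's script.
PFLOG=${PFLOG:-/var/log/pflog}
PIDFILE=${PIDFILE:-/var/run/pflogd.pid}
LOCKDIR=${LOCKDIR:-/var/run/pflogrotate.lock}   # assumed lock location
PCAP_HDR=24   # a pcap file with no packets is exactly the 24-byte global header

# acquire_lock: mkdir(2) either creates the directory or fails, atomically, so
# two instances started by cron cannot both succeed. Returns 1 when another
# rotation still holds the lock.
acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        trap 'rmdir "$LOCKDIR" 2>/dev/null' EXIT INT TERM
        return 0
    fi
    return 1
}

release_lock() {
    rmdir "$LOCKDIR" 2>/dev/null
    trap - EXIT INT TERM
}

# file_size: byte count of a file. wc -c is portable across OpenBSD and GNU;
# tr strips the padding BSD wc prints in front of the number.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# has_packets: true when the file holds more than the pcap header, i.e. pflogd
# wrote at least one packet since the last rotation.
has_packets() {
    [ "$(file_size "$1")" -gt "$PCAP_HDR" ]
}

# rotate: the same steps as the thread's script. Runs as root so that tcpdump
# can hand the decoders to its privilege-separated child.
rotate() {
    file="${PFLOG}5min.$(date +%Y%m%d%H%M)"
    kill -ALRM "$(cat "$PIDFILE")"        # flush pflogd's buffer to $PFLOG
    if has_packets "$PFLOG"; then
        mv "$PFLOG" "$file"
        kill -HUP "$(cat "$PIDFILE")"     # pflogd reopens a fresh $PFLOG
        tcpdump -n -e -ttt -r "$file" | logger -p local0.info
        rm "$file"
    fi
}

main() {
    if ! acquire_lock; then
        logger -p local0.notice "pflogrotate: previous run still active, skipping"
        return 0
    fi
    rotate
    release_lock
}

# Run only when invoked as the rotation script, so the file can also be
# sourced to exercise the individual functions.
case "$0" in *pflogrotate) main ;; esac
```

Installed as /etc/pflogrotate and run from root's crontab every five minutes as Daniel suggests, an overlapping run now logs a notice and exits instead of racing the earlier one over /var/log/pflog. The one caveat of a directory lock is that it is not released if the holder dies from SIGKILL or a panic; the EXIT trap covers normal exits and INT/TERM, but a stale /var/run/pflogrotate.lock after a crash has to be removed by hand.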