Logrotate debian

groenboontje · July 18, 2024, 8:19am

when i set the permissions as documentated

sudo chown -R gvm:gvm /run/gvmd
sudo chmod -R g+srw /var/log/gvm

Logrotate fails

$ sudo logrotate -v /etc/logrotate.conf
...
rotating pattern: /var/log/gvm/gsad.log  weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/gvm/gsad.log
error: skipping "/var/log/gvm/gsad.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

rotating pattern: /var/log/gvm/gvmd.log  weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/gvm/gvmd.log
error: skipping "/var/log/gvm/gvmd.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Should adding su directives be part of the documentation?

Lukas · July 18, 2024, 8:35am

You need to tell Logrotate to use “gvm” for rotation, like your Mail-Log using the Mail-User etc …

/var/log/gvm/*.log {
        daily
        missingok
        rotate 28
        compress
        delaycompress
        notifempty
        create 640 gvm gvm
}

groenboontje · July 18, 2024, 8:41am

hi @Lukas

I know how i can fix this, but you missed the question:

Should adding su directives be part of the documentation?

because is not documented in Building from Source - Greenbone Community Documentation

rippledj · July 18, 2024, 8:42am

GVMD buidts with a -DLOGROTATE_DIR=/etc/logrotate.d directive / flag. Maybe this is different for Debian?

Lukas · July 18, 2024, 8:43am

That is standard Linux-Administration know how, Exim is not documenting that why should Greenbone do that ?

Anyway this is documented within Logrotate If i used that tool i should read that documentation.

rippledj · July 18, 2024, 9:01am

It looks like the build automatically creates a /etc/logrotate.d/gvmd and other component log files. However, they are not configured properly with su directive.

existing /etc/logrotate.d/gvmd:

/var/log/gvm/gvmd.log {
	compress
	missingok
	notifempty
	sharedscripts
	copytruncate
}

Outputs the same error as the OP suggests.

Adjusted:

/var/log/gvm/gvmd.log {
	compress
	missingok
	notifempty
	sharedscripts
	copytruncate
    su gvm gvm
    create 0640 gvm gvm
}

Then logrotate works:

$ sudo logrotate -v /etc/logrotate.d/gvmd
...
rotating pattern: /var/log/gvm/gvmd.log  1048576 bytes (no old logs will be kept)
empty log files are not rotated, old logs are removed
switching euid from 0 to 999 and egid from 0 to 999 (pid 1860)
considering log /var/log/gvm/gvmd.log
  Now: 2024-07-18 04:59
  Last rotated at 2024-07-18 04:00
  log does not need rotating (log size is below the 'size' threshold)

Perhaps the build should be adjusted to include these permission directives? You should also adjust the GSA. Doesn’t seem openvas has such as auto-directive. It may need one as well.

groenboontje · July 18, 2024, 9:11am

That is standard Linux-Administration know how

so is sudo chown -R gvm:gvm /var/log/gvm but somehow that IS documented.

I am just trying to fix the documentation for those who are less familiar with logrotate or “standard linux administation”. Installation/built docs should result is in working system imho. Exim has nothing to do with it, nowhere in the linked documentation is exim touched.

@rippledj thanx you. You nailed it. If the build could be adjusted that would even be way better than adding more instructions to the installation/built docs.

groenboontje · August 19, 2024, 9:13am

Perhaps the build should be adjusted

Any idea how i could initiate this?

rippledj · August 20, 2024, 1:28am

There is an open pull-request for this issue.