$Id: LOGGING,v 1.4 2001/10/02 11:05:21 charles Exp $

This document covers Pancho's ability to log entries for the 
application's use. Although configuration of logging is very
simple, doing so in a secure manner demanded a discussion that
would be too verbose for the already too extensive --verbose-help
flag.

With the current revision of pancho (as of this writing 1.5)
two new fields can be found near the top of the script's actual
contents:

my $logging = "0";      # set this to "1" to enable logging

my $logfile = "";       # full path to your logfile

Each should be very straightforward to configure, and together
they enable Pancho to log an entry each time the script is
executed against a node or nodes. But to log actions effectively
and securely, thought should be given to the file permissions of
not only pancho, but also the files to which it is logging.

Several ideas have been kicked around on the proper way to
log securely, and although more than one method proved to be
successful, the one detailed in this document is what we accept
as our 'best practice'. Any critique is welcome, and by all means
if a hole is found in either the script or this procedure, I
wholeheartedly ask the discoverer to drop me an email pronto.

Our logging goals that we based our procedure on were as follows:

  - allow a user to execute pancho and have a detailed record
    of the event written to an external file.

  - the external file may be world readable, but not writable
    by any non-privileged user, in order to prevent anyone from
    attempting to cover their tracks.

With this in mind, I recommend that the Pancho script have the
setuid bit turned on for the file. This would be done by issuing:

  chmod 4711 pancho

Whether pancho should be setuid to root or a dedicated non-
privileged user (possibly named pancho?) is at the discretion of
the sysadmin. The corresponding log file should be touched and
given permissions of at least 600 and up to 644.

This will allow the script to be run by any user; however,
the logging will be done as the setuid user and therefore other
users will not have write access to the log file.

So, to log to a file called /var/log/pancho, with root as the owner,
the following steps would be taken:

  - edit pancho to reflect logging:

    my $logging = "1";      # set this to "1" to enable logging

    my $logfile = "/var/log/pancho";       # full path to your logfile
 
  - change the file's permissions and ownership:

    % chown root pancho
    % chmod 4711 pancho

  - touch the log file and give it the appropriate permissions:

    % touch /var/log/pancho
    % chmod 600 /var/log/pancho
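
The check below is an added example, not part of pancho or of the
original text of this document: it audits the script and the log
file against the permissions described above. The function names
are hypothetical, and both paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the setup described in this document.
# Function names are hypothetical; nothing here ships with pancho.

# Owner name of a file: field 3 of POSIX `ls -ld` output.
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# True if file $1 has every bit of octal mode $2 set.
has_bits() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# True if file $1 is writable by group or by other.
loose_write() { has_bits "$1" 020 || has_bits "$1" 002; }

# Print one finding and count it.
flag() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# audit_pancho SCRIPT LOGFILE: return status is the number of problems.
audit_pancho() {
    script=$1; logfile=$2; problems=0
    if [ ! -f "$script" ]; then
        flag "$script is not a regular file"
    else
        if ! has_bits "$script" 4000; then flag "$script lacks the setuid bit"; fi
        if loose_write "$script"; then flag "$script is group/other writable"; fi
    fi
    if [ -L "$logfile" ] || [ ! -f "$logfile" ]; then
        flag "$logfile is missing or is not a plain file"
    else
        # 600 through 644: owner-writable, never group/other-writable.
        if ! has_bits "$logfile" 200; then flag "$logfile is not owner-writable"; fi
        if loose_write "$logfile"; then flag "$logfile is group/other writable"; fi
        # Logging runs as the script's owner, so that user must own the log.
        if [ -f "$script" ] && [ "$(owner_of "$script")" != "$(owner_of "$logfile")" ]; then
            flag "$logfile is not owned by the owner of $script"
        fi
    fi
    return "$problems"
}

# Run the audit when called as: sh audit.sh /path/to/pancho /var/log/pancho
if [ "$#" -eq 2 ]; then audit_pancho "$1" "$2"; fi
```

This verifies mode bits and ownership only; some kernels, Linux
among them, ignore the setuid bit on interpreted scripts, so also
confirm that a run by an unprivileged user actually appends to
the log.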

Note: The FreeBSD port compiled with -DWITH_PANCHO_LOGGING enables
logging into ~/pancho.log so the setuid bit isn't set.

