[1028] in linux-security and linux-alert archive


System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)

daemon@ATHENA.MIT.EDU (Louis Mandelstam)
Tue Aug 20 08:23:07 1996

Date: Tue, 20 Aug 1996 10:21:42 +0200 (SAT)
From: Louis Mandelstam <louis@sacc.org.za>
To: "Paul D. Robertson" <proberts@clark.net>
cc: Jonathan Larmour <JLarmour@origin-at.co.uk>,
        Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960819201612.21781B-100000@clark.net>

On Mon, 19 Aug 1996, Paul D. Robertson wrote:

> [REW: The daemon problem consists at least of being able to fill someone's
> hard disk by sending it stuff to be logged. Some systems choke when their
> root partition fills....(Denial of service)]

What do people do to get around this, as well as the ability of an
attacker who has gained root to modify the written log?

Problems with illegal root modifying the log can be solved by somehow
making the log append-only (line printer, modified tape streamer driver,
remote syslog host without telnetd etc, etc) but those can be even more
susceptible to nonsense flooding.

Disk-based logs could conceivably be rotated (or entries removed from the
top when the log exceeds x length) but this allows the attacker to flood
harmful evidence out of the log.

[REW: 1) You disable external access to your syslog port. 2) Linux 
already has an "append-only" file mode, so you don't need to revert
to the old "line printer log".]

-------------------------------------------------------------------------
L.Mandelstam - System Administrator                     louis@sacc.org.za
S A Council of Churches, PO Box 4921,  Johannesburg,  2000,  South Africa
tel:+27-11-492-1380 x145   fax:+27-11-492-1448    mobile: +27-83-229-0712
-------------------------------------------------------------------------
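The flooding concern raised above (one host filling the disk, or pushing earlier entries out of a rotated log) can be reduced on the receiving side with a per-source token bucket. The following is an added illustration, not code from this thread or from any syslog implementation; the `SourceLimiter` and `filter_syslog` names, the hosts "flooder" and "fileserver", and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Per-source token bucket placed in front of a syslog sink: a single flooding
# host is capped at `burst` lines plus `rate` lines/s, while other hosts keep
# their own budget. Sample format and lines are constructed for this example.

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


class SourceLimiter:
    """Token bucket keyed by originating host: `rate` tokens/s, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}                 # host -> (tokens, last_seen)
        self.dropped = defaultdict(int)   # host -> lines refused

    def allow(self, host, now):
        tokens, last = self.buckets.get(host, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[host] = (tokens - 1.0, now)
            return True
        self.buckets[host] = (tokens, now)
        self.dropped[host] += 1
        return False


def filter_syslog(arrivals, rate=2.0, burst=5):
    """arrivals: list of (arrival_time_seconds, raw_line) in arrival order.
    Returns (kept_lines, {host: dropped_count}). Drops are summarised into the
    log instead of vanishing, so the flood itself leaves evidence."""
    limiter = SourceLimiter(rate, burst)
    kept = []
    for now, raw in arrivals:
        m = SYSLOG_RE.match(raw)
        host = m.group("host") if m else "<unparsed>"
        if limiter.allow(host, now):
            kept.append(raw)
    for host, n in limiter.dropped.items():
        kept.append(f"<13>Aug 20 10:21:42 loghost ratelimit: dropped {n} lines from {host}")
    return kept, dict(limiter.dropped)


# Constructed sample: 50 junk lines from "flooder" within half a second,
# interleaved with three ordinary lines from "fileserver".
SAMPLE = sorted(
    [(i * 0.01, f"<13>Aug 20 10:21:42 flooder junk: {i}") for i in range(50)]
    + [(t, "<38>Aug 20 10:21:42 fileserver login: session opened") for t in (0.1, 0.2, 0.3)],
    key=lambda x: x[0],
)
```

With the defaults, the flooder gets its burst of 5 lines and the remaining 45 are counted and reported in a single summary line, while the fileserver's three lines pass untouched.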
