[1028] in linux-security and linux-alert archive
System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)
daemon@ATHENA.MIT.EDU (Louis Mandelstam)
Tue Aug 20 08:23:07 1996
Date: Tue, 20 Aug 1996 10:21:42 +0200 (SAT)
From: Louis Mandelstam <louis@sacc.org.za>
To: "Paul D. Robertson" <proberts@clark.net>
cc: Jonathan Larmour <JLarmour@origin-at.co.uk>,
Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960819201612.21781B-100000@clark.net>
On Mon, 19 Aug 1996, Paul D. Robertson wrote:
> [REW: The daemon problem consists at least of being able to fill someone's
> hard disk by sending it stuff to be logged. Some systems choke when their
> root partition fills....(Denial of service)]
What do people do to get around this, as well as the ability of an
attacker who has gained root to modify the written log?
Problems with illegal root modifying the log can be solved by somehow
making the log append-only (line printer, modified tape streamer driver,
remote syslog host without telnetd etc, etc) but those can be even more
susceptible to nonsense flooding.
Disk-based logs could conceivably be rotated (or entries removed from the
top when the log exceeds x length) but this allows the attacker to flood
harmful evidence out of the log.
[REW: 1) You disable external access to your syslog port. 2) Linux
already has an "append-only" file mode, so you don't need to revert
to the old "line printer log".]
-------------------------------------------------------------------------
L.Mandelstam - System Administrator louis@sacc.org.za
S A Council of Churches, PO Box 4921, Johannesburg, 2000, South Africa
tel:+27-11-492-1380 x145 fax:+27-11-492-1448 mobile: +27-83-229-0712
-------------------------------------------------------------------------
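The flooding problem raised in this exchange (an attacker sending junk to be logged until the disk, or an append-only log, fills up, or until real evidence is pushed out of a rotated log) is usually handled today by rate limiting per source in front of the log sink, so that a single flooding host can only add a bounded number of lines while other hosts' messages still get through, and the fact that a flood was suppressed is itself recorded. The following is an added example written for this archive page, not code from the thread's participants or from any syslog implementation; the token-bucket parameters, the IP addresses and the log lines are constructed for illustration, and the receiver is simplified to a list standing in for the append-only file.

```python
"""Per-source rate limiting for a log receiver, as a defence against
log-flooding denial of service. Added example, not from the original thread."""
import shutil
import time
from collections import defaultdict


class SourceRateLimiter:
    """Token bucket per logging source.

    Each source may write `rate` lines per second sustained, with bursts of
    up to `burst` lines. Lines beyond that are counted rather than written,
    so the log grows at a bounded rate no matter how fast one host floods.
    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, rate=10.0, burst=50, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.tokens = {}                 # source -> tokens currently available
        self.last = {}                   # source -> time of last refill
        self.dropped = defaultdict(int)  # source -> lines suppressed since last summary

    def allow(self, source):
        """Return True if a line from `source` may be written now."""
        now = self.clock()
        tokens = self.tokens.get(source, self.burst)
        last = self.last.get(source, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self.last[source] = now
        if tokens >= 1.0:
            self.tokens[source] = tokens - 1.0
            return True
        self.tokens[source] = tokens
        self.dropped[source] += 1
        return False

    def summaries(self):
        """One summary line per source that had lines suppressed; resets counters.

        Writing the summary instead of the flood keeps the evidence that a
        flood happened without letting the flood itself consume the disk.
        """
        out = [f"ratelimit: suppressed {n} messages from {src}"
               for src, n in sorted(self.dropped.items())]
        self.dropped.clear()
        return out


def has_headroom(path, min_free_bytes):
    """Guard for the writer: refuse to append once free space drops below a floor,
    so a full root partition never results from logging alone."""
    return shutil.disk_usage(path).free >= min_free_bytes


def ingest(records, limiter, sink):
    """Feed (source, message) pairs through the limiter.

    Accepted lines are appended to `sink` (a list standing in for the
    append-only log file). Returns the number of lines accepted, not counting
    the summary lines added at the end.
    """
    accepted = 0
    for source, message in records:
        if limiter.allow(source):
            sink.append(f"{source}: {message}")
            accepted += 1
    sink.extend(limiter.summaries())
    return accepted


def demo():
    """Constructed traffic: one host floods 200 junk lines in a single instant,
    another host sends three genuine lines at the same time."""
    flood = [("10.0.0.5", f"junk line {i}") for i in range(200)]
    legit = [("10.0.0.9", m) for m in ("sshd: accepted login",
                                       "cron: job ran",
                                       "sshd: session closed")]
    # Fixed clock: everything arrives at t=0, so no tokens are refilled.
    limiter = SourceRateLimiter(rate=10.0, burst=20, clock=lambda: 0.0)
    sink = []
    accepted = ingest(flood + legit, limiter, sink)
    return accepted, sink


if __name__ == "__main__":
    count, log = demo()
    print(f"{count} lines accepted, {len(log)} lines written")
    print(log[-1])
```

With the constructed traffic the flooding host gets exactly its burst of 20 lines written, the other host's three lines all survive, and the log ends with a single line recording that 180 messages from 10.0.0.5 were suppressed. This complements, rather than replaces, the two measures in the editor's note: firewalling the syslog port from outside still stops the flood at the network edge, and the append-only attribute still protects what was written from later tampering by a compromised root.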