[1033] in linux-security and linux-alert archive
Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)
daemon@ATHENA.MIT.EDU (David R Schwanke)
Wed Aug 21 02:49:53 1996
Date: Tue, 20 Aug 1996 08:54:46 -0400 (EDT)
From: David R Schwanke <dscw+@andrew.cmu.edu>
To: linux-security@tarsier.cv.nrao.edu
Cc: Jonathan Larmour <JLarmour@origin-at.co.uk>,
Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.94.960820101537.280h-100000@lh1.sacc.org.za>
Excerpts from internet.computing.linux-security: 20-Aug-96 System log practicalities (.. by Louis Mandelstam@sacc.or
> Problems with illegal root modifying the log can be solved by somehow
> making the log append-only (line printer, modified tape streamer driver,
> remote syslog host without telnetd etc, etc) but those can be even more
> susceptible to nonsense flooding.
A favorite of mine is to set up a standalone machine as a listen-only
connection via serial cable. The log is cat-ed to the correct tty. Then
the standalone machine cats it (via standard (in my old case, DOS)
terminal software) to a file.
They would have to first know it's there, and then disable it. (Which
would be the case for any log system since it's somehow ON the machine.)
They couldn't flood it out of the log since the log was appended. The only
thing they could do would be to try to flood the log BEFORE they did
anything that might disclose their location, but for one thing it takes
a hell of a long time to create a 120 meg text file via cat, and second,
you can usually tell who caused the problem and then they would still be
suspect.
[REW: In security and cryptography, always assume the bad guys know
everything. You'll only catch a few more bad guys because in reality
they don't.
Beware that a 9600 baud line could be flooded "temporarily". Get the
system to log 20kbytes of data. Now you have a few seconds to do the
bad stuff, and generate another 4k of data. At least the kernel log
would silently overflow the logs of the bad things. I assume that
someone with bad intentions can find a way to generate log messages
that don't contain his name.
Because of the added "ease-of-use" I personally would choose the
networked logger solution. A very securely configured (no network
services) Linux machine with just a syslogd. If a client would pay me
enough, I'd write something fancy that would detect and deter flood
attempts better than the standard syslogd.]
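The moderator's flooding scenario, worked through as an added example (my own code, not anything posted by David, REW or the list): a 9600 baud line moves about 960 bytes a second at 8N1, so 20 KB keeps it busy for roughly twenty seconds; if the unread lines sit in a bounded buffer that overwrites its oldest contents, the attacker only needs to push one buffer's worth of noise after the incriminating line to lose it before the serial link ever carries it. All of the numbers (9600 baud, a 4096-byte buffer, overwrite-oldest behaviour, ten line bits per byte) and every log line below are assumptions or constructed samples, not measurements of any real system. The last function is the cheap check a "smarter syslogd" of the kind REW mentions could raise: more bytes arriving in a window than the line can carry in that window.

```python
"""Serial-cable log flooding, modelled (added example, not code from the thread).

Assumptions, all mine: 8N1 framing (10 line bits per byte), a bounded log
buffer that overwrites its oldest unread lines when full, a 9600 baud line,
a 4096-byte buffer, and the sample log lines constructed in build_scenario().
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class LogEvent:
    t: float   # seconds since the attacker started
    text: str  # one log line; it costs len(text) + 1 bytes on the wire


def serial_seconds(n_bytes, baud, bits_per_byte=10):
    """Time to push n_bytes over an async serial line (8N1: start + 8 data + stop)."""
    return n_bytes * bits_per_byte / baud


def simulate_serial_log(events, baud, buffer_bytes, bits_per_byte=10):
    """Drain a bounded, overwrite-oldest log buffer over a serial line.

    Returns (delivered, overwritten): delivered is a list of (text, time the
    last byte left the line); overwritten lists lines pushed out of the buffer
    before the line got to them. A partly sent head line that is evicted counts
    as lost, which is a simplification of a real ring buffer.
    """
    rate = baud / bits_per_byte          # bytes per second
    pending = deque()                    # [text, bytes still to send]
    delivered, overwritten = [], []
    now = 0.0

    def drain(until):
        nonlocal now
        budget = (until - now) * rate    # bytes the line can move in that gap
        cursor = now
        while pending and budget >= pending[0][1]:
            text, left = pending.popleft()
            budget -= left
            cursor += left / rate
            delivered.append((text, cursor))
        if pending:
            pending[0][1] -= budget      # head line is part of the way out
        now = until

    for ev in sorted(events, key=lambda e: e.t):
        drain(ev.t)
        pending.append([ev.text, len(ev.text) + 1])
        while sum(left for _, left in pending) > buffer_bytes:
            overwritten.append(pending.popleft()[0])   # oldest unread line lost
    # once the flood stops, whatever is still queued goes out (one second of slack)
    drain(now + sum(left for _, left in pending) / rate + 1.0)
    return delivered, overwritten


def flood_alerts(events, baud, window=1.0, bits_per_byte=10):
    """Arrival times at which more bytes showed up within `window` seconds
    than the line can carry in that time: the check a smarter logger could raise."""
    capacity = baud / bits_per_byte * window
    evs = sorted(events, key=lambda e: e.t)
    alerts, start, total = [], 0, 0
    for ev in evs:
        total += len(ev.text) + 1
        while evs[start].t < ev.t - window:      # slide the window forward
            total -= len(evs[start].text) + 1
            start += 1
        if total > capacity:
            alerts.append(ev.t)
    return alerts


def build_scenario():
    """Constructed events: ~20 KB of noise, the real break-in line, ~5 KB more
    noise to push it out of the buffer, then ordinary traffic after the flood."""
    def noise(i, t):
        return LogEvent(t, ("kernel: flood %03d " % i).ljust(99, "x"))  # 100 bytes on the wire
    bad = LogEvent(0.5, "login[311]: FAILED LOGIN 3 FROM 192.0.2.7 FOR root, Authentication failure")
    normal = LogEvent(10.0, "cron[412]: (root) CMD (run-parts /etc/cron.hourly)")
    events = [noise(i, 0.0) for i in range(200)]       # line saturated for ~20 s
    events.append(bad)
    events += [noise(200 + i, 0.6) for i in range(50)]  # more than one buffer's worth
    events.append(normal)
    return events, bad.text, normal.text


BAUD, BUFFER = 9600, 4096                # assumed line speed and buffer size

if __name__ == "__main__":
    events, bad, normal = build_scenario()
    delivered, overwritten = simulate_serial_log(events, BAUD, BUFFER)
    got = {text for text, _ in delivered}
    print("20 KB takes %.1f s at %d baud" % (serial_seconds(20 * 1024, BAUD), BAUD))
    print("break-in line reached the logger:", bad in got)
    print("later cron line reached the logger:", normal in got)
    print("first flood alert at t=%.1f s" % flood_alerts(events, BAUD)[0])
```

The point the run makes is the one REW raises: the FAILED LOGIN line is accepted into the buffer but overwritten before the line carries it, while the cron line ten seconds later arrives intact, so the logger's file looks healthy and the append-only property is no help. The byte-rate check fires from the first burst, which is what a remote logger would key an alert on rather than trying to keep up.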