[1035] in linux-security and linux-alert archive


Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)

daemon@ATHENA.MIT.EDU (Brian Mitchell)
Wed Aug 21 06:26:08 1996

Date: Tue, 20 Aug 1996 20:33:44 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: Louis Mandelstam <louis@sacc.org.za>
cc: "Paul D. Robertson" <proberts@clark.net>,
        Jonathan Larmour <JLarmour@origin-at.co.uk>,
        Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.94.960820101537.280h-100000@lh1.sacc.org.za>

On Tue, 20 Aug 1996, Louis Mandelstam wrote:

> Problems with illegal root modifying the log can be solved by somehow
> making the log append-only (line printer, modified tape streamer driver,
> remote syslog host without telnetd etc, etc) but those can be even more
> susceptible to nonsense flooding.
> 
> Disk-based logs could conceivably be rotated (or entries removed from the
> top when the log exceeds x length) but this allows the attacker to flood
> harmful evidence out of the log.
> 
> [REW: 1) You disable external access to your syslog port. 2) Linux 
> already has an "append-only" file mode, so you don't need to revert
> to the old "line printer log".]

The 'append mode' is pretty useless, since the root user can just undo 
the flag, modify the files, then set the flag again. The same is (was, I 
believe - kernel 2.x seems to have fixed this) true of the immutable flag.

[REW: I thought that we had something like "securelevel" too, which
would, given the right value, disable the clearing of those flags.
One of the primary uses of the immutable and append-only flags is for
the logfile case that we're looking at right now. I wouldn't consider
it ready for inclusion in the standard kernel if it didn't make
an attempt at being secure against a root-user. I can't find anything
about this in my /usr/src/linux tree. Maybe it's just an optional patch
that someone has lying around?]


Brian Mitchell 				                brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
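[Added example, not part of Brian's message or of anything posted to the list: the question the thread leaves open is whether root in a given context can clear the append-only flag at all. On current kernels the check that chattr +a / -a goes through is the CAP_LINUX_IMMUTABLE capability (number 9 in linux/capability.h), which root holds by default; if it has been dropped from a process's capability bounding set, root running in that context can no longer remove +a or +i, which is the "securelevel" behaviour the moderator note asks about. The script below is an audit helper written for this page: it parses lsattr(1) output to find log files without the 'a' attribute, and reads the CapBnd mask from /proc/<pid>/status text to report whether the attribute could be cleared from there. The lsattr lines and status text it runs on are constructed samples, and the log paths are assumptions.]

```python
"""Audit helpers for the append-only log protection discussed in the thread.

Added example (not part of the mailing-list message). Two checks:
  1. which log files lack the append-only ('a') attribute, from lsattr output;
  2. whether CAP_LINUX_IMMUTABLE is still in the capability bounding set,
     i.e. whether a root process in this context could chattr -a / -i the logs.
"""

CAP_LINUX_IMMUTABLE = 9  # capability index from linux/capability.h


def parse_lsattr(output: str) -> dict:
    """Map each path in lsattr output to the set of attribute letters it has.

    lsattr prints a fixed-width attribute column ('-' for unset) followed by
    one space and the path; the path itself may contain spaces.
    """
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):
            continue  # blank line, or an error line for a missing file
        flags, _, path = line.partition(" ")
        attrs[path] = {ch for ch in flags if ch != "-"}
    return attrs


def logs_missing_append_only(attrs: dict, logs) -> list:
    """Return the listed log files that do not carry the append-only flag."""
    return [p for p in logs if "a" not in attrs.get(p, set())]


def capbnd_mask(status_text: str) -> int:
    """Extract the CapBnd bounding-set bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line found")


def can_clear_attributes(status_text: str) -> bool:
    """True if CAP_LINUX_IMMUTABLE is in the bounding set, so root in this
    context could still remove the append-only and immutable flags."""
    return bool((capbnd_mask(status_text) >> CAP_LINUX_IMMUTABLE) & 1)


def audit(lsattr_output: str, status_text: str, logs) -> dict:
    """Combine both checks into one report."""
    attrs = parse_lsattr(lsattr_output)
    return {
        "missing_append_only": logs_missing_append_only(attrs, logs),
        "immutable_cap_available": can_clear_attributes(status_text),
    }


# Constructed sample data (not captured from a real host); the paths are
# assumptions for illustration.
SAMPLE_LSATTR = """\
-----a--------e------- /var/log/auth.log
--------------e------- /var/log/messages
----ia--------e------- /var/log/wtmp
lsattr: No such file or directory while trying to stat /var/log/missing
"""

# Full default bounding set, and the same with bit 9 (CAP_LINUX_IMMUTABLE) cleared.
SAMPLE_STATUS_FULL_ROOT = "Name:\tsyslogd\nCapBnd:\t000001ffffffffff\n"
SAMPLE_STATUS_NO_IMMUTABLE = "Name:\tsyslogd\nCapBnd:\t000001fffffffdff\n"

SAMPLE_LOGS = ["/var/log/auth.log", "/var/log/messages", "/var/log/wtmp"]

if __name__ == "__main__":
    for label, status in (("default root", SAMPLE_STATUS_FULL_ROOT),
                          ("CAP_LINUX_IMMUTABLE dropped", SAMPLE_STATUS_NO_IMMUTABLE)):
        print(label, audit(SAMPLE_LSATTR, status, SAMPLE_LOGS))
```

On a live system the same functions take the output of `lsattr /var/log/*` and the contents of /proc/self/status; a report with an empty "missing_append_only" list and "immutable_cap_available" False is the state the thread is after, where the append-only flag actually binds root rather than being something root can toggle off and on.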
