[1040] in linux-security and linux-alert archive


Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)

daemon@ATHENA.MIT.EDU (Louis Mandelstam)
Wed Aug 21 06:32:09 1996

Date: Tue, 20 Aug 1996 16:34:40 +0200 (SAT)
From: Louis Mandelstam <louis@sacc.org.za>
To: "Paul D. Robertson" <proberts@clark.net>
cc: Jonathan Larmour <JLarmour@origin-at.co.uk>,
        Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960820100708.16048A-100000@explorer2>

On Tue, 20 Aug 1996, Paul D. Robertson wrote:

> Generally, you syslog to a log partition, not to the root partition,
> I've typically used /log or /syslog as a mount point, and logged directly 

Yes, certainly.

> to files in that partition.  Normally a crontab entry mv's the log file,
> gzips it, touches a new one, and sighups syslogd.  Since I tend to log
> production machines at *.debug, this step becomes necessary pretty
> quickly.  On AIX machines, I tend to use a compressed filesystem (I admit
> to never having searched for one on Linux) to remove the having to gzip
> step (though LZH is less efficient).

But this still doesn't exactly address the possibility of an attacker
flooding the log with bogus entries.  Yes, if the log management scripts
are implemented correctly, the system would cope - either stop logging
when we run out of space, or start deleting older log entries.

Problem with the first (cease logging) is that the "interesting" bits may
occur after the attacker grinds the log to a halt, and with the second,
that the attacker can push evidence out the other side of the queue.

The only solid solution I can think of would be for the logging daemon to
intelligently interpret entries and somehow evaluate which entries need to
be ignored.   Dunno how one would do this.

I don't know - apart from remote connections (which we can limit to some
extent) what practical ways would there be for an attacker to really flood
syslog?

[REW: Trivial. Find anything that gets logged and repeat that.]

-------------------------------------------------------------------------
L.Mandelstam - System Administrator                     louis@sacc.org.za
S A Council of Churches, PO Box 4921,  Johannesburg,  2000,  South Africa
tel:+27-11-492-1380 x145   fax:+27-11-492-1448    mobile: +27-83-229-0712
-------------------------------------------------------------------------
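An added example, not from this thread or any of its participants, of the "intelligently interpret entries" idea raised above: normalise each syslog line into a template, flag templates that burst past a threshold inside a sliding window, and keep only the first few instances of each burst so that repeated entries cannot push unrelated ones out of the log or fill the partition. The log lines are constructed, and the BSD timestamp format and the year 1996 are assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Classic BSD syslog format: "Mon DD HH:MM:SS host message" (no year in the line).
LINE_RE = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$')

# Constructed sample: one login(1) flood from a single source, a genuine su(1) entry
# in the middle, and one late failure well outside the burst window.
SAMPLE_LOG = """\
Aug 20 16:01:02 host login[201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:01:02 host login[202]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:01:03 host login[203]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:01:03 host su[210]: (to root) bob on /dev/ttyp1
Aug 20 16:01:04 host login[204]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:01:04 host login[205]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:01:05 host login[206]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Aug 20 16:03:30 host login[207]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
"""

def normalize(msg):
    """Collapse variable fields (PIDs, counters, addresses) so repeats share one template."""
    return re.sub(r'\d+', '#', msg)

def parse(line, year=1996):
    """Return (timestamp, host, message) or None for a line that is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def triage(lines, window=60, keep=3):
    """Keep at most `keep` lines per template per `window` seconds; count the rest.
    Returns (kept_lines, {template: suppressed_count}). Unparseable lines are kept."""
    recent, kept, suppressed = {}, [], {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            kept.append(line)
            continue
        ts, _host, msg = parsed
        tpl = normalize(msg)
        q = recent.setdefault(tpl, deque())
        while q and (ts - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        q.append(ts)
        if len(q) <= keep:
            kept.append(line)
        else:
            suppressed[tpl] = suppressed.get(tpl, 0) + 1
    return kept, suppressed

def find_floods(lines, window=60, threshold=5):
    """Return {template: peak count} for templates seen more than `threshold` times in a window."""
    recent, peaks = {}, {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        tpl = normalize(msg)
        q = recent.setdefault(tpl, deque())
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        q.append(ts)
        if len(q) > threshold:
            peaks[tpl] = max(peaks.get(tpl, 0), len(q))
    return peaks
```

The suppressed counts are themselves evidence of the flood and should be written out as a summary entry rather than discarded.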
