[1569] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Re: Re: signing syslog files with PGP

daemon@ATHENA.MIT.EDU (Alan Cox)
Tue Jun 3 07:42:49 1997

From: Alan Cox <alan@cymru.net>
To: linux-security@redhat.com
Date: Mon, 2 Jun 1997 09:52:09 +0100 (BST)
In-Reply-To: <Pine.LNX.3.95.970530135527.11169A-100000@missing.link.ca> from "Terrence Martin" at May 30, 97 02:04:19 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

> remote, central, possibly dedicated log server.  This redirection would be
> done my the syslog daemon itself and would allow you to compare one syslog
> to the other. Perhaps making note of such things as whether or not the
> file sizes are the same, or maybe whether all of the lines match from one
> log to another.

That isnt the whole answer. Someone breaking the machine can feed the log
server. In one well known UK incident someone got away with stuff because
they re added the entire last days log entries after they left a log entry
and the operators just checked the last few hundred lines and didnt notice
as a result.

> If my memory serves me correctly, one of the group members mentioned that
> Bell Labs suggested this mechanism for protecting log files and it was
> critical in nabbing one particularly notorious hacker.

The cuckoos egg details logging direct off the serial line in question with
a terminal. People in securish establishment also log to printers directly
for obvious reasons


home help back first fref pref prev next nref lref last post