[1925] in linux-security and linux-alert archive


[linux-security] Logging (was Re: WARNING: Break-in attempts)

daemon@ATHENA.MIT.EDU (B. James Phillippe)
Mon Jun 22 04:06:13 1998

Date: Sun, 21 Jun 1998 23:27:48 -0700 (PDT)
From: "B. James Phillippe" <bryan@terran.org>
To: The Nolander <nolander@krixor.xy.org>
cc: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980621231411.29291A-100000@sangis.kalix.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Sun, 21 Jun 1998, The Nolander wrote:

> What I'm saying is, DON'T TRUST YOUR LOGS!.. And please make the police
> and every silly admin realize that. If something suspicious turns up in
> the logs, then don't freak out 'n think "HE DID IT!". What you *should* do

Yes and no.  Logs should always be taken with a grain of salt, yes.  In the
case of intelligent crackers, there will be false logs or no logs at all.
However, the majority of the time your logs serve as a vital source of
information to detect signs of an attempted break-in.  Most of the time,
they are your *only* source of information.  Yes, there are varying degrees
of log integrity; some logs are harder to screw over than others.  In the
case of the break-in attempt I reported, every log on my box had consistent
and accurate information that pointed to the same source.  Naturally, I
followed up on the log data by investigating the host that was apparently
generating them, and cross-indexing my logs with those of the administrator
of the remote site.  And, it panned out.  This crack attempt was from a
novice (as most are) who knew nothing about log falsification, or probably
even that he was being logged at all.  So yes, don't put your logs on a
pedestal.  But don't be ignorant of their existence, either.  Read them,
frequently.

-bp
--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
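The two things the message above relies on, that every log on the box plus the remote admin's log points at the same source, and that each log's timeline reads like an untouched syslog file, can be checked mechanically. The following is an added example, not code from the message or from any list member; the log lines are constructed for it (hostnames earth and gw.example.net, documentation-range addresses), and the year 1998 is assumed because syslog lines carry no year.

```python
"""Cross-index several logs for one break-in attempt.

Added example (not from the original message). It checks:
  1. that the dominant source address in every log agrees, including a
     log obtained from the remote site's administrator, and
  2. that each log's timeline has no backwards timestamps or long silent
     gaps of the kind left behind by crude hand-editing of a syslog file.
All log lines below are constructed sample data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 1998  # assumption: syslog lines have no year; taken from the thread date

# Constructed sample logs: three local files and the remote site's log.
LOGS = {
    "messages": """\
Jun 21 22:41:03 earth in.telnetd[2114]: refused connect from 192.0.2.77
Jun 21 22:41:09 earth in.ftpd[2116]: refused connect from 192.0.2.77
Jun 21 22:41:15 earth in.fingerd[2119]: refused connect from 192.0.2.77
""",
    "secure": """\
Jun 21 22:41:21 earth login[2123]: FAILED LOGIN 1 FROM 192.0.2.77 FOR root, Authentication failure
Jun 21 22:41:30 earth login[2123]: FAILED LOGIN 2 FROM 192.0.2.77 FOR root, Authentication failure
""",
    "remote-site": """\
Jun 21 22:40:58 gw.example.net kernel: OUT tcp 192.0.2.77:1041 -> 203.0.113.5:23
Jun 21 22:41:07 gw.example.net kernel: OUT tcp 192.0.2.77:1043 -> 203.0.113.5:21
""",
}

# Constructed copy of "messages" after someone rewrote the source address by
# hand and reordered two lines in the process.
TAMPERED = """\
Jun 21 22:41:03 earth in.telnetd[2114]: refused connect from 198.51.100.9
Jun 21 22:41:15 earth in.fingerd[2119]: refused connect from 198.51.100.9
Jun 21 22:41:09 earth in.ftpd[2116]: refused connect from 198.51.100.9
"""

ENTRY_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(text):
    """Return [(timestamp, first IPv4 in the message or None), ...]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a syslog-shaped line; ignore
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = IPV4_RE.search(m.group(2))
        entries.append((ts, ip.group(0) if ip else None))
    return entries


def dominant_source(entries):
    """Most frequent source address in a parsed log, or None."""
    counts = Counter(ip for _, ip in entries if ip)
    return counts.most_common(1)[0][0] if counts else None


def cross_index(logs):
    """Map each log name to its dominant source; agree is True only when
    every log names the same address (the situation described in the post)."""
    sources = {name: dominant_source(parse(text)) for name, text in logs.items()}
    agree = None not in sources.values() and len(set(sources.values())) == 1
    return sources, agree


def timeline_anomalies(entries, max_gap_seconds=1800):
    """Flag timestamps that go backwards and silent gaps longer than max_gap."""
    max_gap = timedelta(seconds=max_gap_seconds)
    problems = []
    for (prev_ts, _), (ts, _) in zip(entries, entries[1:]):
        if ts < prev_ts:
            problems.append(f"out of order: {prev_ts:%H:%M:%S} -> {ts:%H:%M:%S}")
        elif ts - prev_ts > max_gap:
            problems.append(f"gap of {ts - prev_ts} after {prev_ts:%H:%M:%S}")
    return problems


def review(logs):
    """Run both checks; returns (sources, agree, {log: anomalies})."""
    sources, agree = cross_index(logs)
    anomalies = {name: timeline_anomalies(parse(text)) for name, text in logs.items()}
    return sources, agree, anomalies


if __name__ == "__main__":
    for label, logset in (("clean", LOGS), ("with tampered file", {**LOGS, "tampered": TAMPERED})):
        sources, agree, anomalies = review(logset)
        print(f"{label}: sources={sources} agree={agree}")
        for name, probs in anomalies.items():
            for p in probs:
                print(f"  {name}: {p}")
```

The agreement check is only as good as the independence of the logs: two files written by the same syslogd on the same box can be edited together, which is why the remote site's log carries the most weight here. The timeline check catches sloppy editing, not a careful attacker who truncates or fabricates consistently, which is the point the thread makes about taking logs with a grain of salt.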

