[1925] in linux-security and linux-alert archive
[linux-security] Logging (was Re: WARNING: Break-in attempts)
daemon@ATHENA.MIT.EDU (B. James Phillippe)
Mon Jun 22 04:06:13 1998
Date: Sun, 21 Jun 1998 23:27:48 -0700 (PDT)
From: "B. James Phillippe" <bryan@terran.org>
To: The Nolander <nolander@krixor.xy.org>
cc: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980621231411.29291A-100000@sangis.kalix.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Sun, 21 Jun 1998, The Nolander wrote:
> What I'm saying is, DON'T TRUST YOUR LOGS!.. And please make the police
> and every silly admin realize that. If something suspicious turns up in
> the logs, then don't freak out 'n think "HE DID IT!". What you *should* do
Yes and no. Logs should always be taken with a grain of salt, yes. In the
case of intelligent crackers, there will be false logs or no logs at all.
However, the majority of the time your logs serve as a vital source of
information to detect signs of an attempted break-in. Most of the time,
they are your *only* source of information. Yes, there are varying degrees
of log integrity; some logs are harder to screw over than others. In the
case of the break-in attempt I reported, every log on my box had consistent
and accurate information that pointed to the same source. Naturally, I
followed up on the log data by investigating the host that was apparently
generating them, and cross-indexing my logs with those of the administrator
of the remote site. And, it panned out. This crack attempt was from a
novice (as most are) who knew nothing about log falsification, or probably
even that he was being logged at all. So yes, don't put your logs on a
pedestal. But don't be ignorant of their existence, either. Read them,
frequently.
-bp
--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
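What Phillippe describes above (several independent logs on the local box agreeing on one source, then lining that source up against the remote administrator's logs for the same minutes) can be done mechanically. The script below is an added example, not code from the original post or from the list; the log lines are constructed, the syslog/tcpd/login message formats are approximations labelled as such, the remote host's format is assumed to be the same, and the clock-skew window is a guess that must be tuned to how well the two hosts' clocks actually agree.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread). Local box: syslog-style
# lines in the shape tcpd and login wrote on a 1998-era Linux host (approximate).
LOCAL_LOG = """\
Jun 21 23:01:12 earth in.telnetd[4121]: connect from 192.0.2.77
Jun 21 23:01:15 earth in.ftpd[4122]: connect from 192.0.2.77
Jun 21 23:01:40 earth login[4121]: FAILED LOGIN 3 FROM 192.0.2.77 FOR root, Authentication failure
Jun 21 23:12:02 earth sendmail[4201]: NOQUEUE: connect from 198.51.100.9
"""

# Constructed: what the administrator of 192.0.2.77 ("sangis") might send back.
# Assumed to be the same syslog shape; the "user ... logged in" wording is ours.
REMOTE_LOG = """\
Jun 21 22:40:02 sangis login[870]: user alice logged in on ttyp1 from 203.0.113.44
Jun 21 23:01:10 sangis in.telnetd[991]: connect from 203.0.113.5
Jun 21 23:01:11 sangis login[991]: user jdoe logged in on ttyp3 from 203.0.113.5
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (year is not logged).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RE = re.compile(r"\buser (\S+) logged in")


def parse(text, year=1998):
    """Parse syslog-style lines into events; the year is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown shape: skip rather than guess
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"].strip(),
                       "msg": m["msg"], "ips": IP_RE.findall(m["msg"])})
    return events


def sources_by_count(events):
    """How often each remote address appears across all local log lines."""
    counts = Counter()
    for e in events:
        counts.update(e["ips"])
    return counts


def corroborating_programs(events, ip):
    """Which independent daemons recorded the same address. A source seen by
    several programs is harder to explain away as one forged or edited line."""
    return {e["prog"] for e in events if ip in e["ips"]}


def correlate(local, remote, source_ip, skew=timedelta(seconds=30)):
    """Pair each local event from source_ip with remote events inside +/- skew.
    skew is an assumption about how far the two hosts' clocks disagree."""
    hits = []
    for le in local:
        if source_ip not in le["ips"]:
            continue
        for r in remote:
            if abs(r["ts"] - le["ts"]) <= skew:
                hits.append((le, r))
    return hits


def suspect_users(hits):
    """Account names the remote host says were logged in during the matched window."""
    users = set()
    for _, r in hits:
        m = USER_RE.search(r["msg"])
        if m:
            users.add(m.group(1))
    return users


if __name__ == "__main__":
    local, remote = parse(LOCAL_LOG), parse(REMOTE_LOG)
    top_ip, n = sources_by_count(local).most_common(1)[0]
    print(f"most frequent source: {top_ip} ({n} lines), seen by "
          f"{sorted(corroborating_programs(local, top_ip))}")
    hits = correlate(local, remote, top_ip)
    print(f"{len(hits)} local/remote pairs within skew; remote users: "
          f"{sorted(suspect_users(hits))}")
```

The corroboration step is the point of the post: one line from one daemon can be fabricated or edited, but telnetd, ftpd and login all naming the same address within seconds, and the remote site's own records showing one account active at that moment, is what made the attempt "pan out". Widen `skew` if the two hosts were not keeping the same time, and expect no matches at all when the attacker came through a host whose logs were cleaned.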
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null