[812] in Intrusion Detection Systems
Re: Remote Logging
daemon@ATHENA.MIT.EDU (Mike Kienenberger)
Thu Dec 12 13:26:29 1996
In-Reply-To: <2.2.32.19961203023904.0068cec0@pop3.ziplink.net>
From: Mike Kienenberger <mkienenb@arsc.edu>
Date: Thu, 5 Dec 96 10:55:40 -0900
To: ids@uow.edu.au
Cc: cryption@poboxes.com
Reply-To: ids@uow.edu.au
On Mon, 02 Dec 1996, Mike wrote:
> I caught some of the conversation on audit trails and the likes, and wanted
> to know if anyone knows any FAQ's, web pages, or books..etc, that explain a
> bit on how one could have local log files, and also log the same info
> remotely, making it a great deal harder for an intruder to erase his
> presence.
>
> I would appreciate any help,
> Thanks
> Michael Devlin
> cryption@poboxes.com
On a unix system, one way to do this would be to use syslog's message forwarding system. This only works for things which are logged via syslog, and there are a number of ways in which syslog can potentially be broken.
You'll want to check the man page for syslogd and/or syslog.conf for the exact syntax for your system, but it generally goes something like this:
*.debug @remotelogger.mysite.com
This tells syslog to forward all messages received by this machine's
syslogger to the syslogger on remotelogger as well.
This line would be in addition to the other logging lines on the system.
Some potential problems are:
- Your syslogd may only log a message to the first matching line rather than to every matching line.
- Syslogd uses UDP without verification. There's a chance the message may be lost.
- By default, most versions of syslogd will accept messages from ANYWHERE. This means your remotelogger can be attacked using a denial of service attack.
- Your logs are still only as secure as your remotelogger host.
- Once a smart hacker gets on your machine, one of the first things he'll do is to kill syslogd.
There's a writeup on creating syslog.conf files in the December 1996 Sys
Admin magazine, but I only glanced at the article and I can't tell you how
useful it is.
---
Mike Kienenberger Arctic Region Supercomputing Center
Systems Analyst (907) 474-6842
mkienenb@arsc.edu http://www.arsc.edu
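As an added illustration (not code from Mike's post or from any syslogd), the following Python models the two pieces of the setup described above: how syslog.conf selectors such as "*.debug" route a message to actions, including the forwarding action "@remotelogger.mysite.com", and how a forwarded message is framed as a plain BSD syslog UDP datagram. The route() function can run in the "first matching line only" mode named in the first caveat, which shows why a forwarding line appended after the local file lines may never see a message on such a syslogd. The sample configuration, hostnames, and message text are constructed for the example.

```python
# Added example (not from the post): a small model of syslog.conf routing and
# BSD syslog (RFC 3164) datagram framing, to illustrate the forwarding line
# "*.debug @remotelogger.mysite.com" and two of the caveats listed above.
import socket
from datetime import datetime

# Facility and severity codes from the BSD syslog protocol (RFC 3164).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def selector_matches(selector, facility, severity):
    """True if one 'facility.level' selector covers the message.

    Classic syslog.conf semantics: the level is a floor, so 'mail.err'
    matches err and everything more severe; '*' on either side means all.
    """
    fac, level = selector.split(".")
    if fac != "*" and fac != facility:
        return False
    floor = 7 if level == "*" else SEVERITIES[level]
    return SEVERITIES[severity] <= floor


def parse_conf(text):
    """Parse 'selector<whitespace>action' lines; '#' comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def route(rules, facility, severity, first_match_only=False):
    """Return the actions a message would be delivered to, in config order.

    first_match_only=True models the syslogd variant in the first caveat:
    it stops at the first matching line, so a forwarding line placed after
    the local file lines never receives messages those lines already match.
    """
    actions = []
    for selector, action in rules:
        # A selector field may hold several selectors joined with ';'.
        if any(selector_matches(s, facility, severity) for s in selector.split(";")):
            actions.append(action)
            if first_match_only:
                break
    return actions


def encode_datagram(facility, severity, hostname, tag, msg, when):
    """Frame a message as a BSD syslog UDP payload: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode("ascii")


def sample_datagram():
    """Framed form of one constructed auth.info message with a fixed timestamp."""
    return encode_datagram("auth", "info", "host1", "sshd[123]",
                           "constructed test message",
                           datetime(1996, 12, 5, 10, 55, 40))


def forward(datagram, remote_host, port=514):
    """Send one datagram the way a forwarding syslogd does: plain UDP with no
    acknowledgement, so a lost datagram is lost silently (second caveat)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (remote_host, port))


# Constructed syslog.conf resembling the setup in the post: the local file
# lines first, then the forwarding line added "in addition to" them.
SAMPLE_CONF = """\
auth.info        /var/log/authlog
*.err            /var/log/messages
*.debug          @remotelogger.mysite.com
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for mode in (False, True):
        print("first-match-only:" if mode else "every-match:",
              route(rules, "auth", "info", first_match_only=mode))
    print(sample_datagram())
```

Running the script shows that on an every-match syslogd an auth.info message goes to both /var/log/authlog and the remote logger, while a first-match-only syslogd writes it to the local file and never forwards it; on such a system the forwarding line has to come before the local ones, or be repeated per selector. The framed datagram starts with the priority value 38 (facility auth = 4, times 8, plus severity info = 6), which is all a receiver gets to identify the source, so the third caveat (accepting from anywhere) is best addressed by restricting which source addresses the remotelogger host listens to.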