[lug] logs

Kevin Fenzi kevin at scrye.com
Mon Jul 30 14:58:19 MDT 2001


>>>>> "D" == D Stimits <stimits at idcomm.com> writes:

D> The point is in the statement about no "exploits against current
D> syslogd". An older version would be cracked. And I'm sure that one

you should keep things up to date, of course. ;) 

D> day, another exploit of it will be found...that'll be the same day
D> the cracker breaks the firewall machine (one of Murphy's
D> laws). More important, the machine behind the firewall, if you
D> expect firewall breach, needs to be treated as if it is in a
D> militarized zone, even if it is "safe" until the firewall is
D> breached. Logging to an otherwise open machine that is directly
D> attached to the breached machine is a bit like the saying of
D> skating on thin ice. The log machine, if it is to avoid breach,
D> must be better secured than the firewall that got taken out in the

well, the problem here is that most people don't have the time or
energy to secure all their machines better than their firewall. ;) 

Surely you shouldn't let the firewall lull you into a false sense of
security and make sure you apply updates and so forth, but if someone
compromises your firewall odds are good you are running the same
versions of software on your internal machines as well. 

D> first place. Sending logs via email to a machine that is completely
D> isolated from the breached machine is a way to do that (separate
D> machines with no direct interface).

yeah, but then there is a window where an intruder can get in and fix
the logs before they are mailed. ;( 

A good old fashioned way to do this is to attach a line printer... have
it print out each line of the logs as they are logged.
Advantages: hard for attacker to modify hard copy. 
Disadvantages: lots of paper. Hard to grep. ;) 

D> D. Stimits, stimits at idcomm.com

kevin
-- 
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution


