[lug] logs

D. Stimits stimits at idcomm.com
Mon Jul 30 16:47:40 MDT 2001


Kevin Fenzi wrote:
> 
> >>>>> "D" == D Stimits <stimits at idcomm.com> writes:
> 
> D> The point is in the statement about no "exploits against current
> D> syslogd". An older version would be cracked. And I'm sure that one
> 
> you should keep things up to date, of course. ;)
> 
> D> day, another exploit of it will be found...that'll be the same day
> D> the cracker breaks the firewall machine (one of Murphy's
> D> laws). More important, the machine behind the firewall, if you
> D> expect firewall breach, needs to be treated as if it is in a
> D> militarized zone, even if it is "safe" until the firewall is
> D> breached. Logging to an otherwise open machine that is directly
> D> attached to the breached machine is a bit like the saying of
> D> skating on thin ice. The log machine, if it is to avoid breach,
> D> must be better secured than the firewall that got taken out in the
> 
> well, the problem here is that most people don't have the time or
> energy to secure all their machines better than their firewall. ;)
> 
> Surely you shouldn't let the firewall lull you into a false sense of
> security and make sure you apply updates and so forth, but if someone
> compromises your firewall odds are good you are running the same
> versions of software on your internal machines as well.
> 
> D> first place. Sending logs via email to a machine that is completely
> D> isolated from the breached machine is a way to do that (separate
> D> machines with no direct interface).
> 
> yeah, but then there is a window where an intruder can get in and fix
> the logs before they are mailed. ;(

You are assuming cron jobs, or periodic sends. I am thinking of other
triggers, on top of this.

> 
> A good old fashioned way to do this is to attach a line printer... have
> it print out each line of the logs as they are logged.
> Advantages: hard for attacker to modify hard copy.
> Disadvantages: lots of paper. Hard to grep. ;)

Yes, same idea really...log to something a compromised firewall can't be
used as a stepping stone to get to. The idea of logging through a direct
net connection to a less protected machine doesn't look good to me. I
like the dedicated DVD writer idea better than paper though.

D. Stimits, stimits at idcomm.com

> 
> D> D. Stimits, stimits at idcomm.com
> 
> kevin
> --
> Kevin Fenzi
> MTS, tummy.com, ltd.
> http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
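The concern raised above is the window in which an intruder edits logs before they are sent. As an added illustration, not code from anyone in this thread, the following hash-chains each log line to the one before it as it is written, so the isolated receiving machine can tell when a line in a batch was altered or removed. The sample syslog lines are constructed for the example.

```python
"""Tamper-evident log chaining (added example, not from the thread).

Each line's digest covers the line itself and the previous digest, so
editing or deleting an earlier line breaks every digest after it.
"""
import hashlib
from typing import List, Tuple

SEED = "genesis"  # assumed starting value, agreed between sender and receiver

def _digest(prev: str, line: str) -> str:
    return hashlib.sha256((prev + "\n" + line).encode("utf-8")).hexdigest()

def chain_log(lines: List[str], seed: str = SEED) -> List[Tuple[str, str]]:
    """Return (line, digest) records; this is what the sender forwards."""
    prev = seed
    records = []
    for line in lines:
        digest = _digest(prev, line)
        records.append((line, digest))
        prev = digest
    return records

def verify_chain(records: List[Tuple[str, str]], seed: str = SEED) -> int:
    """Return the index of the first record that fails to verify, or -1 if intact.

    Truncation at the tail is NOT detected by this check alone: the receiver
    must also track the last digest (or line count) it has already seen.
    """
    prev = seed
    for i, (line, digest) in enumerate(records):
        if digest != _digest(prev, line):
            return i
        prev = digest
    return -1

# Constructed sample lines, in the spirit of a firewall's syslog.
SAMPLE = [
    "Jul 30 16:40:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23",
    "Jul 30 16:40:05 fw sshd[412]: Failed password for root from 203.0.113.7 port 40112",
    "Jul 30 16:40:09 fw sshd[412]: Accepted password for root from 203.0.113.7 port 40112",
]

if __name__ == "__main__":
    recs = chain_log(SAMPLE)
    edited = list(recs)
    edited[1] = ("Jul 30 16:40:05 fw sshd[412]: (line scrubbed)", edited[1][1])
    print("intact:", verify_chain(recs), "edited:", verify_chain(edited))
```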