[lug] logs

Ferdinand Schmid fschmid at archenergy.com
Tue Jul 31 10:34:28 MDT 2001


"D. Stimits" wrote:
> 
<snip> 
> Just a sample of separation. Not a good sample. But would you suggest
> that an exact copy of the cracked firewall is a good place to hold logs,
> when the cracked machine has a direct interface to it? I'm not talking
> about script kiddies, I'm talking about real crackers. FYI, I agree that
> there are a lot of holes in a lot of alternate schemes, and that
> complexity makes it easier for something to go wrong. But I'm equally
> convinced that a well secured RH 7.1 firewall, when compromised, can't
> log to another RH 7.1 firewall safely.

How about running BSD on the log recipient?  Or just a significantly
different distro of Linux?  That should make you feel better!

I see a much greater problem in reading and interpreting the logs
regularly than in keeping them in a safe place.  Remote logging is
only a complement to checking logs frequently, snort, tripwire, ...
Otherwise you have a detailed log of what happened 6 months ago when
your machine was first compromised.

Ferdinand

-- 
Ferdinand Schmid
http://www.archenergy.com
303-444-4149 x231
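The reply's point is that a remote log host only helps if someone actually reads what lands there. Here is an added example (not code from this thread) of the kind of periodic review that turns stored syslog lines into findings: it counts firewall drops and failed logins by source, and flags any host that has stopped sending, since a firewall going quiet is itself worth noticing. The host names "fw1" and "loghost" and the sample lines are constructed.

```python
"""Periodic review of syslog lines held on a separate log host.
Added example; assumes classic BSD syslog line format as forwarded by a
Linux firewall's syslogd. Sample lines and host names are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of what the remote log host might have stored.
SAMPLE_LOG = """\
Jul 31 09:00:01 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=23
Jul 31 09:00:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=22
Jul 31 09:01:00 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jul 31 09:01:05 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 40123 ssh2
Jul 31 09:01:09 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 40124 ssh2
Jul 31 09:02:00 fw1 -- MARK --
Jul 31 10:30:00 loghost -- MARK --
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
SRC_RE = re.compile(r"\bSRC=(\S+)")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

def parse(text, year=2001):
    """Yield (timestamp, host, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def review(text, now, silence_minutes=30, failed_threshold=3):
    """Summarise drops and failed logins by source and list hosts that have
    gone quiet (compromised, or simply lost their syslog route)."""
    drops, failed, last_seen = Counter(), Counter(), {}
    for ts, host, msg in parse(text):
        last_seen[host] = max(ts, last_seen.get(host, ts))
        if "DROP" in msg and (m := SRC_RE.search(msg)):
            drops[m.group(1)] += 1
        if m := FAILED_RE.search(msg):
            failed[m.group(1)] += 1
    silent = sorted(h for h, t in last_seen.items()
                    if (now - t).total_seconds() > silence_minutes * 60)
    brute = {src: n for src, n in failed.items() if n >= failed_threshold}
    return {"drops": dict(drops), "failed_logins": brute, "silent_hosts": silent}

def review_sample():
    """Run the review over the constructed sample as of 10:34 the same day."""
    return review(SAMPLE_LOG, datetime(2001, 7, 31, 10, 34, 28))
```

Run from cron on the log host, with the real log file substituted for the sample, and only the returned findings need a human's attention each morning.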
