Date: Sun, 21 Jan 2001 11:51:22 +0100
From: Andrea Campi
To: Dag-Erling Smorgrav
Cc: cjclark@alum.mit.edu, FreeBSD-gnats-submit@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: bin/24444: syslogd(8) does not update hostname
Message-ID: <20010121115121.A402@webcom.it>

> the hostname, one being a syscall and the other being a sysctl. One
> could of course have the kernel print a message to the console about
> it, syslogd(8) would pick that up.

Yes, I was about to propose this, but then I thought: why? If we go this way, then we should definitely also log an IP address change, maybe even our default router changing MAC address... why not even hardware changes since last reboot?

Working in a security job, I can understand worries about important events going unnoticed. But doing this in the kernel is IMHO overkill; maybe it could be interesting for TrustedBSD, but not in the normal kernel; at least, it should be configurable at both compile time and runtime (high securelevel and/or a sysctl). The Right Way (tm) to do this is to use (or write) a host intrusion detection system.

Having said this, the proposed patch looks fine to me and I think it should be committed.

Bye,
Andrea

--
Speak softly and carry a cellular phone.