Date: Fri, 9 Jul 1999 04:20:13 -0400 (EDT)
From: Robert Watson
To: Darren Reed
Cc: Alla Bezroutchko, security@FreeBSD.ORG
Subject: Re: Syslog alternatives?
In-Reply-To: <199907090707.RAA16350@cheops.anu.edu.au>

On Fri, 9 Jul 1999, Darren Reed wrote:

> In some mail from Alla Bezroutchko, sie said:
> >
> > This is not exactly a FreeBSD security question. More like general
> > Unix security. Hope it is not completely off topic.
> >
> > I was looking at several syslogd alternatives (BTW, I don't think
> > I have a complete list, can you suggest something?) and found out
> > that I don't understand what is wrong with traditional syslogd from
> > a security standpoint.
> >
> > Could someone explain to me or point me to some resources that explain
> > why syslogd is bad?
>
> Prove to me that your log files have any integrity, in such a way that
> I cannot dispute it.

Or even less interesting: What happens to log records being sent over the
network to a host that is in the process of rebooting? Or: What happens to
network logging if you send an ICMP connection refused to the client syslog
host?
I noticed the other day that, unlike our newsyslog, BSD/OS 3.0 actually loses
lots of records when they perform log rotation, as they gzip the rotated file
before sending the HUP to syslogd! I don't know if BSD/OS 4.0 does this also.
We were upset to find that 3 hours of log records were missing from our
maillog following the rotation.

Clearly syslogd leaves much to be desired. However, it works fairly well if
configured carefully. There have been discussions of alternatives, and I
think someone claimed to have written a secure syslog at one point; I don't
have a reference for it. I believe Schneier coauthored a paper on some of the
cryptographic issues, also. Again, no references here as I'm out of town.

If you can rely on kernel integrity due to securelevels, then presumably you
can have it hold onto secrets and provide certain cryptographic integrity
services.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services
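As an added illustration of the "cryptographic integrity services" idea raised in the thread (this is example code, not from the thread or from the paper it mentions): a simplified forward-secure, hash-chained log. The key constant, the record format and the sample log lines are all constructed for the example; a real deployment would keep the initial key with the verifier and evolve the logger's key inside something the intruder cannot read back, such as the kernel-held secret the reply speculates about.

```python
import hashlib
import hmac

# Constructed example of a forward-secure log. Each record is MACed with the
# current key and chained to the previous tag; the key is then replaced by its
# hash and the old key discarded. An intruder who reads the logger's key state
# after record i cannot recompute tags for records 0..i, so edits or deletions
# before the break-in are detected by a verifier who holds K0 offline.
K0 = b"constructed-initial-key-for-example-only"
ZERO_TAG = b"\x00" * 32


def _evolve(key: bytes) -> bytes:
    """One-way key update: K(i+1) = H('evolve' || K(i))."""
    return hashlib.sha256(b"evolve|" + key).digest()


def _tag(key: bytes, prev_tag: bytes, msg: bytes) -> bytes:
    """Tag binds the record to its predecessor as well as to the key."""
    return hmac.new(key, prev_tag + b"|" + msg, hashlib.sha256).digest()


class ForwardSecureLog:
    def __init__(self, key0: bytes):
        self._key, self._prev = key0, ZERO_TAG
        self.records = []  # list of (message, tag)

    def append(self, msg: bytes) -> None:
        tag = _tag(self._key, self._prev, msg)
        self.records.append((msg, tag))
        self._prev, self._key = tag, _evolve(self._key)  # old key is gone


def verify(key0: bytes, records) -> int:
    """Index of the first record that fails to verify, or -1 if chain intact."""
    key, prev = key0, ZERO_TAG
    for i, (msg, tag) in enumerate(records):
        if not hmac.compare_digest(_tag(key, prev, msg), tag):
            return i
        prev, key = tag, _evolve(key)
    return -1


def demo():
    log = ForwardSecureLog(K0)
    for line in [b"Jul  9 04:20:13 host1 sshd[123]: Accepted publickey for alice",
                 b"Jul  9 04:21:00 host1 su: alice to root on /dev/ttyp0",
                 b"Jul  9 04:22:41 host1 sendmail[456]: queued message"]:
        log.append(line)  # constructed sample records
    edited = list(log.records)
    edited[1] = (edited[1][0].replace(b"alice", b"nobody"), edited[1][1])
    deleted = log.records[:1] + log.records[2:]
    return verify(K0, log.records), verify(K0, edited), verify(K0, deleted)
```

Deleting records from the end of the chain is not caught by this check alone; the verifier also needs the expected record count or a periodically committed chain head.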